Security researchers found a couple of vulnerabilities affecting the chat features of the popular video conferencing app Zoom that, if exploited, would have let attackers achieve arbitrary code execution.
While the mere mention of Zoom makes people think of video conferencing, the application has a number of other features that can harbor vulnerabilities. In fact, a couple of critical flaws were identified by Cisco researchers in the Chat feature; either would have been enough to give attackers a way to execute code remotely.
The first one, dubbed CVE-2020-6109, is an exploitable path traversal vulnerability affecting how the application processes animated GIFs.
“Only Giphy servers were originally supposed to be used for this feature in Zoom,” reads the advisory. “However, the content from an arbitrary server would be loaded in this case, which could be abused to further leak information or abuse other vulnerabilities.”
The second was an exploitable path traversal vulnerability in the code-snippet sharing feature, which packages a shared snippet into a specially generated zip archive.
“Zoom’s chat functionality is built on top of XMPP standard with additional extensions to support rich user experience,” say the researchers. “One of those extensions supports a feature of including source code snippets that have full syntax highlighting support. The feature to send code snippets requires installation of an additional plugin, but receiving them does not.”
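Both flaws described above are path traversal bugs in a client that writes attacker-influenced file names to disk: a GIF name supplied by a server in the first case, zip entry names inside a shared snippet archive in the second. The following added example (not Zoom's or Cisco Talos's code; the directory layout, the `gif_cache`/`snippets` folder names and the sample archive contents are constructed for illustration) shows the containment check a client should apply in both places, resolving the final path and refusing anything that lands outside the intended directory.

```python
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath, PureWindowsPath


def is_contained(base_dir: str, untrusted_name: str) -> bool:
    """True only if base_dir joined with untrusted_name stays inside base_dir.

    The name may come from a remote server (a GIF file name) or from a zip
    entry (a shared code snippet); both are attacker-influenced, so the check
    is made on the resolved path, not on the raw string.
    """
    if not untrusted_name:
        return False
    name = untrusted_name.replace("\\", "/")  # treat Windows separators like "/"
    # An absolute name of either flavour escapes the base directory outright.
    if PurePosixPath(name).is_absolute() or PureWindowsPath(name).is_absolute():
        return False
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    return target == base or target.startswith(base + os.sep)


def cache_path_for_gif(cache_dir: str, server_supplied_name: str) -> str:
    """On-disk cache path for a GIF whose file name was sent by a server (hypothetical helper)."""
    if not is_contained(cache_dir, server_supplied_name):
        raise ValueError(f"refusing traversal file name: {server_supplied_name!r}")
    return os.path.join(os.path.realpath(cache_dir), server_supplied_name.replace("\\", "/"))


def traversal_entries(archive: zipfile.ZipFile, dest_dir: str) -> list:
    """Names of archive members that would be written outside dest_dir."""
    return [i.filename for i in archive.infolist() if not is_contained(dest_dir, i.filename)]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract a snippet archive, refusing the whole archive if any member traverses.

    Extraction is done by hand (open/write) so the containment check is explicit
    rather than delegated to library behaviour.
    """
    extracted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        bad = traversal_entries(archive, dest_dir)
        if bad:
            raise ValueError(f"archive contains traversal entries: {bad}")
        for info in archive.infolist():
            out_path = os.path.join(os.path.realpath(dest_dir), info.filename.replace("\\", "/"))
            if info.is_dir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with archive.open(info) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted


def build_zip(members: dict) -> bytes:
    """Constructed sample archive: {entry name: content bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)  # writestr does not sanitise names, so "../" survives
    return buf.getvalue()


def run_demo() -> dict:
    """Exercise both checks in a throwaway directory and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cache = os.path.join(tmp, "gif_cache")
        os.makedirs(cache)
        results["gif_ok"] = os.path.basename(cache_path_for_gif(cache, "funny.gif"))
        try:
            cache_path_for_gif(cache, "../../startup/evil.exe")
            results["gif_traversal_blocked"] = False
        except ValueError:
            results["gif_traversal_blocked"] = True

        snippets = os.path.join(tmp, "snippets")
        os.makedirs(snippets)
        good = build_zip({"snippet/main.py": b"print('hi')\n"})
        results["good_extracted"] = safe_extract(good, snippets)
        results["good_file_exists"] = os.path.isfile(os.path.join(snippets, "snippet", "main.py"))

        bad = build_zip({"snippet/main.py": b"x", "../evil.txt": b"constructed"})
        try:
            safe_extract(bad, snippets)
            results["zip_traversal_blocked"] = False
        except ValueError:
            results["zip_traversal_blocked"] = True
        results["nothing_escaped"] = not os.path.exists(os.path.join(tmp, "evil.txt"))
    return results


if __name__ == "__main__":
    print(run_demo())
```

The check is made on `os.path.realpath` output rather than by searching the string for `..`, so symlinked directories and mixed separators are handled the same way; the archive case rejects the whole file before writing anything, since a partially extracted snippet is of no use to the recipient and a silently dropped entry hides the fact that the archive was malformed.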
The vulnerabilities affected the Zoom Client version 4.6.10. A patch correcting the problems has been issued already.
The company also announced a new policy on encrypting sessions: end-to-end encryption will be available to paid accounts, companies, and educational institutions using the platform.
The company determined that most abuse, such as zoom-bombing, comes from users with free accounts. Withholding full end-to-end encryption from those accounts makes it easier for law enforcement and Zoom's own teams to investigate any incidents.