Security Flaws in Zoom’s Linux Client Expose User Data Risks
Zoom Video Communications has recently addressed multiple security vulnerabilities within its Linux client that could jeopardize user data and system integrity. Two significant issues could allow an attacker with access to a compromised device to read and extract sensitive information from Zoom users or even execute malicious software as a subprocess of the trusted application. These vulnerabilities present a concerning challenge, especially in a landscape where video conferencing has become central to many businesses.
Cybersecurity researcher Mazin Ahmed brought these issues to light during his presentation at DEF CON 2020, highlighting a misconfigured development instance left exposed by Zoom, with no updates since September 2019. This oversight indicated a susceptibility to known flaws that remained unaddressed for an extended period. After Ahmed reported the vulnerabilities to Zoom in both April and July, the company released a security patch on August 3, 2020, in version 5.2.4.
For certain of these attacks to be carried out, an attacker would first need access to the target's device through other means. That prerequisite does not lessen the severity of the identified vulnerabilities. Ahmed detailed how the Zoom Launcher used on Linux could be abused to run malicious software because of the way it spawned and executed subprocesses. This flaw could nullify application whitelisting protections by letting malicious code run under the identity of a trusted, whitelisted application, which constitutes a design oversight in security practice.
In a further analysis, Ahmed noted that an attacker could gain unauthorized access to Zoom user data and configuration by navigating to the local database, where chat messages are stored in plaintext. This security lapse is indicative of insufficient data protection protocols. Additionally, two more significant flaws were discovered: one involving an externally accessible Kerberos authentication service and another related to TLS/SSL that permits the injection of custom certificate fingerprints into the local Zoom database.
Zoom explained that, for safety reasons, it allows user applications to operate at their respective privilege levels; even so, the certificate fingerprint injection flaw remains a concern, and a stronger security posture would be advisable given its potential for exploitation.
Ahmed also pointed out a memory leak vulnerability tied to the profile picture feature, which an attacker could trigger by uploading a malicious GIF image. Although Zoom has stated that this behavior is not a memory leak but rather a limitation of its image conversion process, the implications persist.
The company’s responses included taking down the exposed Kerberos authentication service to thwart possible brute-force attacks, and an acknowledgment of ongoing improvements targeting encryption methods for chat logs. Business users are advised to update their Zoom clients to the latest version to fortify defenses against these vulnerabilities.
In summary, Zoom has recognized the seriousness of these security findings, with a spokesperson thanking Ahmed for his disclosures and urging users to keep their software up to date. Data breaches and vulnerabilities affecting user security remain an ongoing concern, particularly amid increasing reliance on digital communication platforms for both personal and professional interactions. In terms of the MITRE ATT&CK framework, these issues fall under the initial access, privilege escalation, and persistence tactics, which underlines the multifaceted nature of today's cybersecurity challenges.