Cybersecurity researchers from Cisco Talos have discovered two vulnerabilities in the Zoom video-conferencing application that could allow a malicious user to execute arbitrary code on victims’ machines. Cisco Talos worked with Zoom, and a patch is available. The first vulnerability (CVE-2020-6109) resided in the way Zoom leverages the GIPHY service, recently bought by Facebook.
Although Zoom's popularity keeps growing during the pandemic, the company has had a long list of security problems, and these new vulnerabilities add to it. The researchers explained the first vulnerability, saying,
“An exploitable path traversal vulnerability exists in the way the Zoom client, version 4.6.10, processes messages including animated GIFs. A specially crafted chat message can cause an arbitrary file write, which could potentially be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to exploit this vulnerability.”
According to the researchers, under the second vulnerability, tracked as CVE-2020-6110, a specially crafted chat message can cause arbitrary binary planting, which could be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to trigger this vulnerability. The researchers also described two possible scenarios, saying,
“First, without user interaction, it can be abused to plant arbitrary binaries on the target system, albeit at a constrained path, potentially used in exploiting another vulnerability. Secondly, with user interaction, it can plant binaries at almost arbitrary paths and can potentially overwrite important files and lead to arbitrary code execution.”
Both flaws are path traversal vulnerabilities that can be exploited to write or plant arbitrary files on systems running vulnerable versions of the video-conferencing software and thereby execute malicious code. Cisco Talos researchers tested both flaws in version 4.6.10 of the Zoom client application and responsibly reported them to the company.
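The bug class behind both CVEs is a chat client that takes a file name from an incoming message and joins it onto a local cache directory without checking where the result lands. The following is an added example written for this article, not Zoom's code or Cisco Talos's proof of concept: it contrasts a naive join with a hardened version that discards the sender-supplied name entirely, whitelists the extension, and verifies that the resolved path stays inside the cache root. The cache directory `/srv/chat-media-cache` and the sample file names are constructed for illustration.

```python
import os
import uuid
from pathlib import Path, PurePosixPath

# Constructed example cache directory; it does not need to exist for the checks below.
MEDIA_ROOT = Path("/srv/chat-media-cache")

# Only this extension is accepted for an animated-GIF attachment (assumption for the example).
ALLOWED_EXTENSIONS = {".gif"}


def vulnerable_target(root: Path, filename_from_message: str) -> Path:
    """Naive join that trusts the sender-controlled file name verbatim.

    A name containing '../' segments walks out of the cache directory, and an
    absolute name replaces the root outright, because os.path.join discards
    everything before an absolute component. This is the path traversal /
    arbitrary file write pattern described for the Zoom 4.6.10 client.
    """
    return Path(os.path.join(root, filename_from_message))


def escapes_root(root, target) -> bool:
    """Return True if `target` resolves to a location outside `root`.

    Both paths are canonicalised (symlinks and '..' collapsed) before the
    containment check; os.path.commonpath is used instead of a string prefix
    test so that '/srv/chat-media-cache-evil' is not mistaken for a child of
    '/srv/chat-media-cache'.
    """
    real_root = os.path.realpath(root)
    real_target = os.path.realpath(target)
    return os.path.commonpath([real_root, real_target]) != real_root


def safe_target(root: Path, filename_from_message: str) -> Path:
    """Hardened version: never reuse the sender's path.

    Only the extension of the last path component is inspected, and it must be
    whitelisted. The on-disk base name is a random token, so directory
    separators, '..' segments, NUL bytes or double extensions in the message
    never reach the file system. As defence in depth the result is still
    checked for containment in the root.
    """
    # Treat backslashes as separators too, so 'a\\..\\b.exe' is parsed the same way.
    normalised = filename_from_message.replace("\\", "/")
    ext = PurePosixPath(normalised).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"unexpected media extension: {ext!r}")

    candidate = root / f"{uuid.uuid4().hex}{ext}"
    if escapes_root(root, candidate):
        raise ValueError("resolved path escapes media root")
    return candidate


if __name__ == "__main__":
    # Constructed sample file names as they might arrive in a chat message.
    samples = ["funny.gif", "../../../../evil.exe", "/etc/cron.d/evil.gif", "x.gif/../../y.exe"]
    for name in samples:
        naive = vulnerable_target(MEDIA_ROOT, name)
        print(f"{name!r:32} naive -> {naive}  escapes={escapes_root(MEDIA_ROOT, naive)}")
        try:
            print(f"{'':32} safe  -> {safe_target(MEDIA_ROOT, name)}")
        except ValueError as exc:
            print(f"{'':32} safe  -> rejected ({exc})")
```

The containment check in `escapes_root` is also the shape of a useful detection rule for defenders reviewing download or cache-write paths in any chat client: log and reject any write whose canonicalised destination does not share `MEDIA_ROOT` as its common path.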