On July 8th, Jonathan Leitschuh published a vulnerability report for the popular teleconferencing application Zoom:
“This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.”
With ¾ of a million companies relying on Zoom to conduct video meetings, the number of vulnerable individuals is staggering. If your organization currently uses Zoom, you may be stuck wondering which of your users are affected.
Thankfully, Kolide provides a clear path towards identifying unsafely configured devices and remediating the issue.
The Zoom team pushed changes to the client (in response to overwhelming pressure from the community) which remove the local web server feature of the Zoom app and permit normal uninstallation:
July 9, 2019
Version 4.4.53932.0709
Download Type: Prompted
Download here: Download Center
Option to uninstall Zoom: Zoom users can now uninstall the Zoom application and all of its components through the settings menu.
Removal of the local web server: Zoom will be discontinuing the use of a local web server on Mac and will be completely removed from the Zoom installation.
There are two main components of this vulnerability:
- A persistent listening port that allows a meeting to be auto-joined by serving a malicious URL in an iframe.
- Your webcam is activated by default when joining the meeting.
Kolide conveniently provides a list of all listening ports and the respective processes that are utilizing them via our Inventory feature.
Below we can see a gif filtering down to check whether the Zoom process is listening on port 19421, and we see it is on 2 of our devices:
Next, we can check for who has their camera disabled by default.
This setting can be configured in Zoom by following these steps:
- Click on Preferences
- Go to the Video Tab
- Ensure the checkbox: “Turn off my video when joining a meeting” is checked.
Zoom stores this and several other preferences in a sqlite DB located at ~/Library/Application Support/zoom.us/data/zoomus.db
There is a value in the zoom_kv table which encodes some of the various preference settings as a string:
sqlite3 ~/Library/Application\ Support/zoom.us/data/zoomus.db "SELECT value from zoom_kv where key = 'com.zoom.pt.settings.general';"
304878224
That string can be converted from base-10 to binary (the spacing below isolates the 26th bit counted from the right):
100 1 0001011000001001010010000
If you count to the 26th position starting from the right:
- 1 = Disable Camera by Default
- 0 = Enable Camera by Default
In the value above that bit is 1, so this device has “Turn off my video when joining a meeting” checked.
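The same check automated in Python, as an added example that is not Kolide's own code: it reads the zoom_kv value shown above, tests the 26th bit from the right, and classifies the device. The zoom_kv column names and the database path come from the post; the TEXT column types in the constructed in-memory fixture are an assumption for offline testing only.

```python
import sqlite3
from pathlib import Path

# Default location of the Zoom preferences database on macOS (from the post).
ZOOM_DB = Path.home() / "Library/Application Support/zoom.us/data/zoomus.db"
SETTINGS_KEY = "com.zoom.pt.settings.general"
# 1-indexed bit position, counted from the right, identified in the post as
# "Turn off my video when joining a meeting".
CAMERA_OFF_BIT = 26


def settings_bits(settings_value):
    """Binary rendering of the encoded settings integer (e.g. for a report)."""
    return format(int(settings_value), "b")


def camera_off_by_default(settings_value):
    """True when the camera-off bit is set in the encoded settings value."""
    return bool((int(settings_value) >> (CAMERA_OFF_BIT - 1)) & 1)


def read_settings_value(conn):
    """Fetch the encoded general-settings string from zoom_kv; None if absent."""
    row = conn.execute("SELECT value FROM zoom_kv WHERE key = ?",
                       (SETTINGS_KEY,)).fetchone()
    return row[0] if row else None


def classify(conn):
    """'safe' (camera off by default), 'vulnerable' (camera on), or 'unknown'."""
    value = read_settings_value(conn)
    if value is None:
        return "unknown"
    return "safe" if camera_off_by_default(value) else "vulnerable"


def open_zoom_db(db_path=ZOOM_DB):
    """Open the real database read-only so the check never alters preferences."""
    return sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)


def sample_db(value=None):
    """Constructed in-memory fixture mimicking zoom_kv (column types assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE zoom_kv (key TEXT PRIMARY KEY, value TEXT)")
    if value is not None:
        conn.execute("INSERT INTO zoom_kv VALUES (?, ?)", (SETTINGS_KEY, str(value)))
    conn.commit()
    return conn


if __name__ == "__main__":
    print(classify(open_zoom_db()))
```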
Kolide looks for this setting as part of our Vulnerable Apps Check. When it finds devices that do not have the checkbox checked, it automatically fires off a notification to your end user via Slack with information about the vulnerability, and instructions on how to protect themselves from being a victim of the exploit.