Zoom Path Injection Vulnerability
Summary
Security researchers have disclosed details of a path injection vulnerability in the Zoom remote conferencing client for Microsoft Windows. They claim a remote unauthenticated meeting attendee can exploit this vulnerability to obtain other attendees' usernames and NTLM credential hashes.
Affected platforms
The following platforms are known to be affected:
- Zoom Windows client - versions prior to 4.6.9
Threat details
By default, the Zoom client allows attendees to post URLs and universal naming convention (UNC) strings in the meeting chat and automatically converts them into active links. When an attendee clicks such a UNC link, Windows opens an SMB connection to the named host in order to access the path, sending that attendee's username and NTLM credential hash in the process. An attacker can then use these in pass-the-hash attacks to access shared network resources, or crack the hash to recover the user's password for use in future attacks. The researchers also report that specific strings may be used to automatically execute files on an affected attendee's system.
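The weak point described above is the auto-link step: a chat linkifier that treats a UNC string like a URL hands the operating system something it will try to open over SMB. The following is an added illustration written for this page, not Zoom's code, and it makes no claim about how the Zoom client is implemented. It models the permissive behaviour the researchers describe alongside a hardened converter that only activates http(s) URLs, leaves UNC strings and other schemes as inert text, and reports them so a defender can review chat logs. The sample chat lines, host names and share names are constructed.

```python
import html
import re
from typing import List, Tuple

# Constructed sample chat lines; hosts and shares are placeholders, not real systems.
SAMPLE_CHAT = [
    "agenda: https://example.com/agenda",
    r"slides are on \\fileserver01\share\deck.pptx",
    r"try \\203.0.113.5\c$  quick",
    "plain text with no links at all",
]

# A UNC path: two leading backslashes, a host, then at least one share/path component.
UNC_RE = re.compile(r"(?<![\w\\])\\\\[^\\\s<>\"|]+(?:\\[^\\\s<>\"|]*)+")
# Any scheme://token; the scheme itself is checked separately by the hardened converter.
URL_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s<>\"]+")


def find_links(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for everything a permissive linkifier would activate."""
    found = [("unc", m.group(0)) for m in UNC_RE.finditer(text)]
    for m in URL_RE.finditer(text):
        scheme = m.group(0).split("://", 1)[0].lower()
        found.append(("url:" + scheme, m.group(0)))
    return found


def linkify_permissive(text: str) -> str:
    """Models the behaviour described in the advisory: every URL and UNC string becomes a link."""
    def wrap(m: "re.Match[str]") -> str:
        target = html.escape(m.group(0), quote=True)
        return f'<a href="{target}">{target}</a>'
    text = URL_RE.sub(wrap, text)
    return UNC_RE.sub(wrap, text)


def linkify_hardened(text: str) -> Tuple[str, List[str]]:
    """Only http(s) URLs become links; UNC strings and other schemes stay plain text and are reported."""
    flagged: List[str] = []

    def wrap_url(m: "re.Match[str]") -> str:
        url = m.group(0)
        scheme = url.split("://", 1)[0].lower()
        if scheme in ("http", "https"):
            target = html.escape(url, quote=True)
            return f'<a href="{target}">{target}</a>'
        flagged.append(url)          # e.g. file:// or smb:// is left inert and recorded
        return url

    out = URL_RE.sub(wrap_url, text)
    # UNC strings are never wrapped; they are only recorded for review.
    flagged.extend(m.group(0) for m in UNC_RE.finditer(out))
    return out, flagged


def scan_chat(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Defender-side check: list the (1-based) chat lines that carry UNC or non-http(s) link tokens."""
    report = []
    for n, line in enumerate(lines, 1):
        _, flagged = linkify_hardened(line)
        if flagged:
            report.append((n, flagged))
    return report


if __name__ == "__main__":
    for line in SAMPLE_CHAT:
        print("permissive:", linkify_permissive(line))
        print("hardened:  ", linkify_hardened(line)[0])
    print("flagged lines:", scan_chat(SAMPLE_CHAT))
```

Running the block shows the two UNC lines become `<a href="\\...">` links under the permissive converter but are returned unchanged by the hardened one, with `scan_chat` pointing at lines 2 and 3; the same function can be run over exported chat transcripts to spot UNC strings after the fact.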
Remediation steps
| Type | Step |
|---|---|
| Update | Zoom has now released an updated Windows client (version 4.6.9) that addresses this vulnerability. Affected organisations should deploy the latest version of the client. |
Last edited: 29 June 2021 12:01 pm