Zoom Screen-Sharing Vulnerability displays Unauthorized Information

Overview of Zoom Vulnerability TIR-20210321

This report is about a vulnerability found in the popular virtual meeting application known as Zoom. The vulnerability has no known patch at the time this report was written. The vulnerability may allow users in the meeting to see information on a screen-share that they were not authorized to view.

Tactics, Techniques, and Procedures

Successful exploitation of this vulnerability occurs when a user shares a specific application on their screen such as a web browser but, for a short time other meeting participants can see the contents of open applications in the screen-share. Applications that are not explicitly shared can be seen by other users when newly created windows overlay the content being shared. Depending on the sensitivity of the environment and the level of privileges the affected user possesses this could increase or reduce the severity of the vulnerability. If the meeting is recorded then someone watching it can pause the recording and read the contents of the screen-share. The unintentionally shared content can really be seen if the meeting is being recorded as it flickers on the screen-share way too fast for the human eye to register in real-time. This vulnerability affects the Zoom client through version 5.5.4.

Business Unit Impact

• May lead to the leakage of sensitive information such as email inbox content.
• May provide for intelligence gathering opportunities depending on the type of content being briefly shared.

Our Recommendations

It is highly encouraged that you reduce the number of times screen-sharing is used by employees with external entities unless required by a certain user’s job function. Check the vendor’s website for updates and update the Zoom client when appropriate.

Sources

• https://exchange.xforce.ibmcloud.com/vulnerabilities/198406

Supporting Documentation

• https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-044.txt
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28133
• MITRE Mapping(s)
  • https://attack.mitre.org/techniques/T1125/
  • https://attack.mitre.org/techniques/T1113/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.