
Dark Reading is part of the Informa Tech Division of Informa PLC


4/8/2021
06:15 PM

Zoom Joins Microsoft Teams on List of Enterprise Tools Hacked at Pwn2Own

White-hat hacking event shows yet again why there's no such thing as foolproof security against modern attacks.

A pair of security researchers at the virtual Pwn2Own hacking contest Wednesday exploited a combination of three individual zero-day bugs in the Zoom client to show how attackers could gain complete remote control of any PC or notebook computer on which the video communications software is installed.

The exploit came barely a day after another researcher at Pwn2Own demonstrated code execution on Microsoft Teams, which, like Zoom, has seen a surge in use since the global COVID-19 pandemic forced an increase in remote work at many organizations. The two exploits — and several others against Microsoft Exchange Server, Windows 10, and other technologies — have served as a further reminder of just how vulnerable some core enterprise software and communication products are to modern attacks.

"One of the biggest trends we see is that the participants continue to evolve and adapt to the targets," says Brian Gorenc, senior director of vulnerability research and head of ZDI at Trend Micro, which organizes the event each year. "Even as vendors make exploitation more difficult, contestants find a path to win."

The Zoom exploit garnered security researchers Daan Keuper and Thijs Alkemade of Dutch firm Computest Security an award of $200,000 and 20 so-called Master of Pwn points. Their exploit involved chaining together three bugs in the Zoom messenger client to gain code execution on a target system, without the user having to click or do anything. A Computest statement described the exploit as giving the two researchers control to execute actions on the device running the Zoom client, such as turning on the camera and microphone, reading emails and screen content, and downloading browser history. All of the actions could be taken without the user having to do anything or even noticing the activity.

Unlike previously disclosed vulnerabilities in the Zoom app that mostly allowed for attackers to snoop on video calls, the newly discovered ones are more serious because they give threat actors a way to take over the entire system, Computest said.

A Zoom spokesman Friday acknowledged the issue in the Zoom Chat group messaging product and said the company is currently working on its mitigation. In a statement, the spokesman said the attack demonstrated by the Computest researchers would need to originate from an accepted external contact or be part of the target's same organizational account.

"As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust," the statement noted. "If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center."

The Zoom exploit was one of several high-profile exploits at a Pwn2Own event where some $1.5 million is up for grabs to security researchers who can find and demonstrate exploitable vulnerabilities in a selected list of products across seven categories. Target products included Microsoft Exchange Server and SharePoint under the server category; Teams and Zoom in the enterprise communications section; Microsoft Edge, Google Chrome, and Apple Safari in the browser category; and Adobe Reader and Microsoft Office 365 ProPlus under the enterprise applications category. In a sign of the times, Tesla's Model 3 car was also one of the targets available to researchers.

The annual Pwn2Own contest was launched in 2007 and is part of the CanSecWest security conference. Over the years, the event has become a venue for some of the top white-hat hackers in the world to congregate and take a crack at widely used and popular technologies. The event has become a security proving ground of sorts for technology vendors and has been useful in helping them identify and close vulnerabilities they might have missed themselves. The organizers of Pwn2Own give vendors 90 days to fix vulnerabilities that are disclosed to them at the event.

"The contest has certainly grown and expanded over the last few years," Gorenc says. "We've added categories for automobiles and enterprise communications while maintaining traditional targets like Web browsers and operating systems."  

Numerous Exploits
In the first two days of the three-day contest, security researchers from around the world punched holes in multiple widely used technologies and raked in tens of thousands of dollars in the process.

Jack Dates of RET2 Systems won $100,000 for exploiting an integer overflow error in Apple Safari and an out-of-bounds write issue to get kernel-level code execution. He picked up another $40,000 for combining three vulnerabilities in the Parallels Desktop virtualization software for Apple Macs to execute code on the underlying OS.

Dates' Parallels Desktop exploit was one of two that involved the virtualization technology at this year's Pwn2Own. On Thursday, security researcher Benjamin McBride of L3Harris Trenchant used a memory corruption bug in Parallels Desktop to escape the virtualization layer and execute code on the underlying OS. Like Dates, McBride earned $40,000 for his effort.

Researchers at DEVCORE Security Consulting, meanwhile, picked up $200,000 for showing how attackers could completely take over a Microsoft Exchange server by combining an authentication bypass vulnerability with a local privilege escalation issue in the technology. The discovery is sure to add to the already high concerns around Exchange server prompted by the recent disclosure of four critical zero-day bugs in the technology.

Independent security researcher OV demonstrated code execution on Microsoft Teams by combining a pair of bugs and was paid $200,000 for the effort. A team from Viettel Cyber Security earned $40,000 for showing how attackers could take advantage of an integer overflow bug in Windows 10 to escalate privileges from a regular user to a user with system-level privileges.

Bruno Keith and Niklas Baumstark from Dataflow Security exploited Google Chrome renderer and Microsoft Edge using the same exploit against both browser technologies and netted $100,000 as a reward for their work.

"The biggest takeaway so far is just the breadth of talent that comes to the competition," Gorenc says. "It's great to see the current art of exploitation in action against a variety of targets."   

The exploits targeting Microsoft Exchange, Teams, and Zoom have been the most significant so far, he says.

"We've already seen the impact Exchange bugs have on enterprises this year, so finding and fixing these bugs before they are used by attackers is huge," Gorenc notes.

Similarly, Microsoft Teams and Zoom are nearly ubiquitous. But there hasn't been a lot of research done on their security.

"Getting researchers to focus their interest here provides the vendors a great resource in resolving these vulnerabilities before they can be used by adversaries," Gorenc says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 
