Cisco Talos a cyber threat intelligence group found two Vulnerabilities in the video conferencing application which can let the malicious user exploit arbitrary code on victims’ machines. Cisco Talos operated along with Zoom and made patch accessible. The first security vulnerability (CVE-2020-6109) remained in the way Zoom takes full advantage of GIPHY service, recently bought by Facebook.
Patch now available
The video conferencing application is becoming popular as each day pass and has gained a huge audience in a short span. However, the organization has too many issues concerning security. The latest vulnerability is among them.
Explaining the vulnerability, researchers said that an exploitable route traversal vulnerability subsists in the Zoom client, version 4.6.10 means messages also contain animated GIFs. A uniquely developed chat message can create an inconsistent file write, which could be exploited to execute arbitrary code execution. An attacker requires transferring a specifically designed information to an end-user or a group to abuse this vulnerability.
As per the researchers following the second vulnerability sequenced as CVE-2020-6110, a specifically crafted chat message can create an inconsistent binary planting, which could be exploited to execute arbitrary code execution. An intruder requires to transfer a uniquely crafted information to an end-user or a group to trigger this vulnerability.
Talking about the two possible scenarios the researchers stated that initially without user interaction that it can be exploited to plant arbitrary binaries on the victim’s system at a forced path possibly utilized in exposing different vulnerabilities. Furthermore, with user interaction, plant binaries at almost arbitrary paths and can overwrite critical files and lead to arbitrary code execution.
Both the vulnerabilities are path traversal which can be abused to plant or write arbitrary code on vulnerable versions of video conferencing software. The flaw was found in version 4.6.10 of Zoom.