-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2022-048
Product: Zoom
Manufacturer: Zoom Video Communications, Inc.
Affected Version(s): 5.11.9 (8040)
Tested Version(s): 5.11.9 (8040)
Vulnerability Type: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Risk Level: Low
Solution Status: Fixed
Manufacturer Notification: 2022-08-25
Solution Date: 2022-11-07
Public Disclosure: 2022-11-11
CVE Reference: CVE-2022-28764
Author of Advisory: Christian Zäske, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Zoom is video conferencing and messaging software with support for many
different devices. Some of the supported features as described by the
manufacturer are the following (see [1]):

* Unparalleled usability
  Enable quick adoption with virtual meeting capabilities that make it
  easy to start, join, collaborate, and schedule meetings across any
  device.

* Join anywhere, on any device
  Zoom Meetings syncs with your calendar system and delivers streamlined
  enterprise-grade video conferencing from desktop, mobile and dedicated
  Zoom for Home Devices.

* Powerful virtual meeting security
  Robust security settings help to ensure disruption-free virtual
  meetings, with encryption, role-based security, Passcode protection,
  Waiting Rooms, and more.

Because in-meeting chat messages are stored locally under a per-device
key, the messages of the last meeting can be read without authenticating
as the Zoom account that was used. Access to the OS user account that ran
Zoom is required.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When users exchange messages in a Zoom meeting, these messages are saved
in a local SQLCipher database [4]. Using the per-device key, the database
can be opened and the messages of the last meeting, including sender name
and timestamp, can be read in plain text.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The in-meeting chat functionality exposes sensitive information to an
unauthorized actor. If chat messages are exchanged in a meeting room,
they are stored in the file "zoommeeting.enc.db" inside the "data"
directory of the Zoom installation folder. This SQLCipher database can be
opened with a per-device key, which is stored in plain text on Linux
(~/.config/zoomus.conf) or encrypted with DPAPI on Windows
(%AppData%/Zoom/data/Zoom.us.ini).

Access to the OS user who used Zoom is required: DPAPI only decrypts the
key in the context of the user who protected it, and on both Linux and
Windows the files named above grant read access to that user only. Any
code running as that user, however, can obtain the key and read the sent
and received messages of the last meeting in plain text without further
authentication of the Zoom user. The messages are not deleted after the
meeting has ended.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Delete the "zoommeeting.enc.db" file once the messages are no longer
required; Zoom recreates the file when needed. Update to version 5.12.6,
which patches the vulnerability.
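The following POSIX shell function is an added example and is not part of
the SySS advisory or of Zoom's software. It audits the two Linux artifacts
the advisory names: it reports a key file (zoomus.conf) that is readable by
anyone other than its owner, which would widen the attack surface beyond
"access to the OS user", and it reports, and optionally deletes, a stale
zoommeeting.enc.db left behind after a meeting, as the Solution section
recommends. Both paths are passed as arguments because the advisory does not
give the exact Linux location of the "data" directory; the process name
"zoom" used to avoid deleting the store under a running client is an
assumption, and the file tree in the usage section is constructed for
illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: audit the Linux artifacts that hold
# the per-device key and the in-meeting chat store.
#
# zoom_chat_audit CONF DB [purge]
#   CONF  path to zoomus.conf (advisory: ~/.config/zoomus.conf)
#   DB    path to zoommeeting.enc.db (advisory: "data" directory of the
#         Zoom installation folder; exact Linux path not stated, so pass it)
#   purge literal word "purge" to delete a stale chat store
# Returns 0 when nothing is exposed, 1 when at least one finding was printed.
zoom_chat_audit() {
  conf=$1
  db=$2
  purge=${3:-no}
  rc=0

  # Finding 1: the advisory relies on zoomus.conf being readable only by the
  # owning user. Any group/other bit set means more than that user can read
  # the plain-text per-device key.
  if [ -f "$conf" ]; then
    if [ -n "$(find "$conf" -perm /077 2>/dev/null)" ]; then
      echo "FINDING: $conf readable by other users (mode $(stat -c %a "$conf" 2>/dev/null))"
      rc=1
    fi
  else
    echo "INFO: no key file at $conf"
  fi

  # Finding 2: messages persist in zoommeeting.enc.db after the meeting ends
  # and are readable with the per-device key, so a lingering file is a finding
  # in itself. Zoom recreates the file on demand, so deleting it is safe when
  # the client is not running.
  if [ -f "$db" ]; then
    echo "FINDING: stale chat store $db ($(stat -c %s "$db" 2>/dev/null) bytes)"
    rc=1
    if [ "$purge" = purge ]; then
      # Process name "zoom" is an assumption; adjust to the local binary name.
      if pgrep -x zoom >/dev/null 2>&1; then
        echo "SKIP: zoom is running, not deleting $db"
      else
        rm -f -- "$db" && echo "DELETED: $db"
      fi
    fi
  fi
  return $rc
}

# Usage against the real paths (DB path is an assumption for a user install):
#   zoom_chat_audit "$HOME/.config/zoomus.conf" "$HOME/.zoom/data/zoommeeting.enc.db" purge
```

Deleting the chat store only removes the messages of the last meeting; it
does not change the fact that the key is per-device rather than bound to the
Zoom account, so the audit is a stop-gap until the client is updated to
5.12.6 or later.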
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-08-10: Vulnerability discovered
2022-08-25: Vulnerability reported to manufacturer
2022-11-07: Patch released by manufacturer
2022-11-11: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Zoom
    https://explore.zoom.us/en/products/meetings/
[2] SySS Security Advisory SYSS-2022-048
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-048.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] Website of SQLCipher
    https://www.zetetic.net/sqlcipher/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Christian Zäske of SySS GmbH.

E-Mail: christian.zaeske@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_Zaeske.asc
Key ID: 0x7B00D164A32F9AC9
Key Fingerprint: 51D4 6E9B 3C29 7347 AC01 0F5A 7B00 D164 A32F 9AC9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUdRumzwpc0esAQ9aewDRZKMvmskFAmNryFsACgkQewDRZKMv
mslU5w//VrYQ2QyDMkuHticfJf02A+9ANY8rvaOMYThTKxRb2XQwiX1fzsMXN74R
/ilQ3jnbOVtciu0c8GNVJWXp8jyVobzlETZlPd/z7v8dr62FTzvZ0GOIja4tEEt6
zVoD/O3gcjzqN9XHCf7mGa4S3n1HUldtKuYntJA01cT/7WB1sU/3fN66OI6fn5WD
r/aJ3orG1Xi1fatkgH3CO4yDkR43zRQIofUZ9MBM6Q1l3VhNlTNGBeL5F0GLmohG
mOxsC939ajcaDRK2ZWxaSxFcdCKShMUnzfvXKAePJY+wK4UsenOIQnFmO0s/lIfn
7iqAngEgtfoUxblkQ09igqUlVAV9GXMNMxUgy03V5nvY/CGS3zH4Os+bzSGTm3ua
leWZ/FeQANEoaHcJklh35eH9YOyfhDaBU+cPw06D3fDORAuJPLY1FLdHYDaciny0
zHlNEcjq29VUTkHCXbnRCAFqOjDBMMzYLevF4VTZevxTaMjYo15PkNdhqGlVxvF5
8RVWEO4mjIDtndiPvRIzzcfapY1LK+fjyMsqROzA2G20w9hSPcZkrjUkehdSMarB
xL0wwGe1TsLaecPLUgpTIXwpRfjqB3cqpebsoxBx8tRuf5EWz0MD1t4wagwCt/q1
rsH1xLaCZwHHKFlFDtc97t/g+BYyn95znnkdG3dHTfFhO0drv+E=
=ewKb
-----END PGP SIGNATURE-----