Skip to end of metadata
Go to start of metadata

Description

The zoom.us application has a security flaw thanks to a hidden web server that is installed along with the application.

https://nvd.nist.gov/vuln/detail/CVE-2019-13567

Affects versions of zoom.us below: 4.4.53932.0709

CVE-2019-13450

The following patch should also mitigate: https://nvd.nist.gov/vuln/detail/CVE-2019-13450

This threat also affects RingCentral as this is powered by zoom.us


Information

Once installed, zoom.us runs its own web server service.  This can be seen from running the following:

# lsof -i :19421
COMMAND   PID    USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ZoomOpene 548 sholden    7u  IPv4 0xb47db4cc976decf3      0t0  TCP localhost:19421 (LISTEN)


This process can be killed and even removed, but you may notice it re-instal.  To mitigate this security flaw either:

  • Update  to version 4.4.53932.0709 or above - removes the zoom.us web service
  • Patch your macOS device with MRTConfigData version 1.45 or above - removes the zoom.us web service

Directions

Upgrade zoom.us

Updates may be downloaded from: https://zoom.us/download

This page also hosts a download for managed deployment, labelled "Download for IT Admin".  With the use of a pre-configured supporting file, the software may be configured during installation:

https://support.zoom.us/hc/en-us/articles/115001799006-Mass-Deployment-with-Preconfigured-Settings-for-Mac

As such, it should be possible to preset the video to be off, for example.  

  • Key: ZDisableVideo
  • Type: Boolean
  • Value: True

However, it appears that although the configuration plist file is placed in /Library/Preferences/, editing this file has no affect on the shown preference once the software is installed.  As such, consider re-isnstalling the software with this supporting file.


Update MRTConfigData

Apple have re-acted to this and have provided an update to their Malware Removal Tool.  Allowing this tool to update to version 1.45 or higher will remove the web service part of zoom.us if it exists.

If devices are already configured to "Install system data files and security updates" then this should instal automatically.

However, if this option is disabled, FileWave is able to push the update as a Software Update Fileset.  Searching for MRTConfigData should show version 1.45 (041-84505)



Considerations

It may be prudent to monitor the use of the software and devices to ensure they are protected.

FileWave already stores Application versions by default.  It is therefore possible to create an Inventory Query to show installations of zoom.us:

However, to report on the version of MRTConfigData would require a Custom Field which could be based upon:

defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString





  • No labels