Remote Conferencing: Windows Clients Vulnerability

Update: On Thursday, April 2, 2020, Zoom released a security patch for this vulnerability. Please update Zoom to the latest version.

Security researcher @_g0dmode wrote about a vulnerability in Zoom’s Windows client, though this attack can be leveraged in any chat system that allows the sending of hyperlinks. Users (or in this case, the attacker) can send Universal Naming Convention (UNC) paths in the chat window. A legitimate use case for this feature would be sending a link to a document on a file share relevant to the discussion. Many chat and conferencing applications automatically convert the UNC path into a hyperlink. When the target user clicks on the hyperlink, their computer tries to connect to the remote site. By default, Windows sends the user’s login information and NTLM password hash. The attacker can then crack the user’s NTLM password hash.

Specific to Zoom, this path-hyperlink vulnerability also allows the attacker to send a UNC path to launch an executable on the target machine.

What You Need To Do

  1. Deploy multifactor authentication for all remote access
  2. Block ports 139 and 445 outbound on your firewall
  3. Prevent NTLM credentials from being sent to remote servers by configuring the following Group Policy to Deny All:
     • Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
  4. While you wait to test the above configuration changes, remind users to be wary of clicking on chat links
     • If they did click on a link and received a Windows prompt to run a program, they should hit Cancel, which will not allow the program to run

Please remember to test all configuration changes, as they could cause issues when users attempt to access shares.
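
To confirm that the changes in steps 2 and 3 actually reached a workstation, a read-only check such as the following can be run on the host. This is an added example, not part of the original advisory; the function names are hypothetical, and it assumes the port block is enforced with Windows Defender Firewall on the host (a perimeter firewall has to be checked on that device instead).

```powershell
# Added example (read-only): report whether this host has mitigations 2 and 3 in place.
# Function names are illustrative, not from the advisory.

function Get-OutgoingNtlmPolicy {
    # Registry value behind "Network security: Restrict NTLM: Outgoing NTLM
    # traffic to remote servers": 0 = Allow all, 1 = Audit all, 2 = Deny all.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $prop  = Get-ItemProperty -Path $key -Name 'RestrictSendingNTLMTraffic' -ErrorAction SilentlyContinue
    $value = if ($null -ne $prop) { [int]$prop.RestrictSendingNTLMTraffic } else { 0 }  # unset behaves as Allow all
    $label = @('Allow all', 'Audit all', 'Deny all')[$value]
    [pscustomobject]@{ Check = 'Outgoing NTLM policy'; State = $label; Compliant = ($value -eq 2) }
}

function Get-OutboundSmbBlock {
    param([string[]]$Ports = @('139', '445'))

    # Remote TCP ports named by enabled outbound Block rules in the active
    # policy store (local rules plus rules delivered by Group Policy).
    $blocked = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Outbound `
                   -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' } |
        ForEach-Object { $_.RemotePort }

    foreach ($port in $Ports) {
        # Exact port match only. Port ranges, a default-block outbound profile, and
        # rules scoped to one profile, program or address are not evaluated here.
        $hit = $blocked -contains $port
        [pscustomobject]@{
            Check     = "Outbound TCP/$port block rule"
            State     = if ($hit) { 'Rule present' } else { 'No matching rule' }
            Compliant = [bool]$hit
        }
    }
}

# Print one row per check.
@(Get-OutgoingNtlmPolicy) + @(Get-OutboundSmbBlock) | Format-Table -AutoSize
```

A `Compliant` value of `False` for the NTLM row while the policy is set to Deny All in Group Policy usually means the policy has not been applied to the machine yet.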

For more information please visit the following sources:

Bleeping Computer: Zoom Lets Attackers Steal Windows Credentials via UNC Links

Microsoft Support: Preventing SMB traffic from lateral connections and entering or leaving the network

 

SEAN D. GOODWIN, CCSP, CISA, CISSP, GCIA, GCIH, GCWN, GSEC, PCIP, QSA
IT ASSURANCE MANAGER
617-261-8139
[email protected]

WILLIAM J. NOWIK, CISA, CISSP, QSA, PCIP
PRINCIPAL
617-428-5469
[email protected]
