There are many organizations and individuals that create their own encryption schemes. While there are security advantages to using a custom scheme, the disadvantages are magnified when the software using the scheme has a large number of users. Zoom is one company that uses its own proprietary encryption scheme, and a serious security vulnerability related to that encryption was discovered. As a result of this vulnerability, the information of more than 500,000 Zoom Meeting users has been leaked.
Because of the COVID-19 pandemic, governments have been enforcing shelter-in-place orders, which has led to employees working from home. To work effectively, they must stay securely connected and communicate. Zoom is a tool that many people worldwide use to do that. In fact, many companies use it as their main communication medium, which makes this vulnerability a serious problem.
Why did it happen?
In an April Zoom blog post, Zoom explains that it does not currently implement actual end-to-end encryption, even though it has called its encryption "end-to-end". Zoom has used the term to describe a type of transport encryption between client devices and Zoom servers. As a result, Zoom itself is, in principle, able to decrypt and monitor Zoom Meeting content once that content reaches its servers.
Where is the vulnerability?
The video and audio data of Zoom meetings is distributed to all participants through a Zoom server (Zoom's cloud). When customers choose to host on-premises, Zoom still generates, and therefore has access to, the AES key that encrypts the meeting. Meeting hosts can enable virtual waiting rooms, which deny attendees direct access to a meeting; instead, attendees must wait to be admitted by the host. According to the Citizen Lab researchers, however, each person in the waiting room already receives the meeting's decryption key. So a malicious actor does not actually have to join the meeting to access its video and audio stream.
Another critical security issue with Zoom's encryption was also reported. According to previously released documents, the Zoom application used the AES-256 algorithm to encrypt meeting content. In reality, the Zoom application uses a single 128-bit encryption key instead.
Finally, Zoom encrypts and decrypts all audio and video during meetings using AES in ECB mode. ECB is not recommended because it is semantically insecure: simply observing ECB-encrypted ciphertext can leak information about the plaintext. In ECB mode, each block of plaintext (8 or 16 bytes, depending on the cipher) is encrypted independently, so the same block of plaintext always yields the same block of ciphertext. This allows an attacker to detect that ECB-encrypted messages are identical, contain repetitive data, share a common prefix, or share other common substrings.
For more detail, there is a nice graphical demonstration of this weakness on Wikipedia.
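The ECB weakness described above can be checked directly on ciphertext. The following is an added example, not Zoom's or OPSWAT's code: it encrypts a constructed, highly repetitive "frame" (the kind of data a flat-colour video frame or silent audio produces) under AES-ECB and under AES-CBC, then runs the simple check a reviewer can apply to captured ciphertext, counting repeated 16-byte blocks and shared prefixes. Real AES is used when the `cryptography` package is installed; otherwise a clearly labelled stand-in block function built from SHA-256 is used, which is not a cipher but reproduces the one property the demonstration depends on (same key and same input block give the same output block). The key, IVs and frame contents are constructed values.

```python
import hashlib
from typing import List, Set, Tuple

BLOCK = 16  # AES block size in bytes

# Use a real AES implementation when the 'cryptography' package is installed.
try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_CRYPTOGRAPHY = True
except ImportError:
    HAVE_CRYPTOGRAPHY = False


def _pad(data: bytes) -> bytes:
    """PKCS#7 padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _stand_in_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption when 'cryptography' is absent.
    It is NOT a cipher (it cannot be inverted); it only reproduces the one
    property this demo depends on: the same key and input block always
    give the same output block."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def _blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def encrypt_ecb(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently under the same key."""
    data = _pad(plaintext)
    if HAVE_CRYPTOGRAPHY:
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(data) + enc.finalize()
    return b"".join(_stand_in_block(key, b) for b in _blocks(data))


def encrypt_cbc(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before
    encryption, so equal plaintext blocks no longer give equal ciphertext.
    The IV is prepended to the output."""
    data = _pad(plaintext)
    if HAVE_CRYPTOGRAPHY:
        enc = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).encryptor()
        return iv + enc.update(data) + enc.finalize()
    out, prev = [], iv
    for b in _blocks(data):
        prev = _stand_in_block(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return iv + b"".join(out)


def duplicate_block_count(ciphertext: bytes) -> int:
    """How many 16-byte blocks repeat an earlier block of the same message."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def looks_like_ecb(ciphertext: bytes) -> bool:
    """Reviewer's check: any repeated ciphertext block within one message is a
    strong sign of ECB (or of a misused mode, e.g. CBC with a reused IV)."""
    return duplicate_block_count(ciphertext) > 0


def equal_block_pairs(data: bytes) -> Set[Tuple[int, int]]:
    """Positions (i, j) of identical blocks. Under ECB this pattern is copied
    from the plaintext into the ciphertext unchanged."""
    blocks = _blocks(data)
    return {(i, j) for i in range(len(blocks))
            for j in range(i + 1, len(blocks)) if blocks[i] == blocks[j]}


def common_prefix_blocks(ct_a: bytes, ct_b: bytes) -> int:
    """Number of leading blocks two ciphertexts have in common."""
    n = 0
    for a, b in zip(_blocks(ct_a), _blocks(ct_b)):
        if a != b:
            break
        n += 1
    return n


# Constructed inputs (not real Zoom traffic): a 16-byte key and a 256-byte
# "frame" in which the same 4-byte sample repeats 64 times.
KEY = b"constructed-16B!"
FRAME = bytes([0x10, 0x80, 0x80, 0x00]) * 64

if __name__ == "__main__":
    iv = bytes(range(16))  # constructed, fixed only so the run is reproducible
    ct_ecb = encrypt_ecb(KEY, FRAME)
    ct_cbc = encrypt_cbc(KEY, iv, FRAME)
    print("AES backend:", "cryptography" if HAVE_CRYPTOGRAPHY else "stand-in")
    print("ECB repeated blocks:", duplicate_block_count(ct_ecb))
    print("CBC repeated blocks:", duplicate_block_count(ct_cbc))
    print("ECB copies plaintext structure:",
          equal_block_pairs(ct_ecb) == equal_block_pairs(_pad(FRAME)))
```

With the constructed frame, the ECB ciphertext contains 15 repeated blocks and the set of equal-block positions is identical to that of the padded plaintext, so the repetition in the media is visible without the key; the CBC ciphertext of the same frame has no repeated blocks. The prefix check shows the caveat that matters when choosing a replacement mode: two messages that begin with the same 32 bytes share their first two ECB blocks, and CBC only hides that shared prefix when each message gets a fresh IV. An authenticated mode such as AES-GCM with a unique nonce per message is the usual recommendation, and none of this substitutes for the end-to-end encryption the post says Zoom lacked.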
This encryption vulnerability was reported as CVE-2020-11500.
More information about this vulnerability is available at https://metadefender.opswat.com/vulnerabilities/CVE-2020-11500
This weakness makes it easier for attackers to decrypt meeting content and violate user privacy.
How does OPSWAT detect Zoom vulnerability?
OPSWAT technologies can monitor all endpoints in an organization that have this vulnerability.
MetaAccess can detect devices that have the Zoom vulnerability CVE-2020-11500, as well as provide remediation instructions.
It is strongly recommended that you always keep Zoom up-to-date.