SECURITY ALERT: Zoom Under Scrutiny in Wake of UNC Patch Injection Issue Disclosure
Zoom Bug May Leak Network and Personal Data to Malicious Actors
Amid the coronavirus outbreak, Zoom Video Communication, the California-based video remote conferencing company that has become the backbone of the entire work-from-home effort, struggles to contain what can easily turn into a massive data leak.
Coined the UNC patch injection issue by @_g0dmode “Mitch”, the cybersecurity researcher who identified it in the first place, this vulnerability can be exploited to steal Windows login credentials and network information. Despite having been notified of the issue, Zoom has yet to come up with a more permanent solution.
Zoom has, no doubt, become an indispensable communication tool and an asset for companies who want to ensure business continuity for the duration of the pandemic.
According to The Guardian, the company has registered a 1,500% growth in shares, as more and more investors rally around Zoom’s banner. As we speak, Yuan’s brainchild has overtaken its competitors, including Skype for Business, Microsoft Teams, Google’s Meet, Slack, etc. However, this rapid growth comes at a cost, as cybersecurity researcher @_g0dmode recently pointed out.
The case for Zoom is an obvious one: video beats audio and text alone. Face time is as important as exercise during remote work, since it promotes solidarity among employees. Zoom, like most of its competitors, has many useful business-oriented features such as link-sharing, online collaboration and workspaces.
UNC Patch Injection Issue
In regards to link-sharing, tools such as Zoom usually convert URLs to shareable hyperlinks. Nothing out of the ordinary about that; in fact, this process allows the user to open the link in a web browser. This is where things tend to get a little complicated.
Per observations, Zoom’s client doesn’t only transform URLs into shareable hyperlinks but, at the same time, turns UNC (Universal Naming Convention) paths into clickable links as well. Why does this point toward a data breach?
Going back to the basics, as you know, UNC is the standard that allows you, the user, to identify files, servers, printers, or other resources in a network (i.e. company network, home network, etc.).
UNC provides a bird’s-eye view of every device, file or resource that exists in a pre-defined network.
Here’s what a regular UNC path looks like: “\\Kansas\Example\Wicked.txt”. Now, to access the text document Wicked, you would have to call up the share (“Example”) and the server it’s hosted on (“Kansas”).
So, what happens if someone opens a UNC path link? Your endpoint will attempt to open a connection to a remote site. This is achieved via SMB (Server Message Block), a network file-sharing protocol. During this negotiation, your OS shares, by default, your login name and the NTLM (NT LAN Manager) credential hash.
If the SMB server that handles these requests is under the control of a malicious actor (hacker), then, on clicking the UNC path link, Windows will automatically leak all this info. One would be inclined to say that the malicious actor has no use for this info since nothing is stored in plaintext.
However, as @_g0dmode (Mitch) pointed out, this hash can be cracked in the blink of an eye, using open-source tools. It gets even worse – if the user forgot to change his password or uses a weak one, the cracking process becomes even easier.
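The root cause described above is a chat “linkifier” that treats anything link-shaped as clickable. The following is an added illustration, not Zoom’s code: a naive linkifier that also hyperlinks UNC paths, next to a hardened one that only hyperlinks http(s) URLs and leaves UNC paths as inert text. The function names and the sample message are constructed for the example.

```powershell
# Added example (illustrative, not Zoom's implementation).
# Shows why auto-linking UNC paths is dangerous and how a chat client
# should render them instead.

function ConvertTo-NaiveChatHtml {
    param([string]$Text)
    # Hyperlinks both http(s) URLs and UNC paths (\\server\share\file).
    # A click on the second kind makes Windows open an SMB connection and
    # send the NTLM challenge-response to whoever runs "server".
    $pattern = '(https?://\S+|\\\\[^\s\\]+\\\S+)'
    $linkify = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m) "<a href=""$($m.Value)"">$($m.Value)</a>"
    }
    return [regex]::Replace($Text, $pattern, $linkify)
}

function ConvertTo-SafeChatHtml {
    param([string]$Text)
    # 1. HTML-encode everything first so pasted text can never inject markup.
    $escaped = [System.Net.WebUtility]::HtmlEncode($Text)
    # 2. Only http/https URLs become links; UNC paths stay plain text,
    #    so no click can trigger an SMB/NTLM exchange.
    $pattern = 'https?://[^\s<"]+'
    $linkify = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m) "<a href=""$($m.Value)"" rel=""noopener"">$($m.Value)</a>"
    }
    return [regex]::Replace($escaped, $pattern, $linkify)
}

function Test-ContainsUncPath {
    param([string]$Text)
    # Detection helper: flag messages carrying a UNC path for review/logging.
    return [bool]([regex]::IsMatch($Text, '\\\\[^\s\\]+\\\S+'))
}

# Constructed sample chat message mixing a legitimate URL and a UNC path.
$msg = 'Slides: https://example.com/deck.pptx and notes at \\Kansas\Example\Wicked.txt'
"Naive : " + (ConvertTo-NaiveChatHtml $msg)   # UNC path becomes <a href="\\Kansas\...">
"Safe  : " + (ConvertTo-SafeChatHtml  $msg)   # only the https link is clickable
"Flag  : " + (Test-ContainsUncPath    $msg)   # True
```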
Following the cybersecurity analyst’s disclosure, Zoom has informed all of its customers that it has taken the necessary steps to solve (and, possibly, mitigate) this issue. No timeline has been announced. Meanwhile, Microsoft has released a possible workaround for the UNC patch injection issue. I will cover this in the upcoming section.
Zoom’s #1 on the hitlist
This isn’t Zoom’s only blunder. In July 2019, EPIC (Electronic Privacy Information Center) filed a complaint against the Californian company, after several cybersecurity analysts brought to attention the fact that the Zoom app was, allegedly, designed to bypass several layers of security imposed by the web browser in order to access the user’s camera.
This was (allegedly) done without the user’s express consent or knowledge, for that matter. Zoom’s retort was to take down all the remote servers.
Unfortunately, Zoom’s list of blunders doesn’t end here. Recently, the company received a major backlash after Motherboard revealed that Zoom’s iOS application was covertly harvesting user data and sending it to third parties, including Facebook.
Allegedly, this data, which included chat logs, personal notes, audio, and video recordings, would be used in targeted Facebook advertisements and other marketing endeavors. The purpose of this article is to provide you with insight on the latest UNC patch injection issue, not to do a ‘Zoom blunders body-count’, so I’m going to stop right here.
How to use Zoom safely while working from home
I’ve put together a small list of useful advice on how to protect your data and privacy while using Zoom from home.
Restricting NTLM: Outgoing NTLM traffic to remote servers
Let’s talk about the elephant in the room, which in this case is Microsoft’s ‘hotfix’. While waiting for Zoom to remediate the issue, you can try out this temporary solution. Note that this solution only works for machines running Windows 10.
If you have admin-type rights, run the Group Policy Editor and select Computer Configuration. From there, head to Windows Settings → Security Options → Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers. Select the Deny all option and save changes.
If you’re denied access to the Group Policy Editor, try this workaround. Run the registry editor. Select HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0. Right-click in the right-hand pane, select “New”, and then select “DWORD (32-bit) Value”. Rename the newly created DWORD value to RestrictSendingNTLMTraffic. Double-click on the renamed parameter and assign it the value “2”.
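The same registry workaround, scripted so you can audit the current state before denying outgoing NTLM outright. This is an added example, not from the article or from Microsoft; it assumes an elevated PowerShell session and uses the value meanings of the policy (0 = Allow all, 1 = Audit all, 2 = Deny all). The function names are my own.

```powershell
# Added example: inspect and set "Restrict NTLM: Outgoing NTLM traffic to
# remote servers" through its registry value. Run elevated. If a domain GPO
# defines this policy, it will overwrite whatever is set locally.
$Key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Name    = 'RestrictSendingNTLMTraffic'
$Meaning = @{ 0 = 'Allow all (default)'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-OutgoingNtlmRestriction {
    # A missing value means the policy is "Not defined", i.e. NTLM is allowed.
    $value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $value) { $value = 0 }
    [pscustomobject]@{
        Value   = [int]$value
        Meaning = $Meaning[[int]$value]
        Safe    = ([int]$value -eq 2)
    }
}

function Set-OutgoingNtlmRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(0, 1, 2)][int]$Level = 2)
    # Creates the DWORD if absent, overwrites it otherwise. -WhatIf previews.
    if ($PSCmdlet.ShouldProcess("$Key\$Name", "set to $Level ($($Meaning[$Level]))")) {
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord `
                         -Value $Level -Force | Out-Null
    }
}

Get-OutgoingNtlmRestriction                    # where are we now?
Set-OutgoingNtlmRestriction -Level 1 -WhatIf   # preview: audit mode first
# Set-OutgoingNtlmRestriction -Level 2         # the article's "Deny all"
```

Setting level 1 first records outgoing NTLM attempts in the Microsoft-Windows-NTLM/Operational event log, which shows which legitimate file servers or printers would break once you move to 2.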
Review and update your Zoom privacy settings
Before reviewing your privacy settings, ensure that your machine runs the latest Zoom version. Do keep in mind that malicious actors will always try to exploit security gaps such as unpatched or outdated apps. On the latter, I would recommend an automatic updater app to avoid having to update them manually.
Heimdal™ Threat Prevention, our company’s award-winning DNS traffic-filtering solution, solves two major issues: it blocks malicious connections to prevent malware from reaching your device, and it updates your apps and software on the fly.
In regards to Zoom privacy, I would also advise you to use a second device for other tasks (i.e. replying to a colleague’s DM, checking your email, Googling) to avoid Zoom’s notorious attention-tracking widget. Also, it would be a good idea to log in with your Zoom credentials rather than with your Facebook account to avoid data harvesting.
The UNC patch injection issue remains unsolved. We are (eagerly) expecting some sort of articulated response from Zoom, considering that a whopping number of companies rely on Zoom’s software to ensure business continuity. I will update this article as soon as Zoom releases a permanent fix for the issue.
This is really 90% Microsoft’s fault, for still having the horrid NTLM authentication protocol on by default in domain-managed machines, instead of what they should have done long ago, namely to only allow Kerberos authentication instead. What you describe as a “hot fix” is really the real and only permanent solution to this entire class of issues. “Zoom” is by no means the only application that allows an attacker to lure a user into opening a UNC path and therefore opening up an NTLM authentication oracle for abuse. Zoom is just one, currently particularly headline-grabbing, brand name in this context. Microsoft, please bury NTLM authentication quickly. It’s not a proper authentication protocol in so many ways. It’s dangerous. Use Kerberos!
Would disabling the Windows SMB protocols 1.0, 2.0 and 3.0 also mitigate this vulnerability?
I think that those of us who still have several months paid for should get the best protection against viruses, so if you make a new and better program, we should be moved over to it.