Information disclosure in Zoom client

1) Exposure of Resource to Wrong Sphere

EUVDB-ID: #VU51622

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-28133

CWE-ID: N/A

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists within the screen lock functionality due to the way the Zoom client for Windows and Linux handles screen sharing. When a user shares a specific application window via the Share Screen functionality, other meeting participants can briefly see contents of other application windows that were explicitly not shared.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Zoom Client for Windows: 5.0.0 23168.0427 - 5.5.4 13142.0301

Zoom Client for Linux: 5.1.418436.0628 - 5.5.2 7011.0206

External links

http://seclists.org/fulldisclosure/2021/Mar/48
http://thehackernews.com/2021/03/new-zoom-screen-sharing-bug-lets-other.html
http://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-044.txt
http://www.syss.de/pentest-blog/syss-2020-044-sicherheitsproblem-in-screen-sharing-funktionalitaet-von-zoom-cve-2021-28133
http://www.youtube.com/watch?v=SonmmgQlLzg
http://zoom.us/trust/security/security-bulletin

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.