Attack Chain

Given the limited information, the following attack chain is a hypothetical scenario based on typical local privilege escalation and information disclosure techniques:

1. Attacker gains initial local access to a system with Zoom Workplace or Rooms installed.
2. Attacker identifies a vulnerable Zoom process running with elevated privileges.
3. Attacker exploits a memory corruption vulnerability in the Zoom process to execute arbitrary code.
4. Attacker uses the compromised Zoom process to read sensitive files or memory regions accessible to the Zoom process.
5. Attacker leverages the compromised Zoom process to inject malicious code into other processes running with higher privileges.
6. Attacker uses the injected code to create a new user with administrative privileges.
7. Attacker logs in as the newly created user and gains full control of the system.

Impact

Successful exploitation of these vulnerabilities by a local attacker could lead to sensitive information disclosure and complete system compromise through privilege escalation. The vulnerabilities affect Zoom Workplace and Zoom Rooms, potentially impacting organizations that rely on these products for communication and collaboration.

Recommendation

• Monitor process creations for unusual child processes spawned by Zoom processes to detect potential privilege escalation attempts (see Sigma rule “Detect Suspicious Zoom Child Processes”).
• Monitor file access patterns of Zoom processes for attempts to access sensitive files outside of their normal operating scope (see Sigma rule “Detect Suspicious Zoom File Access”).
• Implement least privilege principles to limit the privileges of Zoom processes and reduce the potential impact of successful exploitation.