Vulnerability Watch

Forum Discussion

Anonymous
6 years ago

Unauthorized webcam access on zoom Mac client CVE-2019-13450

Security researcher Jonathan Leitschuh has disclosed a zero day in the Zoom client for Mac that allows an attacker to force a user to join a Zoom call with their webcam enabled. The disclosure blog also suggests that this could potentially lead to a remote code execution attack, but notes that there is no evidence of an attack vector for that. According to the research, a local web server listening on port 19421 is present if Zoom has ever been installed; although the researcher was not able to identify any vulnerabilities within it, he speculates that it could be used for nefarious purposes.

Users can disable automatic video in Zoom in their user settings:

Zoom has also responded to the disclosure, explaining why it considers the severity of this vulnerability lower than the disclosure suggests, with additional information on how they are going to improve the user experience to alleviate concerns in the future. Zoom also noted that the local DoS reported by the researcher (CVE-2019-13449) was fixed in May 2019 (client version 4.4.2).

Tenable users can also use plugin 118800 for Mac and plugin 118801 for Windows to identify assets that have the Zoom client installed.
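For a quick local check of the point raised above about the web server on port 19421, the following script probes localhost for a listener on that port and, if one is found, asks lsof which process owns it. This is an added example for this post, not Zoom's or Tenable's code; the port number comes from the disclosure, while the helper names and the lsof lookup are this example's own choices.

```python
"""Report whether anything is listening on the local TCP port (19421) that the
Zoom Mac client's helper web server used, per the disclosure.

Added example for this post, not Zoom's or Tenable's code. Only the port number
comes from the post; helper names and the lsof lookup are assumptions here.
"""
import socket
import subprocess

ZOOM_LOCAL_PORT = 19421  # port named in the disclosure


def tcp_port_open(port: int, host: str = "127.0.0.1", timeout: float = 1.0) -> bool:
    """Return True if a TCP connect to host:port succeeds, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timeout, or no route: nothing is listening.
        return False


def listener_process(port: int) -> str:
    """Best-effort: use lsof (shipped with macOS) to name the process bound to port.

    Returns an empty string if lsof is unavailable or finds nothing.
    """
    try:
        out = subprocess.run(
            ["lsof", "-nP", f"-iTCP:{port}", "-sTCP:LISTEN"],
            capture_output=True, text=True, timeout=5,
        )
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return out.stdout.strip()


def check_zoom_listener(port: int = ZOOM_LOCAL_PORT) -> dict:
    """Summarise the state of the local port: whether it is open and who owns it."""
    is_open = tcp_port_open(port)
    return {
        "port": port,
        "open": is_open,
        "process": listener_process(port) if is_open else "",
    }


if __name__ == "__main__":
    result = check_zoom_listener()
    if result["open"]:
        print(f"localhost:{result['port']} is open: a local web server is still running.")
        if result["process"]:
            print(result["process"])
    else:
        print(f"Nothing is listening on localhost:{result['port']}.")
```

Run it on the Mac in question; an open port after uninstalling the client is the condition the disclosure describes, and the lsof output tells you which binary to look at.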