Security Policy Orchestration: Forescout Research examines response to Zoom zero-day

David Wolf | August 2, 2019

The Zoom zero-day hit. Then, Forescout Researchers were curious enough to venture forth to the emergency web conference of Zoom Video Communications, in which Zoom CEO Eric Yuan led his organization through its incident response to an uncomfortable Remote Code Execution (RCE) bug in its enterprise software.

The Zoom macOS client vulnerability was interesting: It allowed any website to forcibly join a user to a Zoom call with their video camera activated and without the user’s permission, to perform denial-of-service, and to automagically re-install the app. Apple has since silently removed affected applications from up-to-date devices by utilizing the Malware Removal Tool. Assetnote researchers discovered similar RCE product security issues and also pointed out the impact across Zoom’s white label partner supply chain.

Zoom’s Technology Challenge: Product Security Control
Behind the scenes, the challenge faced by Zoom neatly illustrated the difficulty of maintaining leadership, architectural vision and product security control while developing apps and tools across many platforms. So many business apps. So many platforms. So many variants.
 
Sometimes, Technology and Financial Services companies share the same headache. Just as today’s Financial Services CISOs must endure the maintenance of countless internally-built applications, modern code-developing Technology firms like Zoom work to extend product security visibility – but the struggle is real. In this case, the surprise came from Zoom’s native Mac app.
 
The Supply Chain
‘So what’ if only Mac users were affected? There are 100 million Macs and countless enterprises use them. And the backstory provides an interesting supply chain threat model at a scale that just keeps getting bigger. Further supply chain challenges affect Zoom apps and its remarkable application capabilities through its partner program. At worst, any partner supply chain resembles how risk transferred from Business Associates (BAs) leads to breach in healthcare, and how partner software bundling exposes a broader application attack surface for suppliers like HP, Dell and Lenovo. Supply chain issues go both upstream and downstream, and they’re hard to manage.
 
Sometimes IoT Looks Like Magic
In the meantime, the IoT situation keeps getting weirder. “If any good technology is sufficiently indistinguishable from magic, some of the devices made by Zoom partners are definitely magic,” said one Forescout Researcher. Many operating systems, many MAC addresses, infinity features and IP-enabled components from an array of manufacturers. The world is changing on us, one thing at a time.
 
Introducing Forescout SPT VR Zoom: Practicable, Policy-Led Orchestration
That backstory is how Forescout Research selected this month’s Security Policy Template (SPT) in order to demonstrate practicable orchestration on the Forescout platform. This time, we aimed to demonstrate an elegant, policy-led orchestration as a simple SPT in response to the Zoom issue. Overall, orchestration-leading security policy templates can be adapted to find the gaps between vulnerable and patched devices across the data center, cloud and campus.

Research Discussion
Later, after having participated and delivered their assorted responses, Forescout Researchers heralded the arrival of their Zoom T-shirt, which they would later share in their Research Labs next to the Forescout Family OT/ICS trophy case. Overall, they were impressed by the Zoom CEO’s incident response and resulting positive narrative.
 
Forescout Product Content Updates
The security policy for SPT VR Zoom is a nice takeaway for Forescout customers. Also, due to the complicated Zoom Supply Chain, we released SPT VR RingCentral Meetings, which addresses the same issue in a white-label version of the same technology:

  • Forescout Customers: Download the module and related documentation from the Customer Support Portal.

Orchestration Based on Hardware Asset Inventory
Special thanks to Tom Mizrahi, an internal power-user who volunteered SPT VR MDS as an extra Security Policy Template to demonstrate orchestration based on hardware security issues. His research addressed computer hardware asset inventory and Microarchitectural Data Sampling (MDS) exploits, which include ZombieLoad, RIDL and Fallout side-channel attacks on Intel CPUs. Policies created with this policy template detect managed Windows, Linux/Unix, and macOS™/OS X® endpoints that are vulnerable to MDS exploits.