CVE-2021-28133 Information

Description

Zoom through 5.5.4 sometimes allows attackers to read private information on a participant’s screen even though the participant never attempted to share the private part of their screen. When a user shares a specific application window via the Share Screen functionality other meeting participants can briefly see contents of other application windows that were explicitly not shared. The contents of these other windows can (for instance) be seen for a short period of time when they overlay the shared window and get into focus. (An attacker can of course use a separate screen-recorder application unsupported by Zoom to save all such contents for later replays and analysis.) Depending on the unintentionally shared data this short exposure of screen contents may be a more or less severe security issue.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Reference

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-044.txt https://www.syss.de/pentest-blog/syss-2020-044-sicherheitsproblem-in-screen-sharing-funktionalitaet-von-zoom-cve-2021-28133 https://zoom.us/trust/security/security-bulletin https://www.youtube.com/watch?v=SonmmgQlLzg https://thehackernews.com/2021/03/new-zoom-screen-sharing-bug-lets-other.html http://seclists.org/fulldisclosure/2021/Mar/48 http://packetstormsecurity.com/files/161897/Zoom-5.4.3-54779.1115-5.5.4-13142.0301-Information-Disclosure.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

NONE

Base Severity

4.3