CVE-2019-13567 and zoom.us
Description
The zoom.us application has a security flaw thanks to a hidden web server that is installed along with the application.
https://nvd.nist.gov/vuln/detail/CVE-2019-13567
Affects versions of zoom.us below: 4.4.53932.0709
CVE-2019-13450
The following patch should also mitigate: https://nvd.nist.gov/vuln/detail/CVE-2019-13450
This threat also affects RingCentral as this is powered by zoom.us
Information
Once installed, zoom.us runs its own web server service. This can be seen from running the following:
# lsof -i :19421
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpene 548 sholden 7u IPv4 0xb47db4cc976decf3 0t0 TCP localhost:19421 (LISTEN)
This process can be killed and even removed, but you may notice it reinstall. To mitigate this security flaw, either:
Update to version 4.4.53932.0709 or above - removes the zoom.us web service
Patch your macOS device with MRTConfigData version 1.45 or above - removes the zoom.us web service
Directions
Upgrade zoom.us
Updates may be downloaded from: https://zoom.us/download
This page also hosts a download for managed deployment, labelled "Download for IT Admin". With the use of a pre-configured supporting file, the software may be configured during installation:
As such, it should be possible to preset the video to be off, for example.
Key: ZDisableVideo
Type: Boolean
Value: True
However, it appears that although the configuration plist file is placed in /Library/Preferences/, editing this file has no effect on the shown preference once the software is installed. As such, consider reinstalling the software with this supporting file.
Update MRTConfigData
Apple have reacted to this and have provided an update to their Malware Removal Tool. Allowing this tool to update to version 1.45 or higher will remove the web service part of zoom.us if it exists.
If devices are already configured to "Install system data files and security updates" then this should install automatically.
However, if this option is disabled, FileWave is able to push the update as a Software Update Fileset. Searching for MRTConfigData should show version 1.45 (041-84505)
Considerations
It may be prudent to monitor the use of the software and devices to ensure they are protected.
FileWave already stores Application versions by default. It is therefore possible to create an Inventory Query to show installations of zoom.us:
However, reporting on the version of MRTConfigData requires a Custom Field, which could be based upon:
defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
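The three checks described on this page (zoom.us version, MRTConfigData version, and a listener on port 19421) can be combined into one script that prints a single status word suitable for a Custom Field. This is an added example, not FileWave's own code; the zoom.us plist path, the use of CFBundleVersion for the zoom.us version, and the status words are assumptions.

```shell
#!/bin/sh
# Added example: thresholds and port are the values given in the article.
ZOOM_FIXED="4.4.53932.0709"
MRT_FIXED="1.45"
ZOOM_PORT=19421
# Assumption: default install path, and CFBundleVersion holds the full version.
ZOOM_PLIST="/Applications/zoom.us.app/Contents/Info.plist"
MRT_PLIST="/System/Library/CoreServices/MRT.app/Contents/Info.plist"

# version_ge A B: succeed when dotted version A >= B. Fields are compared as
# decimal numbers in awk, so "0709" is 709 (shell arithmetic reads it as octal).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# assess ZOOM_VERSION MRT_VERSION LISTENING(yes|no): print one status word.
assess() {
    if [ "$3" = "yes" ]; then
        echo "EXPOSED"                 # something still listens on the port
    elif [ -n "$1" ] && version_ge "$1" "$ZOOM_FIXED"; then
        echo "FIXED_BY_ZOOM_UPDATE"
    elif [ -n "$2" ] && version_ge "$2" "$MRT_FIXED"; then
        echo "FIXED_BY_MRT"
    elif [ -z "$1" ]; then
        echo "ZOOM_NOT_FOUND"
    else
        echo "UNPATCHED"
    fi
}

# collect: gather the three facts on a Mac and print the status.
collect() {
    zoom=$(defaults read "$ZOOM_PLIST" CFBundleVersion 2>/dev/null) || zoom=""
    mrt=$(defaults read "$MRT_PLIST" CFBundleShortVersionString 2>/dev/null) || mrt=""
    if lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN >/dev/null 2>&1; then
        listening=yes
    else
        listening=no
    fi
    assess "$zoom" "$mrt" "$listening"
}

# Only query the system on macOS; elsewhere the functions can still be sourced.
if [ "$(uname -s)" = "Darwin" ]; then collect; fi
```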