PT-2020-12650 · Zoom · Zoom Client For Meetings

Bill Marczak · Published 2020-04-03 · Updated 2022-10-14 · CVE-2020-11500

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Zoom Client for Meetings versions 4.6.9 and earlier; Microsoft Office 365 (affected versions not specified)
Description: The issue concerns the use of AES in ECB mode, which can reveal structural information about encrypted messages. In the case of Zoom Client for Meetings, all participants in a meeting use a single 128-bit key for video and audio encryption. Similarly, Microsoft Office 365's message encryption uses ECB mode, which could allow an attacker to infer the content of encrypted messages by analyzing patterns in the ciphertext. This problem was previously identified in 2013 and again in 2020. Microsoft is reported to have been aware of the issue since January 2022 but has not yet released a fix, although it is working on adding an alternative encryption protocol to future versions of the product.
Recommendations: For Zoom Client for Meetings versions 4.6.9 and earlier: update to a version that uses a secure mode of operation for AES encryption. For Microsoft Office 365: as a temporary workaround, consider using alternative encryption methods or services until a patch is available. Restrict access to sensitive information sent through Office 365 to minimize the risk of exploitation. At the moment, there is no information about a newer version of Microsoft Office 365 that contains a fix for this vulnerability.
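As an added illustration (not code from Zoom, Microsoft or this advisory), the Go program below encrypts a constructed plaintext made of one repeated 16-byte frame with AES-128 in ECB mode and in CBC mode, then counts repeated ciphertext blocks; the key, IV and frame contents are made-up demo values, and the repeated-block count is the kind of structural pattern the description refers to.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// encrypt encrypts whole AES blocks. iv == nil selects ECB: each block goes through the cipher
// on its own, so equal plaintext blocks give equal ciphertext blocks. A 16-byte iv selects CBC:
// each block is XORed with the previous ciphertext block (the IV for the first) before encryption.
func encrypt(key, iv, plaintext []byte) ([]byte, error) {
	bs := aes.BlockSize // 16 bytes
	if len(plaintext)%bs != 0 || (iv != nil && len(iv) != bs) {
		return nil, fmt.Errorf("plaintext must be whole %d-byte blocks and iv must be %d bytes", bs, bs)
	}
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	out, buf, prev := make([]byte, len(plaintext)), make([]byte, bs), iv
	for i := 0; i < len(plaintext); i += bs {
		copy(buf, plaintext[i:i+bs])
		for j := range prev { // loops zero times in ECB mode, where prev is empty
			buf[j] ^= prev[j]
		}
		block.Encrypt(out[i:i+bs], buf)
		prev = out[i : i+bs][:len(prev)] // CBC: chain this block on; ECB: stays empty
	}
	return out, nil
}

// duplicateBlocks counts 16-byte ciphertext blocks that repeat an earlier one (the ECB tell).
func duplicateBlocks(ciphertext []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		seen[string(ciphertext[i:i+aes.BlockSize])] = true
	}
	return len(ciphertext)/aes.BlockSize - len(seen)
}

// demo encrypts a constructed plaintext (one 16-byte frame repeated four times, standing in for
// a static media frame sent over and over) under made-up key and IV values in both modes.
func demo() (ecbRepeats, cbcRepeats int) {
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210") // real IVs: fresh per message
	frames := bytes.Repeat([]byte("SILENT-FRAME-00!"), 4)
	ecb, _ := encrypt(key, nil, frames)
	cbc, _ := encrypt(key, iv, frames)
	return duplicateBlocks(ecb), duplicateBlocks(cbc) // 3, 0
}
```

The same counting check can be run over captured ciphertext as a cheap detection for ECB use in a protocol under review: a nonzero repeated-block count on varied traffic is a strong signal.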

Weakness Enumeration: Use of a Broken Cryptographic Algorithm

Related Identifiers: CVE-2020-11500

Affected Products: Office 365, Zoom Client For Meetings, Zoom