CVE-2020-11443 Overview
CVE-2020-11443 is a symlink attack vulnerability affecting the Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to version 4.6.10. The installer deletes files located in %APPDATA%\Zoom before installing an updated version of the client. Since standard users have write access to this directory, they can create symbolic links pointing to other directories on the system. Because the installer runs with SYSTEM privileges and follows these symbolic links, a malicious user can leverage this behavior to delete arbitrary files that would otherwise be protected from deletion.
Critical Impact
A low-privileged local user can exploit this vulnerability to delete arbitrary system files with SYSTEM privileges, potentially causing denial of service or integrity violations on the affected system.
Affected Products
- Zoom IT Installer for Windows prior to version 4.6.10
- ZoomInstallerFull.msi (Windows installer package)
- Systems running Windows with Zoom IT Installer deployed
Discovery Timeline
- 2020-05-04 - CVE-2020-11443 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-11443
Vulnerability Analysis
This vulnerability falls under CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack or link following vulnerability. The core issue lies in how the Zoom IT installer handles file cleanup operations during the update process.
When the installer executes, it performs a cleanup operation by deleting files in the %APPDATA%\Zoom directory. This directory is user-writable by design, which means any standard user can manipulate its contents. The critical flaw is that the installer, running with elevated SYSTEM privileges, does not properly validate whether the paths it's about to delete are legitimate files or symbolic links pointing elsewhere on the filesystem.
An attacker can exploit this by replacing files or directories in %APPDATA%\Zoom with junction points or symbolic links that redirect to sensitive system directories or files. When the installer attempts to delete what it believes are Zoom application files, it actually deletes the targets of these symbolic links—potentially critical system files, configuration data, or security-related components.
Root Cause
The root cause is insufficient validation of file paths before deletion operations. The Zoom installer fails to check whether the paths within %APPDATA%\Zoom are symbolic links or junction points before following them. This allows a TOCTOU (Time-of-Check-Time-of-Use) race condition where a user can set up malicious links after the installer begins but before it performs the deletion operation. The elevated privilege context (SYSTEM) amplifies the impact, as the installer can delete files that would normally be protected from standard user access.
Attack Vector
The attack vector requires local access with standard user privileges. An attacker can exploit this vulnerability by performing the following steps:
- Create symbolic links or junction points within the %APPDATA%\Zoom directory pointing to target files or directories they wish to delete
- Trigger the Zoom IT installer to run an update operation (or wait for a scheduled update)
- The installer, running as SYSTEM, follows the symbolic links and deletes the targeted files
This vulnerability is classified as requiring network-based delivery of the initial attack vector, with low attack complexity and requiring low privileges. The impact includes high integrity and availability damage, as critical system files can be deleted, potentially rendering the system unstable or compromised.
Detection Methods for CVE-2020-11443
Indicators of Compromise
- Unexpected symbolic links or junction points appearing in %APPDATA%\Zoom directories
- Missing or deleted system files following Zoom installer execution
- File system audit logs showing SYSTEM-level deletions originating from msiexec.exe or Zoom installer processes
- Abnormal junction point creation events in user-writable directories
Detection Strategies
- Monitor for symbolic link or junction point creation in %APPDATA%\Zoom using file system auditing
- Deploy endpoint detection rules to alert on msiexec.exe following symbolic links during Zoom installation processes
- Implement integrity monitoring on critical system files to detect unexpected deletions
- Use SentinelOne's behavioral AI to detect privilege escalation patterns associated with symlink attacks
Monitoring Recommendations
- Enable Windows file system auditing for junction point and symbolic link creation events in user directories
- Configure SIEM alerts for anomalous file deletion patterns involving SYSTEM privileges in user-writable paths
- Monitor Zoom installer activity and correlate with file system changes in sensitive directories
- Leverage SentinelOne's Storyline technology to trace file deletion operations back to their originating processes
How to Mitigate CVE-2020-11443
Immediate Actions Required
- Update Zoom IT Installer to version 4.6.10 or later immediately
- Audit existing Zoom installations to ensure they are running patched versions
- Review file system integrity on systems where vulnerable versions were deployed
- Temporarily restrict Zoom auto-update functionality until patches are applied
Patch Information
Zoom has addressed this vulnerability in version 4.6.10 and later of the Zoom IT Installer for Windows. Organizations should update to the latest version as soon as possible. For detailed patch information, refer to the Zoom Security Advisory for CVE-2020-11443 and the Zoom Windows Update Announcement.
Workarounds
- Restrict standard user permissions on the %APPDATA%\Zoom directory to prevent symbolic link creation
- Deploy application whitelisting to prevent unauthorized modifications to Zoom directories prior to installation
- Use Group Policy to disable the creation of symbolic links by standard users where feasible
- Consider deploying Zoom updates through a controlled enterprise deployment mechanism rather than auto-update
# Configuration example: Restrict symbolic link creation via Group Policy
# Navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
# Modify "Create symbolic links" to remove standard users from the allowed list
# This can be applied via Local Security Policy or Group Policy Object (GPO)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
