Zoom Patches Multiple Vulnerabilities
Flaws Enable Attackers to Intercept Data, Attack Customer Infrastructure
Cloud video conferencing provider Zoom has released patches for multiple vulnerabilities in its product that could have allowed criminals to intercept data from meetings and attack customer infrastructure.
The now patched vulnerabilities could have enabled attackers to obtain server access with maximum privileges and navigate further on the company’s network, as well as compromise the Zoom software’s functionality - making it impossible for victims to hold conferences.
In a Thursday security bulletin, Zoom released multiple patches for its products. The most serious flaw, rated high with a CVSS score of 7.9, was in the network proxy page of the web portal for products such as Zoom On-Premise Meeting Connector Controller, Zoom On-Premise Meeting Connector MMR, Zoom On-Premise Recording Connector, Zoom On-Premise Virtual Room Connector and Zoom On-Premise Virtual Room Connector Load Balancer.
The vulnerability, tracked as CVE-2021-34417, fails to validate input sent in requests to set the network proxy password, which could lead to a remote command injection by a web portal administrator.
The second vulnerability, tracked as CVE-2021-34422, is rated high with a CVSS score of 7.2 and affects the Keybase Client for Windows, which contains a path traversal vulnerability in its check of the name of a file uploaded to a team folder.
"A malicious user could upload a file to a shared folder with a specially crafted file name which could allow a user to execute an application which was not intended on their host machine. If a malicious user leveraged this issue with the public folder sharing feature of the Keybase client, this could lead to remote code execution," Zoom states.
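As an added illustration of the bug class behind CVE-2021-34422 (constructed here, not Keybase's or Zoom's code; the client's actual check is not described on this page), a defensive check on an uploaded file name, with a resolved-path containment test as a second layer:

```python
import os

# Constructed example of a safe upload-name check; not Keybase's or Zoom's code.
MAX_NAME_LEN = 255

def is_safe_upload_name(name: str) -> bool:
    """Accept only a single, plain path component for a file dropped into a team folder."""
    if not name or len(name) > MAX_NAME_LEN:
        return False
    if name in (".", ".."):
        return False
    # Separators, NUL and drive/UNC-style prefixes must never appear in a bare file name.
    if any(ch in name for ch in "/\\\0:"):
        return False
    return True

def resolve_in_team_folder(team_root: str, name: str) -> str:
    """Return the absolute destination for `name`, refusing anything outside team_root."""
    if not is_safe_upload_name(name):
        raise ValueError(f"rejected upload name: {name!r}")
    root = os.path.realpath(team_root)
    dest = os.path.realpath(os.path.join(root, name))
    # Second layer: even a name that passed the check must resolve inside the team folder.
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("destination escapes team folder")
    return dest

def upload_allowed(team_root: str, name: str) -> bool:
    """Boolean wrapper for callers that log and drop bad uploads instead of raising."""
    try:
        resolve_in_team_folder(team_root, name)
        return True
    except ValueError:
        return False
```

The name check and the containment check are deliberately independent: a bug in one (for example, a platform that treats a character the check did not anticipate as a separator) is still caught by the other.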
Another significant patch issued was for a Zoom Windows installation executable signature bypass flaw, which is rated as medium and has a CVSS score of 4.7.
The vulnerability, tracked as CVE-2021-34420, affects all Zoom Client for Meetings for Windows before version 5.5.4.
"The Zoom Client for Meetings for Windows installer does not verify the signature of files with .msi, .ps1, and .bat extensions, which could lead to a threat actor installing malicious software on a victim’s computer," Zoom notes.
Another patch issued by Zoom addresses a pre-authentication NULL pointer crash in the on-premise web console, tracked as CVE-2021-34418 and rated medium with a CVSS score of 4.0.
"The login service of the web console for the products Zoom On-Premise Meeting Connector Controller, Zoom On-Premise Meeting Connector MMR, Zoom On-Premise Recording Connector, Zoom On-Premise Virtual Room Connector and Zoom On-Premise Virtual Room Connector Load Balancer, fails to validate that a NULL byte was sent while authenticating, which could lead to a crash of the login service," Zoom notes.
The vulnerability tracked as CVE-2021-34419, with a CVSS score of 3.7, affects Zoom Client for Meetings for Ubuntu Linux before version 5.1.0.
"There is an HTML injection flaw when sending a remote control request to a user in the process of in-meeting screen sharing. This could allow meeting participants to be targeted for social engineering attacks," Zoom notes.
One of the lowest-rated vulnerabilities patched, tracked as CVE-2021-34421, has a CVSS score of 3.7 and affects the Keybase clients for Android and iOS before version 5.8.0.
The Keybase Client for Android and iOS fails to remove exploded messages initiated by a user if the receiving user places the chat session in the background while the sending user explodes the messages, which could lead to disclosure of sensitive information that was meant to be deleted from the customer’s device.
Positive Technologies says it has identified several critical vulnerabilities - now patched - in Zoom's local solutions for conferences, negotiations and recordings—Zoom Meeting Connector Controller, Zoom Virtual Room Connector, Zoom Recording Connector and others.
The errors were identified by Egor Dimitrenko, a researcher at Positive Technologies, who says that the vulnerabilities made it possible for attackers to enter commands to execute an attack and thereby obtain server access with maximum privileges.
"The users of the software in question, distributed under the on-premise model, are generally large companies that deploy these solutions in their networks to prevent data leaks," the researchers note. "The malicious injections were possible thanks to the CVE-2021-34414 vulnerability (which has a CVSS score of 7.2). The issue has been reported in Zoom on-premise apps such as Meeting Connector Controller up to version 4.6, Meeting Connector MMR up to version 4.6, Recording Connector up to version 3.8, Virtual Room Connector up to version 4.4, and Virtual Room Connector Load Balancer prior to version 2.5."
Another vulnerability found by the researchers at Positive Technologies is tracked as CVE-2021-34415, with a CVSS 3.0 score of 7.5, which could lead to a system crash. The error was reported by another Positive Technologies researcher, Nikita Abramov, in the Zoom On-Premise Meeting Connector Controller app, and the problem was rectified in version 4.6.
Upon exploiting this vulnerability, an attacker could compromise the software’s functionality, making it impossible for the affected organization to hold Zoom conferences.
Dimitrenko says the main reason such vulnerabilities arise is a lack of sufficient verification of user data.
"You can often encounter vulnerabilities of this class in apps to which server administration tasks have been delegated. This vulnerability always leads to critical consequences and, in most instances, it results in intruders gaining full control over the corporate network infrastructure," Dimitrenko notes.
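The input-validation failure described for CVE-2021-34417 (the request that sets the network proxy password) and the bug class Dimitrenko describes above, shown as an added example with the vulnerable pattern beside a hardened form. This is a constructed illustration, not Zoom's code; `proxyctl` is a hypothetical admin tool and `echo` stands in for it so the example runs offline:

```python
import re
import subprocess

# Constructed illustration of the bug class; 'proxyctl' is a hypothetical admin tool.
MAX_PASSWORD_LEN = 128
SHELL_METACHARS = re.compile(r"[;&|`$<>\n\r\\'\"]")

def build_command_unsafe(password: str) -> str:
    """Vulnerable pattern: request input interpolated into a line that a shell will parse."""
    return f"proxyctl set-password '{password}'"

def is_valid_proxy_password(value: str) -> bool:
    """Server-side check on the request field: bounded length, printable, no shell metacharacters."""
    if not 1 <= len(value) <= MAX_PASSWORD_LEN:
        return False
    if not value.isprintable():
        return False
    return SHELL_METACHARS.search(value) is None

def build_command_safe(password: str) -> list:
    """Hardened pattern: validate, then pass the value as one argv element and never invoke a shell."""
    if not is_valid_proxy_password(password):
        raise ValueError("proxy password rejected by validation")
    return ["proxyctl", "set-password", password]

def apply_proxy_password(password: str, tool: str = "echo") -> str:
    """Run the hardened command without shell=True; 'echo' stands in for proxyctl offline."""
    argv = build_command_safe(password)
    argv[0] = tool
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()
```

Because the argv form never reaches a shell, the metacharacter filter is defense in depth rather than the fix itself; the fix is that user-controlled input is never concatenated into a command line.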