2 Zero-Day Bugs Attack Zoom Clients and MMR Servers
Two zero-day bugs in the clients and Multimedia Router (MMR) servers of Zoom, a video calling service, have recently been thoroughly analyzed by security experts.
These vulnerabilities could expose arbitrary areas of the product’s memory to attackers, crash the service or application, or allow arbitrary code to run. Zoom patched these vulnerabilities on November 24, 2021, and Barracuda MSP advises updating your Zoom client to the most recent version to reduce your risk of a cyberattack.
What is a “Zero-Day”?
The phrase “zero-day” refers to newly discovered security vulnerabilities that hackers can exploit to attack systems. Because the vendor or developer has only just become aware of the vulnerability, they have had “zero days” to correct it, hence the term “zero-day.” When hackers take advantage of the vulnerability before developers have a chance to fix it, it is known as a zero-day attack. Zero-day is also written as 0-day.
How the zero-day bugs were discovered
Zoom, a well-known video conferencing program, had two previously unknown security vulnerabilities that, if exploited, could have crashed the service, executed malicious code, or even leaked arbitrary portions of its memory. These bugs were discovered through an analysis of Zoom’s zero-click attack surface.
Both Zoom clients and Multimedia Router (MMR) servers, which transmit audio and video content between clients in on-premise deployments, were affected by the two bugs, according to Natalie Silvanovich of Google Project Zero, who found and reported them last year.
The vulnerabilities have since been addressed by Zoom as part of updates shipped on November 24, 2021.
A zero-click attack seeks to silently take over the target user’s device without requesting any user input, such as clicking on a link.
The two vulnerabilities identified by Project Zero are as follows —
- CVE-2021-34423 (CVSS score: 9.8) – A buffer overflow vulnerability that can be leveraged to crash the service or application, or execute arbitrary code.
- CVE-2021-34424 (CVSS score: 7.5) – A process memory exposure flaw that could be used to potentially gain insight into arbitrary areas of the product’s memory.
What is the Significance?
By analyzing the RTP (Real-time Transport Protocol) traffic used to deliver audio and video over IP networks, Silvanovich discovered that sending a malicious chat message makes it possible to manipulate the contents of a buffer that supports reading different data types, resulting in the client and the MMR server crashing.
Additionally, when entering a Zoom meeting through a web browser, it was possible to leak data from memory due to the absence of a NULL check (the NULL character is used to determine the end of a string).
The researcher also attributed the memory corruption flaw to the fact that Zoom failed to enable ASLR, aka address space layout randomization, a security mechanism designed to increase the difficulty of performing buffer overflow attacks.
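Whether ASLR can randomize a program's main image depends on how the binary was built, and a defender can check that from the file header. The following is an added example, not code from Zoom or Project Zero: it assumes ELF binaries on a Linux host, and the function names and sample headers are constructed for illustration.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3  # e_type values defined by the ELF specification

def aslr_status(header: bytes) -> str:
    """Classify an ELF image by whether its load address can be randomized."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        return "not-elf"
    # e_ident[EI_DATA] at offset 5: 1 = little-endian, 2 = big-endian
    endian = {1: "<", 2: ">"}.get(header[5])
    if endian is None:
        return "not-elf"
    # e_type is a 16-bit field at offset 16 in both ELF32 and ELF64
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    if e_type == ET_EXEC:
        return "fixed-address"  # non-PIE: main image always loads at the same base
    if e_type == ET_DYN:
        # PIE or shared object: randomized only if kernel ASLR is also enabled
        return "relocatable"
    return "other"

def audit(paths):
    """Return {path: status}; files that cannot be read are reported as such."""
    results = {}
    for path in paths:
        try:
            with open(path, "rb") as f:
                results[path] = aslr_status(f.read(18))
        except OSError:
            results[path] = "unreadable"
    return results

def make_header(e_type, ei_data=1, ei_class=2):
    """Build a constructed 18-byte ELF header prefix for offline testing."""
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + bytes(8)
    return ident + struct.pack(("<" if ei_data == 1 else ">") + "H", e_type)

if __name__ == "__main__":
    for path, status in audit(sys.argv[1:]).items():
        print(f"{status:14} {path}")
```

A result of `fixed-address` for a network-facing service binary is the condition to flag for rebuild or vendor follow-up.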
What is the Risk of Zero-Day Bugs?
“The lack of ASLR in the Zoom MMR process greatly increased the risk that an attacker could compromise it,” Silvanovich said. “ASLR is arguably the most important mitigation in preventing exploitation of memory corruption, and most other mitigations rely on it on some level to be effective. There is no good reason for it to be disabled in the vast majority of software.”
While most video conferencing systems use open-source libraries such as WebRTC or PJSIP for implementing multimedia communications, Project Zero called out Zoom’s use of proprietary formats and protocols as well as its high licensing fees (nearly $1,500) as barriers to security research.
According to Zoom, over half a million businesses globally use Zoom for “critical communications,” and any company that has not patched its Zoom client or MMR server risks exposure of its vulnerable data. Moreover, Project Zero noted that because Zoom allows customers to set up their own servers, users that don’t provide their servers with regular updates or protection through encryption or other security measures could risk facing arbitrary code execution and exfiltration of critical information shared over video calls.
Recommendation and Possible Solution
Zoom could do more to make their platform available to security researchers and other people who want to assess it, according to Silvanovich, who noted that closed-source software poses special security challenges. It is unclear whether support is accessible to other researchers, and licensing the software was still expensive, despite the Zoom Security Team’s assistance in gaining access to and configuring server software.