Two zero-click flaws have been discovered in Zoom, a video conferencing app. They could allow attackers to crash the service, execute arbitrary code, and leak sensitive information.
Google Project Zero’s Natalie Silvanovich revealed two security issues last year saying they have affected the deployment of video and audio content in on-premise environments and impacted both Zoom clients and Multimedia Router (MMR) servers.
The issues were addressed by the company as part of updates that were released on November 24, 2021.
A zero-click attack is designed to silently gain control of a device without requiring the user to interact with it. While the exact details of an exploit may vary, one key trait of a zero-click attack is its leaving no traces and thus the ability to evade detection.
The two flaws identified by Project Zero are:
CVE-2021-34423 (CVSS score: 9.8) – a buffer overflow vulnerability leading to a crash of the service or application, or execution of arbitrary code.
CVE-2021-34424 (CVSS score: 7.5) – a process memory exposure flaw that allowed reading arbitrary areas of the product’s memory.
Silvanovich discovered that it’s possible to modify the contents of a buffer by sending a malformed chat message, which could cause the server and client to crash.
Due to the lack of a NULL check, the bug could also be exploited to access the memory of a device by joining a meeting via a web browser.
The issue was caused by the vendor’s failure to implement an address space layout randomization (ASLR) security mechanism against buffer overflow attacks.
“The lack of ASLR in the Zoom MMR process greatly increased the risk that an attacker could compromise it,” Silvanovich said. “ASLR is arguably the most important mitigation in preventing exploitation of memory corruption, and most other mitigations rely on it on some level to be effective. There is no good reason for it to be disabled in the vast majority of software.”
Project Zero criticized the vendor’s use of proprietary formats and protocols, which it claimed were barriers to security research.
“Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it,” Silvanovich said. “While the Zoom Security Team helped me access and configure server software, it is not clear that support is available to other researchers, and licensing the software was still expensive.”