US-sanctioned Positive Technologies has pointed out three vulnerabilities in Zoom that can be exploited to crash or hijack on-prem instances of the videoconferencing system.
One of the trio of bugs is an input validation flaw, which can be abused by a malicious Zoom portal administrator to inject and execute arbitrary commands on the machine hosting the software. We imagine a scenario in which someone in, say, HR is made an admin of the company Zoom installation, and their work PC is hijacked by a miscreant who then exploits this vulnerability to get a foothold on an internal server system, and go exploring from there.
The vulnerability, tracked as CVE-2021-34414, was patched in September.
“You can often encounter vulnerabilities of this class in apps to which server administration tasks have been delegated,” Positive Technologies researcher Egor Dimitrenko said of the vuln.
“This vulnerability always leads to critical consequences and, in most instances, it results in intruders gaining full control over the corporate network infrastructure.”
Zoom offers an on-premise option for enterprises and one of its main advantages, said the company in marketing literature, is that meeting traffic (but not user metadata) stays within the host org’s private cloud. Its three components are the On-Premise Meeting Connector, Virtual Room Connector, and Recording Connector.
Dimitrenko and his Positive Technologies comrades were able, so they said, to exploit improper input validation in the on-prem component of Zoom to obtain server-level access. Two related holes, CVE-2021-34415 and CVE-2021-34416, could be exploited to crash Zoom.
The vulns affected:
- Zoom on-premise Meeting Connector Controller before version 4.6.348.20201217
- Zoom on-premise Meeting Connector MMR before version 4.6.348.20201217
- Zoom on-premise Recording Connector before version 188.8.131.5200905
- Zoom on-premise Virtual Room Connector before version 4.4.6620.20201110
- Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326
If your org has an on-prem Zoom deployment, now is a good time to check its update status.
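One way to do that check, as an added example that is not from the article or from Zoom: the fixed versions are the ones listed above, the component names and the sample inventory are constructed, and components are compared numerically per dotted field rather than as strings.

```python
"""Audit installed Zoom on-premise component versions against the first
fixed build listed in the article. Component names are shortened here and
the sample inventory is constructed, not real deployment data."""
from typing import Dict, Tuple

# First fixed version per component, as listed in the article.
FIXED_VERSIONS: Dict[str, str] = {
    "Meeting Connector Controller": "4.6.348.20201217",
    "Meeting Connector MMR": "4.6.348.20201217",
    "Recording Connector": "188.8.131.5200905",
    "Virtual Room Connector": "4.4.6620.20201110",
    "Virtual Room Connector Load Balancer": "2.5.5495.20210326",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integer fields so comparison is numeric
    per field (string comparison would rank "4.4.700" above "4.4.6620")."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(component: str, installed: str) -> bool:
    """True when the installed build is older than the first fixed build.
    An unknown component name raises rather than being reported as safe."""
    fixed = FIXED_VERSIONS[component]
    return parse_version(installed) < parse_version(fixed)


def audit(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each inventoried component to whether it still needs the patch."""
    return {name: is_vulnerable(name, ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: one patched, one behind, one at the fix.
    sample = {
        "Meeting Connector Controller": "4.6.348.20201217",
        "Meeting Connector MMR": "4.6.300.20201001",
        "Virtual Room Connector Load Balancer": "2.5.5495.20210326",
    }
    for name, needs_patch in audit(sample).items():
        print(f"{name}: {'UPDATE NEEDED' if needs_patch else 'ok'}")
```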
Zoom spokesman Matt Nagel told The Register: “Zoom takes the security of its platform very seriously, and has addressed these issues. We recommend users stay up to date with the latest version of Zoom to take advantage of our newest features and security updates.”
And about the reporting entity
Positive Technologies is a Russian infosec company that was repeatedly targeted by the US government for sanctions this year. In April the firm was accused of helping recruit people into Russian state hacking agencies, while earlier this month Positive joined Israeli spyware vendor NSO Group on the US State Department’s Entity List, a naughty step for firms banned from conducting financial transactions with American companies.
This doesn’t appear to have slowed the outfit’s enthusiasm for security research: when the sanctions were initially slapped on it, Positive described them as “groundless accusations,” making comparisons with US attitudes to Chinese tech vendor Huawei.
In October Positive did the world a genuine favor by revealing a vulnerability in ancient shareware file compression utility WinRAR, still used today by those who rely on the .rar format. ®