Threat Update
Recently, security researchers have reported an in-depth analysis of two zero-day vulnerabilities in the video calling service Zoom’s clients and Multimedia Router (MMR) servers. These vulnerabilities could allow attackers to execute arbitrary code, crash your service and application, or get insights into arbitrary areas of your product’s memory. Zoom has addressed these vulnerabilities in a security update on November 24, 2021, and FinGarde recommends updating your Zoom app to the latest version to mitigate your cyber risk.
Technical Detail & Additional Information
WHAT IS THE THREAT?
In an exploration of zero-click attack surfaces, Google Project Zero uncovered two flaws (with associated CVEs, listed below). Zero-click attacks allow attackers to control a target's device without any user-initiated action (such as opening a link or a malicious executable) and are notoriously difficult to detect because they leave few traces of malicious activity.
- CVE-2021-34423 (CVSS score: 9.8) – A buffer overflow vulnerability that malicious actors can use to crash the service or application or execute arbitrary code.
- CVE-2021-34424 (CVSS score: 7.5) – A process memory exposure flaw that threat actors could have used to potentially gain insight into arbitrary areas of the product’s memory.
WHY IS IT NOTEWORTHY?
These zero-click vulnerabilities represent a significant risk to any company that has not patched its Zoom software. In its report, Google Project Zero raised several concerns about the vulnerabilities in Zoom's MMR server, because attackers who successfully exploit them could monitor the Zoom meetings of organizations that do not use end-to-end encryption. Zoom has enabled mitigations such as ASLR to reduce the risk, but it must also continue to improve its MMR code to prevent future bypasses, and all users should enable end-to-end encryption to prevent exfiltration of critical information shared over video calls.
WHAT IS THE EXPOSURE OR RISK?
According to Zoom reports, over half a million businesses globally use Zoom for "critical communications," and any company that has not patched its Zoom client or MMR server risks exposure of sensitive data. Moreover, Project Zero noted that because Zoom allows customers to run their own servers, customers who do not apply regular updates to those servers, or protect them with encryption and other security controls, risk arbitrary code execution and exfiltration of critical information shared over video calls.
WHAT ARE THE RECOMMENDATIONS?
Because Zoom has already released updates to address these issues, Barracuda MSP recommends that you update your Zoom app and MMR servers immediately to mitigate your cyber risk.
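Confirming that the update actually landed across a fleet is the practical part of this recommendation, and the usual mistake is comparing version strings lexicographically (as strings, "5.10.0" sorts before "5.8.4"). The script below is an added example, not part of this advisory or Zoom's tooling: it parses dotted Zoom client version strings (Zoom reports versions in the form "major.minor.patch (build)"), compares them numerically against a minimum patched version, and lists hosts that still need the update. The host inventory is constructed, and MIN_PATCHED_VERSION is a placeholder that you must replace with the fixed version named in Zoom's security bulletin for these CVEs.

```python
"""Report Zoom clients below a patched baseline (added example, not Zoom's code)."""
import re

# Placeholder, assumed for illustration: take the real fixed version from
# Zoom's security bulletin for CVE-2021-34423 / CVE-2021-34424.
MIN_PATCHED_VERSION = "5.8.4"

# Constructed inventory: hostname -> version string as the Zoom client reports it.
SAMPLE_INVENTORY = {
    "laptop-01": "5.10.0 (4751)",
    "laptop-02": "5.7.6 (1081)",
    "desktop-03": "5.8.4 (1736)",
}

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '5.10.0 (4751)' into (5, 10, 0) so tuples compare numerically.

    Trailing build numbers in parentheses are ignored; anything that does not
    start with a dotted number is rejected rather than silently treated as old.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unparseable Zoom version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(installed, minimum=MIN_PATCHED_VERSION):
    """True when the installed version is at or above the patched baseline."""
    return parse_version(installed) >= parse_version(minimum)


def find_unpatched(inventory, minimum=MIN_PATCHED_VERSION):
    """Return the sorted list of hosts whose client is below the baseline."""
    return sorted(host for host, version in inventory.items()
                  if not is_patched(version, minimum))


if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: Zoom {SAMPLE_INVENTORY[host]} is below {MIN_PATCHED_VERSION}")
```

Feed `find_unpatched` a real inventory (for example, versions collected by your endpoint management tool) and treat any host it returns as unpatched; a version string the parser rejects should be investigated rather than assumed compliant.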
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-34423
- https://nvd.nist.gov/vuln/detail/CVE-2021-34424
- https://googleprojectzero.blogspot.com/2022/01/zooming-in-on-zero-click-exploits.html
- https://explore.zoom.us/en/trust/security/security-bulletin/
- https://blog.zoom.us/how-the-world-connects/
- https://thehackernews.com/2022/01/google-details-two-zero-day-bugs.html
If you have any questions, please contact us.
