Zero-Day Bugs Found in Zoom Clients and Multimedia Router Servers
Introduction
Google researchers have found vulnerabilities in the Zoom video conferencing software. These vulnerabilities can be exploited to crash the service, execute malicious code, and even leak arbitrary areas of its memory. The researcher (Natalie Silvanovich of Google Project Zero) discovered two flaws, CVE-2021-34423 and CVE-2021-34424. The researcher attributed the exploitability of the memory corruption flaw to the fact that Zoom failed to enable ASLR (address space layout randomization), a security mechanism that protects against memory corruption attacks.
This issue impacted the Zoom clients and the multimedia router (MMR) servers, which transmit audio and video content between clients in on-premise deployments. They are two distinct bugs: a buffer overflow that affected both Zoom clients and Zoom multimedia routers (MMRs), and an information leak in the MMR servers.
Source: https://explore.zoom.us/en/trust/security/security-bulletin/
Cause of the Flaw
The cause of the flaw for the bugs is described below:
1. CVE-2021-34423: Buffer Overflow when Processing Chat Messages
The Zoom client uses a method to deserialize incoming chat messages from msg_db_t instances during video calls. This method calls a stream read method that reads a string into a pre-allocated buffer. However, the string read does not check the length of that buffer, which is allocated based on a separate length read out of the msg_db_t instance. This means that when an attacker sends a malformed chat message, they can overflow the allocated buffer, controlling the overflow contents, the length of the overflow, and the allocation size.
Note that there are several calls that read strings in the Zoom client. They are all vulnerable, and all of them must be fixed to resolve this problem. This issue affects Zoom's MMR servers as well, as the Zoom Meeting Connector's MMR appears to deserialize the send message request type in some situations relating to webinar chats.
This attack was possible because ASLR was absent. ASLR is the most important mitigation for preventing exploitation of memory corruption, and most other mitigations rely on it at some level to be effective. ASLR is predicated on the fact that an attacker has only a slim chance of guessing the locations of randomly placed memory regions.
2. CVE-2021-34424: Information Leak in MMR Server
There is a function in the MMR server that retrieves a variant named "username" from an incoming message. It converts the variant's i8 array into a std::string without checking whether the array is null terminated. As a result, the returned string may include data from the server's memory that lies beyond the array.
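The two bug patterns above, a string read governed by one length while the destination buffer is sized from another, and a non-terminated byte array turned into a std::string, are easiest to see in a small parser. The following is an added C++ example written for this summary; it is not Zoom's code, and the three-field wire format (allocation length, string length, payload), the msg_db_t-style helpers and the function names are all constructed for illustration. Each function carries the bounds check whose absence the text describes, so the hardened form is what runs; the comments mark exactly where the vulnerable code lacked a check.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <optional>
#include <string>
#include <vector>

// Constructed wire format (an assumption for this example, not Zoom's msg_db_t layout):
//   u32 alloc_len   - length the receiver uses to size its buffer
//   u32 str_len     - number of string bytes that follow
//   str_len bytes   - string payload, not guaranteed to be NUL-terminated
// All integers are little-endian.
class ByteStream {
public:
    explicit ByteStream(const std::vector<uint8_t>& buf) : buf_(buf) {}

    // Read a u32; fails if the message is truncated.
    bool readU32(uint32_t& out) {
        if (buf_.size() - pos_ < 4) return false;
        out = uint32_t(buf_[pos_]) | uint32_t(buf_[pos_ + 1]) << 8 |
              uint32_t(buf_[pos_ + 2]) << 16 | uint32_t(buf_[pos_ + 3]) << 24;
        pos_ += 4;
        return true;
    }

    // Hand back a pointer to n bytes of payload; fails if fewer remain.
    bool readBytes(size_t n, const uint8_t*& p) {
        if (buf_.size() - pos_ < n) return false;
        p = buf_.data() + pos_;
        pos_ += n;
        return true;
    }

private:
    const std::vector<uint8_t>& buf_;
    size_t pos_ = 0;
};

// Pattern behind CVE-2021-34423: the buffer is allocated from alloc_len, but
// the string copy is driven by str_len, a second attacker-controlled field.
// The vulnerable code skipped the comparison between the two.
std::optional<std::string> readChatString(const std::vector<uint8_t>& msg) {
    ByteStream s(msg);
    uint32_t alloc_len = 0, str_len = 0;
    if (!s.readU32(alloc_len) || !s.readU32(str_len)) return std::nullopt;
    if (str_len > alloc_len) return std::nullopt;       // the missing bounds check
    std::vector<char> buffer(alloc_len);                // pre-allocated from alloc_len
    const uint8_t* payload = nullptr;
    if (!s.readBytes(str_len, payload)) return std::nullopt;  // truncated message
    std::memcpy(buffer.data(), payload, str_len);       // now provably in bounds
    return std::string(buffer.data(), str_len);
}

// Pattern behind CVE-2021-34424: an i8 array from a variant is turned into a
// std::string. Using the NUL-terminated constructor reads until a zero byte
// appears, which may be well past the array. Stopping at the array bound
// keeps the conversion inside the data the message actually carried.
std::string usernameFromVariant(const std::vector<int8_t>& arr) {
    size_t n = 0;
    while (n < arr.size() && arr[n] != 0) ++n;          // NUL or end of array, whichever first
    return std::string(reinterpret_cast<const char*>(arr.data()), n);
}

// Test helpers: build a message in the constructed format, and an i8 array from raw bytes.
std::vector<uint8_t> buildMsg(uint32_t alloc_len, const std::string& payload) {
    std::vector<uint8_t> out;
    auto putU32 = [&](uint32_t v) {
        for (int i = 0; i < 4; ++i) out.push_back(uint8_t(v >> (8 * i)));
    };
    putU32(alloc_len);
    putU32(uint32_t(payload.size()));
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

std::vector<int8_t> i8Array(const std::string& bytes) {
    return std::vector<int8_t>(bytes.begin(), bytes.end());
}

int main() {
    auto ok = readChatString(buildMsg(8, "hello"));
    std::printf("well-formed: %s\n", ok ? ok->c_str() : "rejected");
    auto bad = readChatString(buildMsg(4, "overflow!"));   // str_len 9 > alloc_len 4
    std::printf("oversized string: %s\n", bad ? bad->c_str() : "rejected");
    std::printf("username: %s\n", usernameFromVariant(i8Array(std::string("bob\0XY", 6))).c_str());
    return 0;
}
```

The chat-message check is the one-line comparison between the two length fields; once `str_len <= alloc_len` is enforced, the `memcpy` cannot exceed the buffer regardless of what the sender puts in the message. For the username case, the fix is to pass an explicit length to the std::string constructor instead of relying on a terminator that untrusted input may omit.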
Recommendations:
- Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates.
- The vendor has published updated versions for the affected products; users can check the list of affected versions, and avoid downloading them, via this link: https://explore.zoom.us/en/trust/security/security-bulletin/