Google Details Two Zero-Day Bugs Reported in Zoom Clients and MMR Servers

An exploration of zero-click attack surface for the popular video conferencing solution Zoom has yielded two previously undisclosed security vulnerabilities that could have been exploited to crash the service, execute malicious code, and even leak arbitrary areas of its memory.

Natalie Silvanovich of Google Project Zero, who discovered and reported the two flaws last year, said the issues impacted both Zoom clients and Multimedia Router (MMR) servers, which transmit audio and video content between clients in on-premise deployments.

The weaknesses have since been addressed by Zoom as part of updates shipped on November 24, 2021.

The goal of a zero-click attack is to stealthily gain control over the victim’s device without requiring any kind of interaction from the user, such as clicking on a link.

While the specifics of the exploit will vary depending on the nature of the vulnerability being exploited, a key trait of zero-click attacks is that they leave few or no traces of malicious activity, making them very difficult to detect.

The two flaws identified by Project Zero are as follows —

  • CVE-2021-34423 (CVSS score: 9.8) – A buffer overflow vulnerability that can be leveraged to crash the service or application, or execute arbitrary code.
  • CVE-2021-34424 (CVSS score: 7.5) – A process memory exposure flaw that could be used to potentially gain insight into arbitrary areas of the product’s memory.

By analyzing the RTP (Real-time Transport Protocol) traffic used to deliver audio and video over IP networks, Silvanovich found that it’s possible to manipulate the contents of a buffer that supports reading different data types by sending a malformed chat message, causing the client and the MMR server to crash.

Furthermore, the lack of a NULL check — which is used to determine the end of a string — made it possible to leak data from memory by joining a Zoom meeting via a web browser.
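As an added illustration, not Zoom's code and not a reconstruction of Project Zero's findings, the C sketch below shows the defensive pattern for both bug classes the article names: a typed reader over an incoming message that bounds every read, and a string read that requires its terminating NUL to fall inside the message. The message layout, function names and sample bytes are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not Zoom's code) of the two defect classes the
 * article describes: a typed reader over a received message must bound every
 * read, and a string field must be NUL-terminated inside the message. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } reader_t;

/* Read a big-endian u32; refuse (return 0) when fewer than 4 bytes remain
 * rather than reading past the end of the buffer. */
int reader_u32(reader_t *r, uint32_t *out) {
    if (r->len - r->pos < 4) return 0;
    const uint8_t *p = r->data + r->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    r->pos += 4;
    return 1;
}

/* Read a string that must end with a NUL inside the remaining bytes. Skipping
 * this check is the "missing NULL check" class: later string functions would
 * keep reading into whatever memory follows the message. */
int reader_cstring(reader_t *r, const char **out) {
    const uint8_t *start = r->data + r->pos;
    const uint8_t *nul = memchr(start, '\0', r->len - r->pos);
    if (nul == NULL) return 0;
    *out = (const char *)start;
    r->pos += (size_t)(nul - start) + 1;
    return 1;
}

/* Parse a constructed chat message: u32 sender id, then NUL-terminated text.
 * Returns 1 on success, 0 when the message is truncated or unterminated. */
int parse_chat(const uint8_t *msg, size_t len, uint32_t *sender, const char **text) {
    reader_t r = { msg, len, 0 };
    return reader_u32(&r, sender) && reader_cstring(&r, text);
}

int main(void) {
    static const uint8_t good[] = { 0, 0, 0, 42, 'h', 'i', 0 };        /* constructed */
    static const uint8_t bad[]  = { 0, 0, 0, 1, 'h', 'i' };            /* no NUL */
    uint32_t s; const char *t;
    printf("good: %d\n", parse_chat(good, sizeof good, &s, &t));         /* prints 1 */
    printf("unterminated: %d\n", parse_chat(bad, sizeof bad, &s, &t));   /* prints 0 */
    return 0;
}
```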
