Zoom has recently patched multiple security vulnerabilities affecting a range of its on-premise apps. Exploiting the bugs could risk the privacy of Zoom Meetings and expose users’ information.
Vulnerabilities In Zoom Apps
Positive Technologies has shared a detailed advisory highlighting numerous vulnerabilities affecting Zoom apps.
Specifically, the vulnerabilities existed in the Zoom on-premise solutions for business users. These include Zoom Meeting Connector Controller, Zoom Recording Connector, Zoom Virtual Room Connector, and more.
Exploiting these vulnerabilities would allow access to the server with elevated privileges, inject malicious commands, and spy on Meetings.
The researchers have detailed three vulnerabilities. The first, CVE-2021-34414, affected numerous Zoom on-premise apps.
Zoom described it as a medium-severity flaw (CVSS 7.2) allowing remote command injection because of missing input validation in requests sent to update the network proxy configuration.
The second vulnerability (CVE-2021-34415) affected only the Zoom On-Premise Meeting Connector Controller. This high-severity flaw (CVSS 7.5) could lead to resource exhaustion and a system crash.
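The flaw class named here, command injection through an unvalidated value in a proxy-configuration update, is worth seeing in code. The following Python is an added, constructed illustration and is not Zoom's code, nor taken from the advisory: `build_unsafe_command` shows the vulnerable pattern (interpolating the submitted value into a shell command line), and `parse_proxy`/`build_safe_command` show the hardened form, which accepts only a strict `host:port` grammar and builds an argument vector that is never handed to a shell. The `proxy-tool` command name and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed example of the command-injection class described in the article.
# Nothing here is Zoom's code; "proxy-tool" and the function names are hypothetical.

# One RFC 1123-style hostname: labels of letters, digits and hyphens, 253 chars max.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def build_unsafe_command(proxy: str) -> str:
    """Vulnerable pattern: the request value is spliced into a shell command string.
    If this string were run with a shell, any metacharacters in `proxy`
    (';', '&&', '$(...)') would be interpreted as additional commands."""
    return f"proxy-tool set-proxy {proxy}"


def parse_proxy(proxy: str) -> tuple[str, int]:
    """Hardened pattern: accept only 'host:port' where host is a DNS name,
    an IPv4 literal or a bracketed IPv6 literal, and port is 1-65535.
    Anything else raises ValueError, so metacharacters can never reach a command."""
    if not isinstance(proxy, str) or len(proxy) > 300:
        raise ValueError("proxy value missing, not a string, or too long")
    host, sep, port_s = proxy.rpartition(":")
    if not sep or not host or not (port_s.isascii() and port_s.isdigit()):
        raise ValueError("expected host:port with a numeric port")
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
        ipaddress.IPv6Address(host)          # raises ValueError if not IPv6
    else:
        try:
            ipaddress.IPv4Address(host)      # bare IPv4 literal
        except ValueError:
            if not _HOSTNAME_RE.match(host): # otherwise must be a DNS name
                raise ValueError("invalid hostname") from None
    return host, port


def is_valid_proxy(proxy: str) -> bool:
    """Boolean wrapper around parse_proxy for request handlers and tests."""
    try:
        parse_proxy(proxy)
        return True
    except ValueError:
        return False


def build_safe_command(proxy: str) -> list[str]:
    """Hardened pattern: validated fields become separate argv entries.
    Run with subprocess.run(argv) (shell=False) so no shell ever parses them."""
    host, port = parse_proxy(proxy)
    return ["proxy-tool", "set-proxy", "--host", host, "--port", str(port)]


if __name__ == "__main__":
    # Constructed inputs: one legitimate, one carrying shell metacharacters.
    for value in ["proxy.example.com:3128", "proxy.example.com:3128 && echo injected"]:
        print("unsafe command line:", build_unsafe_command(value))
        print("valid under strict grammar:", is_valid_proxy(value))
```

The defensive point is the combination: a positive grammar check (what a proxy endpoint may look like) rather than a blacklist of dangerous characters, and an argument vector instead of a command string, so that even a validation gap would not give the value a shell to talk to.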
Describing the impact of this bug, Positive Technologies stated,
As a result of exploiting this vulnerability, intruders could compromise the software’s functionality, creating a situation in which holding Zoom conferences would have been impossible.
The third vulnerability (CVE-2021-34416) also affected multiple Zoom apps and likewise allowed remote command injection.
Commenting on the impact of such vulnerabilities when exploited for spying, PT’s Egor Dimitrenko said,
You can often encounter vulnerabilities of this class in apps to which server administration tasks have been delegated. This vulnerability always leads to critical consequences and, in most instances, it results in intruders gaining full control over the corporate network infrastructure.
Zoom has confirmed fixing all three vulnerabilities in its security bulletin. Alongside these, Zoom has also fixed other vulnerabilities affecting the Zoom and Keybase clients.