Two vulnerabilities recently disclosed to Zoom could have led to remote exploitation in clients and MMR servers, researchers say.
On Tuesday, Project Zero researcher Natalie Silvanovich published an analysis of the security flaws, the results of an investigation inspired by a zero-click attack against the videoconferencing tool demonstrated at Pwn2Own.
“In the past, I hadn’t prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user,” the researcher explained. “That said, it’s likely not that difficult for a dedicated attacker to convince a target to join a Zoom call even if it takes multiple clicks, and the way some organizations use Zoom presents interesting attack scenarios.”
Silvanovich found two different bugs, a buffer overflow issue that impacted both Zoom clients and Zoom Multimedia Routers (MMRs), and the other was an information leak security flaw central to MMR servers.
A lack of Address Space Layout Randomization (ASLR), a security mechanism to protect against memory corruption attacks, was also noted.
“ASLR is arguably the most important mitigation in preventing exploitation of memory corruption, and most other mitigations rely on it on some level to be effective,” Silvanovich noted. “There is no good reason for it to be disabled in the vast majority of software.”
As MMR servers process call content including audio and video, the researcher says that the bugs are “especially concerning” – and with compromise, any virtual meeting without end-to-end encryption enabled would have been exposed to eavesdropping,
The researcher did not complete the full attack chain, but suspects that a determined attacker could do so given the time and “sufficient investment.”
The vulnerabilities were reported to the vendor and patched on November 24, 2021. Zoom has since enabled ASLR.
It was possible to find these bugs as Zoom allows clients to set up their own servers; however, the “closed” nature of Zoom – which does not include open source components (such as WebRTC or PJSIP) that many other comparable tools do – made security vetting more difficult.
For the Project Zero team, this meant forking out close to $1500 in licensing fees, an expense that others, including independent researchers, may not be able to afford.
“These barriers to security research likely mean that Zoom is not investigated as often as it could be, potentially leading to simple bugs going undiscovered,” Silvanovich said. “Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it.”
In November, Zoom implemented automatic updates for the software’s desktop clients on Windows and macOS, as well as on mobile. This feature was only previously available to enterprise users.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0