Google's Project Zero team has disclosed two vulnerabilities in the widely used Zoom video conferencing platform. According to Natalie Silvanovich, the researcher who found them, the flaws could have been used to crash the service, execute attacker-supplied code, and leak data from process memory.
No user interaction is needed
The first, tracked as CVE-2021-34423, has a CVSS score of 9.8 (critical). It is a buffer overflow that can be used to crash the service or be leveraged to execute arbitrary code. The second, tracked as CVE-2021-34424 with a CVSS score of 7.5, could be used to read the contents of arbitrary areas of the product's memory.
Together these issues created the risk of zero-click attacks, which require no user interaction at all, not even clicking a link. Because the victim does nothing observable, such attacks are also harder to detect.
In her research, Silvanovich found that a malicious chat message could manipulate the contents of a buffer used to read data of several different types, and that this could crash both the Multimedia Router (MMR) server, which processes meeting traffic, and the Zoom client application. A separate missing NULL check also made it possible to pull data from memory when Zoom is used in a web browser.
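To make the two bug classes concrete, the following C example is added here; it is not Zoom's code and the wire format, field names and packet contents are all invented for illustration. A typed field reader that trusts an attacker-supplied length both overflows its destination and, when the copied string is never NUL-terminated, lets a later strlen() or printf("%s") walk into adjacent memory. The hardened reader bounds every length by the bytes that remain in the packet and by the destination capacity, and always terminates the string.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical chat-message wire format used only for this example (not Zoom's):
 * a message is a sequence of fields, each encoded as
 *   1-byte type tag | 2-byte big-endian length | payload
 * FIELD_STRING (tag 2) carries the sender name, FIELD_U32 (tag 1) a message id. */
enum { FIELD_U32 = 1, FIELD_STRING = 2 };

typedef struct {
    const uint8_t *data;   /* untrusted bytes received from the network */
    size_t len;
    size_t pos;
} reader_t;

#define NAME_CAP 32

/* Reads a 3-byte field header; returns false if fewer than 3 bytes remain. */
static bool read_header(reader_t *r, uint8_t *type, uint16_t *n) {
    if (r->len - r->pos < 3) return false;
    *type = r->data[r->pos];
    *n = (uint16_t)((r->data[r->pos + 1] << 8) | r->data[r->pos + 2]);
    r->pos += 3;
    return true;
}

/* VULNERABLE reader (illustration only): it trusts the attacker-chosen length.
 * A length larger than NAME_CAP overflows `out`, a length larger than the bytes
 * actually present reads past the packet, and `out` is never NUL-terminated,
 * so a later strlen()/printf("%s") discloses whatever follows it in memory. */
static bool read_name_unchecked(reader_t *r, char out[NAME_CAP]) {
    uint8_t type; uint16_t n;
    if (!read_header(r, &type, &n) || type != FIELD_STRING) return false;
    memcpy(out, r->data + r->pos, n);
    r->pos += n;
    return true;
}

/* HARDENED reader: length bounded by remaining packet bytes and by the
 * destination capacity, and the result is always NUL-terminated. */
static bool read_name_checked(reader_t *r, char *out, size_t out_cap) {
    uint8_t type; uint16_t n;
    if (!read_header(r, &type, &n) || type != FIELD_STRING) return false;
    if (n > r->len - r->pos) return false;   /* claimed length exceeds packet */
    if (n >= out_cap) return false;          /* no room for payload plus NUL  */
    memcpy(out, r->data + r->pos, n);
    out[n] = '\0';
    r->pos += n;
    return true;
}

static bool read_u32_checked(reader_t *r, uint32_t *v) {
    uint8_t type; uint16_t n;
    if (!read_header(r, &type, &n) || type != FIELD_U32 || n != 4) return false;
    if (n > r->len - r->pos) return false;
    *v = ((uint32_t)r->data[r->pos] << 24) | ((uint32_t)r->data[r->pos + 1] << 16)
       | ((uint32_t)r->data[r->pos + 2] << 8) | r->data[r->pos + 3];
    r->pos += 4;
    return true;
}

typedef struct { char name[NAME_CAP]; uint32_t msg_id; } chat_msg_t;

/* Parses one message with the hardened readers: 0 on success, -1 if any
 * field is malformed or truncated. */
int parse_chat_message(const uint8_t *buf, size_t len, chat_msg_t *m) {
    reader_t r = { buf, len, 0 };
    memset(m, 0, sizeof *m);
    if (!read_name_checked(&r, m->name, sizeof m->name)) return -1;
    if (!read_u32_checked(&r, &m->msg_id)) return -1;
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_pkt[] = {
    2, 0x00, 0x05, 'a', 'l', 'i', 'c', 'e',       /* STRING "alice" */
    1, 0x00, 0x04, 0x00, 0x00, 0x01, 0x2c          /* U32 300 */
};
/* String header claims 0xFFFF bytes: the unchecked reader would copy
 * 65535 bytes into a 32-byte buffer. */
static const uint8_t oversize_pkt[] = {
    2, 0xFF, 0xFF, 'a', 'l', 'i', 'c', 'e',
    1, 0x00, 0x04, 0x00, 0x00, 0x01, 0x2c
};
/* Claims 5 bytes but the packet ends after 3: the unchecked reader would
 * fill the name from whatever follows the packet in memory. */
static const uint8_t truncated_pkt[] = { 2, 0x00, 0x05, 'a', 'l', 'i' };

int main(void) {
    chat_msg_t m;
    printf("good: %d name=%s id=%u\n",
           parse_chat_message(good_pkt, sizeof good_pkt, &m), m.name, m.msg_id);
    printf("oversize: %d\n", parse_chat_message(oversize_pkt, sizeof oversize_pkt, &m));
    printf("truncated: %d\n", parse_chat_message(truncated_pkt, sizeof truncated_pkt, &m));
    /* The unchecked reader is only ever run on the benign packet here. */
    reader_t r = { good_pkt, sizeof good_pkt, 0 };
    char name[NAME_CAP] = {0};
    printf("unchecked on good packet: %d name=%s\n", read_name_unchecked(&r, name), name);
    return 0;
}
```

The two rejected packets are the shapes a fuzzer or a malicious peer produces most easily: a length field far larger than the destination, and a length field larger than what was actually sent. Checking the length against the bytes remaining, not just against the destination size, is what stops the over-read that turns a parser bug into a memory disclosure.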
Current versions of Zoom are not affected: the company fixed both issues in November 2021 (Zoom Client for Meetings 5.8.4 and later), so users should make sure their client is up to date. The full report is linked below.
Click here to read the full report of the patched Zoom flaws