• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
google details two zero day bugs reported in zoom clients and

Google Details Two Zero-Day Bugs Reported in Zoom Clients and MMR Servers

You are here: Home / General Cyber Security News / Google Details Two Zero-Day Bugs Reported in Zoom Clients and MMR Servers
January 20, 2022

An exploration of zero-simply click attack surface area for the common video clip conferencing solution Zoom has yielded two beforehand undisclosed security vulnerabilities that could be exploited to crash the service, execute destructive code, and even leak arbitrary parts of its memory.

Natalie Silvanovich of Google Task Zero, who found and reported the two flaws past 12 months, said the issues influence both of those Zoom clients and Multimedia Router (MMR) servers, which transmit audio and movie material in between purchasers in on-premise deployments.

The weaknesses have due to the fact been addressed by Zoom as section of updates delivered on November 24, 2021.

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


The aim of a zero-click attack is to stealthily obtain command above the victim’s machine without having requiring any variety of conversation from the person, these types of as clicking on a backlink.

Automatic GitHub Backups

Even though the particulars of the exploit will vary depending on the mother nature of vulnerability staying exploited, a key trait of zero-simply click hacks is their capacity not to go away behind traces of malicious action, generating them quite challenging to detect.

The two flaws identified by Undertaking Zero are as follows —

  • CVE-2021-34423 (CVSS rating: 9.8) – A buffer overflow vulnerability that can be leveraged to crash the provider or software, or execute arbitrary code.
  • CVE-2021-34424 (CVSS score: 7.5) – A system memory exposure flaw that could be made use of to most likely obtain perception into arbitrary places of the product’s memory.

By analyzing the RTP (Genuine-time Transportation Protocol) targeted traffic used to supply audio and movie more than IP networks, Silvanovich discovered that it can be attainable to manipulate the contents of a buffer that supports looking at distinct information forms by sending a malformed chat information, leading to the client and the MMR server to crash.

Additionally, the deficiency of a NULL verify — which is made use of to ascertain the conclude of a string — created it feasible to leak details from the memory by becoming a member of a Zoom meeting by way of a web browser.

Prevent Data Breaches

The researcher also attributed the memory corruption flaw to the point that Zoom failed to enable ASLR, aka tackle room structure randomization, a security mechanism created to enhance the problem of accomplishing buffer overflow attacks.

“The lack of ASLR in the Zoom MMR procedure enormously improved the risk that an attacker could compromise it,” Silvanovich reported. “ASLR is arguably the most crucial mitigation in stopping exploitation of memory corruption, and most other mitigations count on it on some stage to be successful. There is no very good purpose for it to be disabled in the extensive the vast majority of software program.”

Although most online video conferencing systems use open up-resource libraries these as WebRTC or PJSIP for implementing multimedia communications, Project Zero called out Zoom’s use of proprietary formats and protocols as very well as its superior licensing service fees (approximately $1,500) as limitations to security study.

“Shut-resource program offers exclusive security troubles, and Zoom could do extra to make their system obtainable to security scientists and some others who desire to examine it,” Silvanovich mentioned. “Although the Zoom Security Staff helped me entry and configure server software package, it is not crystal clear that help is accessible to other researchers, and licensing the software package was continue to highly-priced.”

Located this short article intriguing? Comply with THN on Fb, Twitter  and LinkedIn to examine additional distinctive content material we write-up.


Some elements of this short article are sourced from:
thehackernews.com

Previous Post: «uk and australia partner on cyber security investment UK and Australia partner on cyber security investment
Next Post: SEC Filing Reveals Fortune 500 Firm Targeted in Ransomware Attack doppelpaymer gang leaks files from illinois ag after ransom negotiations»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • Qilin Ransomware Adds “Call Lawyer” Feature to Pressure Victims for Larger Ransoms
  • Iran’s State TV Hijacked Mid-Broadcast Amid Geopolitical Tensions; $90M Stolen in Crypto Heist
  • 6 Steps to 24/7 In-House SOC Success
  • Massive 7.3 Tbps DDoS Attack Delivers 37.4 TB in 45 Seconds, Targeting Hosting Provider
  • 67 Trojanized GitHub Repositories Found in Campaign Targeting Gamers and Developers
  • New Android Malware Surge Hits Devices via Overlays, Virtualization Fraud and NFC Theft
  • BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with MacOS Backdoor Malware
  • Secure Vibe Coding: The Complete New Guide
  • Uncover LOTS Attacks Hiding in Trusted Tools — Learn How in This Free Expert Session
  • Russian APT29 Exploits Gmail App Passwords to Bypass 2FA in Targeted Phishing Campaign

Copyright © TheCyberSecurity.News, All Rights Reserved.