Google Project Zero Detects Vulnerabilities in Zoom

Vulnerabilities in Zoom

Security experts from Google Project Zero detected two vulnerabilities in the video conferencing application Zoom that heavily expose users to attacks. These vulnerabilities affect Zoom clients running on Windows, macOS, Linux, iOS and Android.

The impact 

The first vulnerability, tracked as CVE-2021-34423, is a buffer overflow and was assigned a CVSS base score of 7.3.

The second flaw, tracked as CVE-2021-34424, is a memory corruption issue and also received a CVSS base score of 7.3.

Affected Zoom products: 

  • Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4 
  • Zoom Client for Meetings for BlackBerry (for Android and iOS) before version 5.8.1 
  • Zoom Client for Meetings for Intune (for Android and iOS) before version 5.8.4 
  • Zoom Client for Meetings for Chrome OS before version 5.0.1 
  • Zoom Rooms for Conference Room (for Android, AndroidBali, macOS and Windows) before version 5.8.3 
  • Controllers for Zoom Rooms (for Android, iOS and Windows) before version 5.8.3 
  • Zoom VDI before version 5.8.4 
  • Zoom Meeting SDK for Android before version 5.7.6.1922 
  • Zoom Meeting SDK for iOS before version 5.7.6.1082 
  • Zoom Meeting SDK for macOS before version 5.7.6.1340 
  • Zoom Meeting SDK for Windows before version 5.7.6.1081 
  • Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2 
  • Zoom On-Premise Meeting Connector Controller before version 4.8.12.20211115 
  • Zoom On-Premise Meeting Connector MMR before version 4.8.12.20211115 
  • Zoom On-Premise Recording Connector before version 5.1.0.65.20211116 
  • Zoom On-Premise Virtual Room Connector before version 4.4.7266.20211117 
  • Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117 
  • Zoom Hybrid Zproxy before version 1.0.1058.20211116 
  • Zoom Hybrid MMR before version 4.6.20211116.131_x86-64 
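As an added example that is not part of the original article, the following Python snippet turns the affected-products list above into an inventory check: each installed version is compared, component by component, against the first fixed version for that product. The hostnames and installed versions in the sample inventory are constructed for the example; the comparison is numeric rather than string-based, so a version such as 5.10.0 is not mistaken for being older than 5.8.4.

```python
# Affected products and their first fixed version, copied from the list above.
FIXED_VERSIONS = {
    "Zoom Client for Meetings": "5.8.4",
    "Zoom Client for Meetings for BlackBerry": "5.8.1",
    "Zoom Client for Meetings for Intune": "5.8.4",
    "Zoom Client for Meetings for Chrome OS": "5.0.1",
    "Zoom Rooms for Conference Room": "5.8.3",
    "Controllers for Zoom Rooms": "5.8.3",
    "Zoom VDI": "5.8.4",
    "Zoom Meeting SDK for Android": "5.7.6.1922",
    "Zoom Meeting SDK for iOS": "5.7.6.1082",
    "Zoom Meeting SDK for macOS": "5.7.6.1340",
    "Zoom Meeting SDK for Windows": "5.7.6.1081",
    "Zoom Video SDK": "1.1.2",
    "Zoom On-Premise Meeting Connector Controller": "4.8.12.20211115",
    "Zoom On-Premise Meeting Connector MMR": "4.8.12.20211115",
    "Zoom On-Premise Recording Connector": "5.1.0.65.20211116",
    "Zoom On-Premise Virtual Room Connector": "4.4.7266.20211117",
    "Zoom On-Premise Virtual Room Connector Load Balancer": "2.5.5692.20211117",
    "Zoom Hybrid Zproxy": "1.0.1058.20211116",
    "Zoom Hybrid MMR": "4.6.20211116.131_x86-64",
}

def parse_version(version):
    """Turn a Zoom version string into a tuple of ints for numeric comparison."""
    # Drop a platform suffix such as "_x86-64"; ignore any non-numeric piece.
    core = version.split("_", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())

def is_affected(product, installed):
    """True if the installed version is older than the first fixed version."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {product}")
    have, fixed = parse_version(installed), parse_version(FIXED_VERSIONS[product])
    width = max(len(have), len(fixed))
    # Pad the shorter tuple with zeros so "5.8" compares like "5.8.0".
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    return have < fixed

def audit(inventory):
    """Return the (host, product, version) entries that still need updating."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]

# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("laptop-01", "Zoom Client for Meetings", "5.8.3"),
    ("laptop-02", "Zoom Client for Meetings", "5.10.0"),
    ("room-a", "Zoom Rooms for Conference Room", "5.8.3"),
    ("mmr-01", "Zoom Hybrid MMR", "4.6.20211001.131_x86-64"),
]
```

Running `audit(SAMPLE_INVENTORY)` flags laptop-01 and mmr-01 only; room-a is already on the fixed version and laptop-02 is newer than it.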

The remediation 

Dedicated remediations for these Zoom vulnerabilities have not been released yet. Until they are, the best mitigation is to keep the app updated to the latest available version.

Source: Security Affairs

Risk Crew