Flagged by Positive Technologies, the vulnerabilities existed in several critical apps in Zoom’s portfolio of video conferencing apps and tools, including Zoom Meeting Connector Controller, Zoom Virtual Room Connector, Zoom Recording Connector, and others.
“These apps process traffic from all conferences at the company, so when they’re compromised, the biggest danger is, an intruder can perform a Man-in-the-Middle attack and intercept any data from conferences in real time,” says Egor Dimitrenko, the researcher who discovered the flaws.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
Dimitrenko adds that because the affected apps operate on the outer perimeter of the corporate network, in addition to giving attackers the ability to disrupt an organization’s ability to hold conferences, the flaws could also allow remote intruders to get inside the company’s network.
According to Dimitrenko, the three vulnerabilities, tracked as CVE-2021-34414, CVE-2021-34415, and CVE-2021-34416, could have enabled attackers to execute arbitrary code on the server with root-user privileges.
According to Positive Technologies, exploiting the flaws required an attacker to obtain the login credentials of any user with administrative rights, such as the admin user created in the default application.
However, Dimitrenko argues that isn’t much of a challenge since Zoom doesn’t adhere to a strict password policy, and doesn’t offer protection against password guessing through the web interface.
“You can often encounter vulnerabilities of this class in apps to which server administration tasks have been delegated. This vulnerability always leads to critical consequences and, in most instances, it results in intruders gaining full control over the corporate network infrastructure,” says Dimitrenko.
The good news however is that all three vulnerabilities have been patched, and users are advised to update without delay.