Intruders could intercept data from meetings and attack customer infrastructure
Zoom Video Communications has patched vulnerabilities in its range of local solutions for conferences, negotiations and recordings—Zoom Meeting Connector Controller, Zoom Virtual Room Connector, Zoom Recording Connector and others. The errors identified by Positive Technologies researchers, Egor Dimitrenko and Nikita Abramov, made it possible for attackers to enter commands to execute an attack and, thus, obtain server access with maximum privileges. Zoom’s main product, a Zoom video-conferencing app, according to LearnBonds, is the most popular video conferencing application in the United States, with a market share of 42.8%.
The users of the software in question, distributed under the on-premise model, are generally large companies that deploy these solutions in their networks to prevent data leaks.
The malicious injections was possible thanks to the CVE-2021-34414 vulnerability (which obtained a CVSS 3.1 score of 7.2). The issue has been reported in the following Zoom on-premise apps:
- Meeting Connector Controller up to version 4.6.348.20201217
- Meeting Connector MMR up to version 4.6.348.20201217
- Recording Connector up to version 22.214.171.12400905
- Virtual Room Connector up to version 4.4.6620.20201110
- And Virtual Room Connector Load Balancer prior to version 2.5.5495.20210326.
A second vulnerability (CVE-2021-34415, with a CVSS 3.0 score of 7.5) could have led to a system crash. The error was found by another Positiv Technologies researcher, Nikita Abramov in the Zoom On-Premise Meeting Connector Controller app, and the problem was rectified in version 4.6.358.20210205. As a result of exploiting this vulnerability, intruders could compromise the software’s functionality, creating a situation when holding Zoom conferences would have been impossible.
A third vulnerability (CVE-2021-34416 with a CVSS 3.0 score of 5.5) also facilitated an attack through the entry of certain commands. The failing that Egor Dimitrenko discovered affects the following Zoom on-premise apps:
- Meeting Connector up to version 4.6.360.20210325
- Meeting Connector MMR up to version 4.6.360.20210325
- Recording Connector up to version 126.96.36.19910326
- Virtual Room Connector up to version 4.4.6752.20210326
- And Virtual Room Connector Load Balancer up to version 2.5.5495.20210326
«These apps process traffic from all conferences at the company, so when they’re compromised, the biggest danger is, an intruder can perform a Man-intheMiddle attack and intercept any data from conferences in real time,» Egor Dimitrenko explained. «Since apps of this kind might appear on the perimeter, this enables external intruders to execute arbitrary code on the server with root-user privileges, making it possible for them to advance further on the company’s network. To exploit the vulnerability, the attacker needs the account credentials of any user with administrative rights, such as the admin user created in the default application. However, because the application does not adhere to a strict password policy and has no protection against password guessing through the web interface, it’s not difficult for an attacker to obtain a password.»
Egor Dimitrenko believes that the main reason why such vulnerabilities arise is a lack of sufficient verification of user data. «You can often encounter vulnerabilities of this class in apps to which server administration tasks have been delegated. This vulnerability always leads to critical consequences and, in most instances, it results in intruders gaining full control over the corporate network infrastructure,» he explained.
Fixing the vulnerabilities requires an update to the apps affected. MaxPatrol VM, a new-generation vulnerability management system, will facilitate continuous monitoring of vulnerabilities within the infrastructure, both in normal mode and during emergency inspections. In the event of a successful attack, one way to detect signs of penetration is to use SIEM solutions (in particular, MaxPatrol SIEM), which help identify suspicious behavior on the server and prevent intruders from advancing within the corporate network.