Zoom conference vulnerabilities helped attack companies' infrastructure

Zoom Video Communications has patched vulnerabilities in its line of on-premises for conferences, negotiations and recordings – Zoom Meeting Connector Controller, Zoom Virtual Room Connector, Zoom Recording Connector and others.

The errors identified by Egor Dimitrenko, an expert at Positive Technologies, made it possible to execute an attack by injecting commands and gain access to the server with maximum privileges.

The users of the studied software distributed according to the on-premise model are, as a rule, large companies that deploy these solutions in their network in order to prevent information leaks.

The malicious injection was possible due to the CVE-2021-34414 vulnerability (CVSS 3.1 score 7.2) discovered by Yegor Dimitrenko. The issue has been reported in the following Zoom on-premise apps:

Meeting Connector Controller up to version 4.6.348.20201217;

Meeting Connector MMR up to version 4.6.348.20201217;

Recording Connector up to version 3.8.42.20200905;

Virtual Room Connector up to version 4.4.6620.20201110;

Virtual Room Connector Load Balancer prior to version 2.5.5495.20210326.

Another vulnerability (CVE-2021-34415 with a CVSS 3.0 score of 7.5) could crash the system. The bug was found by Nikita Abramov in the Zoom On-Premise Meeting Connector Controller application, and the problem has been fixed in version 4.6.358.20210205. As a result of the exploitation of this problem, attackers could disrupt the functionality of the software, thereby creating a situation where it would not be possible to conduct conferences using Zoom.

The third vulnerability (CVE-2021-34416 with a CVSS 3.0 score of 5.5) also allowed for a command injection attack. The deficiency identified by Yegor Dimitrenko concerns the following Zoom on-premise applications:

Meeting Connector up to version 4.6.360.20210325,
Meeting Connector MMR prior to version 4.6.360.20210325,
Recording Connector up to version 3.8.44.20210326,
Virtual Room Connector up to version 4.4.6752.20210326,
Virtual Room Connector Load Balancer prior to version 2.5.5495.20210326.

The main danger of compromising these applications and gaining shell access is that they handle traffic from all conferences in the company. Thus, an attacker can carry out an MITM attack and intercept any data from conferences in real time. Since applications of this type can be located on the perimeter, this allows external intruders to execute arbitrary code on the server with root user privileges, which makes it possible to further advance on the company’s network. To exploit the vulnerability, an attacker needs the credentials of any user with administrative rights, such as the admin user, which is created in the default application. But due to the fact that the application does not adhere to a strict password policy and it does not have protection against password guessing through the web interface, it is not difficult for an attacker to obtain a password.says Dimitrenko.

According to the expert, the main reasons for the emergence of such vulnerabilities are the lack of sufficient verification of user data.

You can often find vulnerabilities of this class in applications to which server administration tasks are delegated. The peculiarity of this vulnerability is that it always leads to critical consequences and in most cases leads to gaining full control over the infrastructure of the corporate network.the specialist notes.

Let me remind you that we also reported that Zoom bug allowed to matching a password for conference.

Sending