Zoom Video Communications has patched vulnerabilities in its line of on-premises for conferences, negotiations and recordings – Zoom Meeting Connector Controller, Zoom Virtual Room Connector, Zoom Recording Connector and others.
The errors identified by Egor Dimitrenko, an expert at Positive Technologies, made it possible to execute an attack by injecting commands and gain access to the server with maximum privileges.The users of the studied software distributed according to the on-premise model are, as a rule, large companies that deploy these solutions in their network in order to prevent information leaks.
The malicious injection was possible due to the CVE-2021-34414 vulnerability (CVSS 3.1 score 7.2) discovered by Yegor Dimitrenko. The issue has been reported in the following Zoom on-premise apps:
Another vulnerability (CVE-2021-34415 with a CVSS 3.0 score of 7.5) could crash the system. The bug was found by Nikita Abramov in the Zoom On-Premise Meeting Connector Controller application, and the problem has been fixed in version 4.6.358.20210205. As a result of the exploitation of this problem, attackers could disrupt the functionality of the software, thereby creating a situation where it would not be possible to conduct conferences using Zoom.
The third vulnerability (CVE-2021-34416 with a CVSS 3.0 score of 5.5) also allowed for a command injection attack. The deficiency identified by Yegor Dimitrenko concerns the following Zoom on-premise applications:
- Meeting Connector up to version 4.6.360.20210325,
- Meeting Connector MMR prior to version 4.6.360.20210325,
- Recording Connector up to version 3.8.44.20210326,
- Virtual Room Connector up to version 4.4.6752.20210326,
- Virtual Room Connector Load Balancer prior to version 2.5.5495.20210326.
According to the expert, the main reasons for the emergence of such vulnerabilities are the lack of sufficient verification of user data.
Let me remind you that we also reported that Zoom bug allowed to matching a password for conference.
