Zoom developers have fixed bugs that affected versions of the application for Windows, macOS, Linux, iOS and Android. The vulnerabilities were discovered by specialists from the Google Project Zero team.
Google Project Zero researcher Natalie Silvanovich writes that the vulnerabilities affect the main Zoom client for conferences and are relevant to all major platforms. The exploitation of bugs can lead to code execution attacks.
The most serious of the two is CVE-2021-34423, which affects a wide variety of components and SDKs. The bug is described as a buffer overflow and scored 7.3 on the CVSS vulnerability rating scale.
The second vulnerability, CVE-2021-34424, leads to corruption of information in memory and allows learning the state of the process memory for several products and components. According to the creators of Zoom, this bug can be used to gain insight into arbitrary regions of memory.
A complete list of affected Zoom versions includes:
- Zoom client for conferences (for Android, iOS, Linux, macOS and Windows) up to version 5.8.4;
- Zoom client for conferences for Blackberry (for Android and iOS) up to version 5.8.1;
- Zoom client for conferences for intune (for Android and iOS) up to version 5.8.4;
- Zoom client for conferences for Chrome OS up to version 5.0.1;
- Zoom Rooms for a conference room (for Android, AndroidBali, macOS and Windows) up to version 5.8.3;
- Controllers for Zoom Rooms (for Android, iOS and Windows) up to version 5.8.3;
- Zoom VDI up to version 5.8.4;
- SDK Zoom Meeting for Android up to version 5.7.6.1922;
- SDK Zoom Meeting for iOS up to version 5.7.6.1082;
- SDK Zoom Meeting for macOS up to version 5.7.6.1340;
- Zoom Meeting SDK for Windows up to version 5.7.6.1081;
- Zoom Video SDK (for Android, iOS, macOS and Windows) up to version 1.1.2;
- Zoom On-Premise Meeting Connector Controller up to version 4.8.12.20211115;
- MMR Zoom On-Premise Meeting Connector up to version 4.8.12.20211115;
- Zoom On-Premise Recording Connector up to version 5.1.0.65.20211116;
- Zoom On-Premise Virtual Room Connector up to version 4.4.7266.20211117;
- Zoom On-Premise Virtual Room Connector Load Balancer up to version 2.5.5692.20211117;
- Zoom Hybrid Zproxy up to version 1.0.1058.20211116;
- Zoom Hybrid MMR up to version 4.6.20211116.131_x86-64.
It should also be noted that this month the Zoom team finally added an automatic update mechanism to the application (in the desktop version for Windows and macOS, Linux is not yet supported), so that now users can receive patches in a timely manner.
Let me remind you that we also wrote that Researcher Demonstrates Exploitation of Zoom Vulnerabilities at DEF CON.