Google researchers looked into the videoconferencing software’s now-patched flaws. According to experts, two vulnerabilities recently disclosed to Zoom might have led to remote exploitation in clients and MMR servers. Natalie Silvanovich, a Project Zero researcher, presented an analysis of the security issues on Tuesday, the outcome of a probe sparked by a zero-click attack on the videoconferencing tool displayed at Pwn2Own.
“In the past, I hadn’t given Zoom much thought because I assumed that any attack on a Zoom client would necessitate many clicks from the user,” the researcher added. “However, even if it takes numerous clicks, it’s likely not that difficult for a dedicated attacker to persuade a target to join a Zoom conversation, and the way some businesses employ Zoom creates fascinating attack possibilities.”
Silvanovich discovered two bugs: a buffer overflow that affected both Zoom clients and Zoom Multimedia Routers (MMRs), and an information-disclosure flaw in MMR servers.
She also found that Address Space Layout Randomization (ASLR), a standard mitigation that makes memory corruption bugs much harder to exploit, was not enabled.
“ASLR is likely the most significant mitigation in preventing memory corruption exploitation, and most other mitigations rely on it to be effective,” Silvanovich said. “In the vast majority of software, there is no legitimate reason for it to be disabled.”
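The mitigation Silvanovich refers to is an opt-in property of the executable itself, so the first check a defender makes on a third-party client is whether its binaries were built to support it. The following header parser is an added example written for this page, not code from Project Zero or Zoom; it reads the ASLR-related flags for ELF (PIE), PE (DYNAMICBASE) and Mach-O (MH_PIE) and is exercised on constructed minimal headers rather than real Zoom files.

```python
import struct

# Flag values come from the ELF, PE/COFF and Mach-O ABI documents, not from the article.
ELF_ET_DYN = 3                    # e_type of a position-independent executable
PE_DYNAMIC_BASE = 0x0040          # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
PE_HIGH_ENTROPY_VA = 0x0020       # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
MACHO_MH_PIE = 0x200000           # MH_PIE bit in the mach_header flags field

def aslr_support(data: bytes) -> dict:
    """Inspect the leading bytes of an executable and report whether it opts into ASLR."""
    if data[:4] == b"\x7fELF":
        # e_type sits at offset 16; only ET_DYN (PIE) images are relocated to a random base.
        e_type = struct.unpack_from("<H" if data[5] == 1 else ">H", data, 16)[0]
        return {"format": "ELF", "aslr": e_type == ELF_ET_DYN,
                "detail": "ET_DYN (PIE)" if e_type == ELF_ET_DYN else "ET_EXEC (fixed load address)"}
    if data[:2] == b"MZ":
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("MZ stub without PE signature")
        # Optional header follows the 20-byte COFF header; DllCharacteristics is at +70 in PE32 and PE32+.
        opt = pe_off + 4 + 20
        dllchar = struct.unpack_from("<H", data, opt + 70)[0]
        dyn = bool(dllchar & PE_DYNAMIC_BASE)
        hev = bool(dllchar & PE_HIGH_ENTROPY_VA)
        return {"format": "PE", "aslr": dyn,
                "detail": f"DYNAMICBASE={'on' if dyn else 'off'} HIGHENTROPYVA={'on' if hev else 'off'}"}
    if data[:4] in (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe"):
        # Little-endian 64-bit and 32-bit Mach-O headers both keep the flags word at offset 24.
        flags = struct.unpack_from("<I", data, 24)[0]
        pie = bool(flags & MACHO_MH_PIE)
        return {"format": "Mach-O", "aslr": pie, "detail": "MH_PIE set" if pie else "MH_PIE missing"}
    raise ValueError("unrecognized executable format")

# Constructed sample headers (synthetic, not real Zoom binaries): one ASLR-capable image per format and one without.
def _pe(dllchar: int) -> bytes:
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    opt = bytearray(96); struct.pack_into("<H", opt, 0, 0x20B); struct.pack_into("<H", opt, 70, dllchar)
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)

def _elf(e_type: int) -> bytes:
    hdr = bytearray(64); hdr[:5] = b"\x7fELF\x02"; hdr[5] = 1; struct.pack_into("<H", hdr, 16, e_type)
    return bytes(hdr)

def _macho(flags: int) -> bytes:
    hdr = bytearray(32); hdr[:4] = b"\xcf\xfa\xed\xfe"; struct.pack_into("<I", hdr, 24, flags)
    return bytes(hdr)

SAMPLES = {"pe_aslr": _pe(0x0160), "pe_no_aslr": _pe(0x0100), "elf_pie": _elf(3), "elf_exec": _elf(2),
           "macho_pie": _macho(0x200085), "macho_no_pie": _macho(0x85)}
```

On a real install, pass the first few kilobytes of each executable and shared library to `aslr_support`; a fat (universal) Mach-O needs its per-architecture slices split out first, which this parser does not do.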
The researcher believes the issues are “particularly concerning” because MMR servers process call material, including audio and video, and that if they were compromised, any virtual conference without end-to-end encryption enabled would have been vulnerable to eavesdropping.
The researcher did not complete the entire attack chain, but believes that with enough time and “adequate investment,” a determined attacker might do so.
Zoom was notified of the vulnerabilities on November 24, 2021, and has since patched them. Zoom has also enabled ASLR.
It was feasible to uncover these issues because Zoom allows customers to set up their own servers. However, Zoom’s “closed” structure, which does not incorporate open source components such as WebRTC or PJSIP the way many comparable products do, made security vetting more difficult.
This required paying close to $1500 in licence costs for the Project Zero team, a price that others, particularly independent researchers, may not be able to afford.
“These roadblocks to security research are likely preventing Zoom from being researched as frequently as it could be, perhaps resulting in basic issues getting undetected,” Silvanovich added. “Security researchers and others who seek to use closed-source software have unique security challenges, and Zoom might do more to make their platform accessible to them.”