Project Zero found two vulnerabilities in Zoom, both of which have since been patched. Zoom clients were found to be susceptible to a buffer overflow, and data from central Zoom servers was successfully leaked to a client outside the network.
The vulnerabilities were found by Natalie Silvanovich, a security researcher at Project Zero. Zoom was notified of the problem, and the vulnerabilities (CVE-2021-34423 and CVE-2021-34424) have since been patched. As a result, Silvanovich went public with the story.
First of all, the researcher found a way to crash the client of conference participants with a single chat message. Secondly, it proved possible to leak data from central Zoom servers (on-premises and cloud MMRs) onto a client outside the network.
Silvanovich did not demonstrate how the vulnerabilities could be used for network and endpoint breaches. The researcher suspects that, with enough time and resources, an attacker could have found a way. Zoom shares that assessment, and the organization patched the vulnerabilities as quickly as possible.
During the investigation, Silvanovich also found that Address Space Layout Randomization (ASLR) was missing. The technique is an extremely effective defence against attacks on application memory (memory corruption), including buffer overflows, because it makes the addresses an exploit depends on unpredictable. Zoom had never enabled ASLR; it was added on Silvanovich’s recommendation.
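Whether a Windows application opts in to ASLR is recorded in its PE header: the linker sets the DYNAMIC_BASE bit in the optional header's DllCharacteristics field, and 64-bit images additionally set HIGH_ENTROPY_VA. The script below, added here as an example and not code from Project Zero or Zoom, reads those bits from raw PE bytes so a defender can audit the binaries they deploy. It parses the header directly with the standard library; the sample images it checks are constructed in `build_minimal_pe`, which produces a header-only stub for testing rather than any real executable.

```python
import struct

# Bit flags of the DllCharacteristics field, from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high entropy
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be relocated (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP/NX compatible

PE32_MAGIC = 0x10B      # 32-bit optional header
PE32PLUS_MAGIC = 0x20B  # 64-bit optional header


def read_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image given its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    # e_lfanew at offset 0x3C of the DOS header points at the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # SizeOfOptionalHeader lives 16 bytes into the 20-byte COFF file header.
    (size_of_optional_header,) = struct.unpack_from("<H", data, coff + 16)
    optional = coff + 20
    (magic,) = struct.unpack_from("<H", data, optional)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    if size_of_optional_header < 72:
        raise ValueError("optional header too short to contain DllCharacteristics")
    (dll_characteristics,) = struct.unpack_from("<H", data, optional + 70)
    return dll_characteristics


def aslr_status(data: bytes) -> dict:
    """Summarise the ASLR-related mitigations an image opts in to."""
    flags = read_dll_characteristics(data)
    dynamic_base = bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # Without DYNAMIC_BASE the loader maps the image at its preferred base,
        # so every code and data address is the same on every run: no ASLR.
        "aslr": dynamic_base,
    }


def aslr_status_of_file(path: str) -> dict:
    """Convenience wrapper for auditing an on-disk binary."""
    with open(path, "rb") as fh:
        return aslr_status(fh.read())


def build_minimal_pe(magic: int, dll_characteristics: int) -> bytes:
    """Construct a header-only PE stub for testing (sample data, not a runnable binary)."""
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header follows the DOS header
    coff = bytearray(20)
    struct.pack_into("<H", coff, 0, 0x8664 if magic == PE32PLUS_MAGIC else 0x14C)  # Machine
    struct.pack_into("<H", coff, 16, opt_size)  # SizeOfOptionalHeader
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt)


if __name__ == "__main__":
    hardened = build_minimal_pe(PE32PLUS_MAGIC, 0x0160)  # DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT
    legacy = build_minimal_pe(PE32_MAGIC, 0x0100)        # NX_COMPAT only, no ASLR opt-in
    print("hardened:", aslr_status(hardened))
    print("legacy:  ", aslr_status(legacy))
```

A missing DYNAMIC_BASE bit is the header-level symptom of the gap described above: the binary still loads, but at a fixed address, which is exactly the predictability ASLR exists to remove. Checking this bit (for example in a build pipeline) catches the regression before an attacker does.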
Room for improvement
An independent researcher would have found it much harder to investigate the software. Project Zero sponsored Silvanovich with over $1,500 (1300 euros) to afford Zoom’s software licenses for testing purposes. Zoom does not use open-source modules. The software is tightly sealed, keeping critical eyes out. The organization should be doing more to facilitate security research, says Silvanovich.