Security

Google experts found 2 flaws in video conferencing software Zoom

Google Project Zero researchers have discovered two vulnerabilities in the video conferencing software Zoom that expose users to attacks.

Security researchers from Google Project Zero discovered two vulnerabilities in the video conferencing software Zoom that expose users to attacks. The vulnerabilities impact Zoom Client for Meetings on Windows, macOS, Linux, iOS, and Android.

The issues in the video conferencing software Zoom were discovered by Google Project Zero researcher Natalie Silvanovich. The first flaw, tracked as CVE-2021-34423, is a high-severity buffer overflow vulnerability that received a CVSS base score of 7.3.

“A buffer overflow vulnerability was discovered in the products listed in the “Affected Products” section of this bulletin. This can potentially allow a malicious actor to crash the service or application, or leverage this vulnerability to execute arbitrary code.” reads the security advisory published by Zoom.

The second vulnerability addressed by the company is a memory corruption issue, tracked as CVE-2021-34424, that received a CVSS base score of 7.3.

“A vulnerability was discovered in the products listed in the “Affected Products” section of this bulletin which potentially allowed for the exposure of the state of process memory. This issue could be used to potentially gain insight into arbitrary areas of the product’s memory.” reads the advisory.

Below is the list of affected Zoom products:

  • Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4
  • Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1
  • Zoom Client for Meetings for intune (for Android and iOS) before version 5.8.4
  • Zoom Client for Meetings for Chrome OS before version 5.0.1
  • Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3
  • Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3
  • Zoom VDI before version 5.8.4
  • Zoom Meeting SDK for Android before version 5.7.6.1922
  • Zoom Meeting SDK for iOS before version 5.7.6.1082
  • Zoom Meeting SDK for macOS before version 5.7.6.1340
  • Zoom Meeting SDK for Windows before version 5.7.6.1081
  • Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2
  • Zoom On-Premise Meeting Connector Controller before version 4.8.12.20211115
  • Zoom On-Premise Meeting Connector MMR before version 4.8.12.20211115
  • Zoom On-Premise Recording Connector before version 5.1.0.65.20211116
  • Zoom On-Premise Virtual Room Connector before version 4.4.7266.20211117
  • Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117
  • Zoom Hybrid Zproxy before version 1.0.1058.20211116
  • Zoom Hybrid MMR before version 4.6.20211116.131_x86-64

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, video conferencing software Zoom)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Romanian national was sentenced to 20 years in prison for his role in NetWalker ransomware attacks

Romanian national was sentenced to 20 years in prison for his role in NetWalker ransomware…

3 hours ago

Sophos fixed critical vulnerabilities in its Firewall product

Sophos fixed three Sophos Firewall flaws that could lead to SQL injection, privileged SSH access…

17 hours ago

U.S. CISA adds BeyondTrust software flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds BeyondTrust Privileged Remote Access (PRA) and Remote…

1 day ago

Raccoon Infostealer operator sentenced to 60 months in prison

Raccoon Infostealer operator Mark Sokolovsky was sentenced to 60 months in US prison and ordered…

1 day ago

Mirai botnet targets SSR devices, Juniper Networks warns<gwmw style="display:none;"></gwmw>

Juniper Networks warns that a Mirai botnet is targeting SSR devices with default passwords after…

2 days ago

Fortinet warns about Critical flaw in Wireless LAN Manager FortiWLM<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

Fortinet warns of a patched FortiWLM vulnerability that could allow admin access and sensitive information…

2 days ago

This website uses cookies.