Researchers have discovered a flaw in Zoom and AudioCodes products which could allow threat actors to listen in on video conferencing calls, hijack vulnerable endpoints, and even deliver more devastating malware such as infostealers or ransomware.
Security expert Moritz Abrell from SySS was the one who found flaws in AudioCodes desk phones and Zoom’s Zero Touch Provisioning (ZTP) features, which allows admins to configure VoIP devices in a centralized manner.
The provisioning process was flawed, though – so when the tool tries to grab configuration files from the ZTP service, it does so without any client-side authentication mechanism, which the attackers could abuse to drop malware from a rogue server.
Taking over devices
Furthermore, there was another improper authentication issue, this time in the cryptographic routines in AudioCodes’ VoIP desk phones, which crooks could use to decrypt sensitive information. Combine these two flaws, and you get an exploit chain that grants attackers full access to the vulnerable devices.
“When combined, these vulnerabilities can be used to remotely take over arbitrary devices. As this attack is highly scalable, it poses a significant security risk,” Abrell said.
Three years ago, at the early days of the Covid-19 pandemic, Zoom was one of the most-used applications out there, resulting in an enormous spike in popularity. As a result, hackers dug deep into the program’s code, finding flaw after flaw. At one point it had gotten so bad that the company halted all production and focused solely on boosting the security of its services.
Since then, Zoom plugged numerous holes, other communication and collaboration tools (such as Teams, for example) took some of the load off Zoom, and many firms had their employees return to the office.
Via: The Hacker News
