Researchers have discovered a flaw in Zoom and AudioCodes products which could allow threat actors to listen in on video conferencing calls, hijack vulnerable endpoints, and even deliver more devastating malware such as infostealers or ransomware.
Security expert Moritz Abrell from SySS was the one who found flaws in AudioCodes desk phones and Zoom's Zero Touch Provisioning (ZTP) features, which allows admins to configure VoIP devices in a centralized manner.
The provisioning process was flawed, though - so when the tool tries to grab configuration files from the ZTP service, it does so without any client-side authentication mechanism, which the attackers could abuse to drop malware from a rogue server.
Taking over devices
Furthermore, there was another improper authentication issue, this time in the cryptographic routines in AudioCodes’ VoIP desk phones, which crooks could use to decrypt sensitive information. Combine these two flaws, and you get an exploit chain that grants attackers full access to the vulnerable devices.
"When combined, these vulnerabilities can be used to remotely take over arbitrary devices. As this attack is highly scalable, it poses a significant security risk," Abrell said.
Three years ago, at the early days of the Covid-19 pandemic, Zoom was one of the most-used applications out there, resulting in an enormous spike in popularity. As a result, hackers dug deep into the program’s code, finding flaw after flaw. At one point it had gotten so bad that the company halted all production and focused solely on boosting the security of its services.
Since then, Zoom plugged numerous holes, other communication and collaboration tools (such as Teams, for example) took some of the load off Zoom, and many firms had their employees return to the office.
- These are the best endpoint protection solutions around
Via: The Hacker News
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
AMD new Instinct MI300A is the most powerful APU ever with 24 Zen 4 cores and an ultra-powerful GPU that matches Nvidia's best — it is shipping today and could be the biggest threat yet to Nvidia H100's hegemony
Microsoft wants to help macOS users finally conquer their most annoying printing problem for good