Unrated severity · NVD Advisory · Published Sep 27, 2021 · Updated Aug 4, 2024

CVE-2021-34415

Description

The Zone Controller service in the Zoom On-Premise Meeting Connector Controller before version 4.6.358.20210205 does not verify the cnt field sent in incoming network packets, which leads to exhaustion of resources and system crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Zone Controller service in Zoom On-Premise Meeting Connector Controller before 4.6.358.20210205 fails to validate the cnt field, enabling resource exhaustion and system crash.

Vulnerability

The Zone Controller service in the Zoom On-Premise Meeting Connector Controller before version 4.6.358.20210205 does not verify the cnt field sent in incoming network packets. This missing validation allows an attacker to send specially crafted packets that trigger uncontrolled resource consumption, leading to a denial-of-service condition. The vulnerability affects all versions prior to the fixed release.
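The class of check whose absence is described above, as an added example that is not Zoom's code or wire format. It assumes a hypothetical packet layout (a 4-byte big-endian `cnt` followed by `cnt` fixed-size records) and an assumed per-packet cap; all names are illustrative.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout (not Zoom's wire format):
 *   [cnt: u32 big-endian][cnt records of REC_SIZE bytes each] */
#define HDR_SIZE    4u
#define REC_SIZE    8u
#define MAX_RECORDS 1024u   /* assumed policy cap per packet */

enum { PARSE_OK = 0, ERR_SHORT = -1, ERR_CNT_LIMIT = -2,
       ERR_CNT_MISMATCH = -3, ERR_NOMEM = -4 };

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Copies the records out of pkt after validating cnt. On success *out
 * is a malloc'd buffer (NULL when cnt == 0) that the caller frees. */
int parse_records(const uint8_t *pkt, size_t len, uint8_t **out, uint32_t *out_cnt) {
    *out = NULL;
    *out_cnt = 0;
    if (len < HDR_SIZE)
        return ERR_SHORT;
    uint32_t cnt = read_be32(pkt);

    /* Check 1: policy cap, so one packet cannot demand unbounded work. */
    if (cnt > MAX_RECORDS)
        return ERR_CNT_LIMIT;
    /* Check 2: cnt must match the bytes actually received, so a sender
     * cannot claim more records than the payload carries. */
    if (cnt != (len - HDR_SIZE) / REC_SIZE || (len - HDR_SIZE) % REC_SIZE != 0)
        return ERR_CNT_MISMATCH;
    if (cnt == 0)
        return PARSE_OK;

    /* Only now is cnt used to size an allocation and a copy. */
    uint8_t *buf = malloc((size_t)cnt * REC_SIZE);
    if (buf == NULL)
        return ERR_NOMEM;
    memcpy(buf, pkt + HDR_SIZE, (size_t)cnt * REC_SIZE);
    *out = buf;
    *out_cnt = cnt;
    return PARSE_OK;
}
```

A parser that sizes its allocation or loop from `cnt` before these two checks lets a single small packet dictate how much memory or CPU the service spends.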

Exploitation

An attacker with network access to the Zone Controller service can send crafted network packets containing an invalid or malicious cnt field. No authentication or user interaction is required. The attacker simply needs to transmit these packets to the target service, which will process them without proper validation, causing the system to exhaust resources.

Impact

Successful exploitation results in resource exhaustion, leading to a system crash and denial of service. The confidentiality, integrity, and availability of the affected system are compromised, with availability being the primary impact. The attacker can cause the Meeting Connector Controller to become unresponsive, disrupting Zoom meetings that rely on the on-premise infrastructure.

Mitigation

The vulnerability is fixed in Zoom On-Premise Meeting Connector Controller version 4.6.358.20210205 and later. Zoom recommends updating to the latest version to obtain the fix [1]. No workarounds are documented; upgrading is the only known mitigation. The product is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
