New Zoom Flaws Could Let Attackers Hack Victims Just by Sending them a Message

Zoom hacking

Popular video conferencing service Zoom has resolved[1]
as many as four security vulnerabilities, which could be exploited
to compromise another user over chat by sending specially crafted
Extensible Messaging and Presence Protocol (XMPP[2]) messages and execute
malicious code.

Tracked from CVE-2022-22784 through CVE-2022-22787, the issues
range between 5.9 and 8.1 in severity. Ivan Fratric of Google
Project Zero has been credited with discovering and reporting all
the four flaws in February 2022.

CyberSecurity

The list of bugs is as follows –

  • CVE-2022-22784 (CVSS score: 8.1) – Improper
    XML Parsing in Zoom Client for Meetings
  • CVE-2022-22785 (CVSS score: 5.9) – Improperly
    constrained session cookies in Zoom Client for Meetings
  • CVE-2022-22786 (CVSS score: 7.5) – Update
    package downgrade in Zoom Client for Meetings for Windows
  • CVE-2022-22787 (CVSS score: 5.9) –
    Insufficient hostname validation during server switch in Zoom
    Client for Meetings

With Zoom’s chat functionality built on top of the XMPP
standard, successful exploitation of the issues could enable an
attacker to force a vulnerable client to masquerade a Zoom user,
connect to a malicious server, and even download a rogue update,
resulting in arbitrary code execution stemming from a downgrade attack[3].

Fratric dubbed the zero-click attack sequence as a case of
XMPP Stanza Smuggling[4],” adding “one user might
be able to spoof messages as if coming from another user” and that
“an attacker can send control messages which will be accepted as if
coming from the server.”

At its core, the issues take advantage of parsing
inconsistencies between XML parsers in Zoom’s client and server to
“smuggle” arbitrary XMPP stanzas[5]
— a basic unit of communication in XMPP — to the victim client.

CyberSecurity

Specifically, the exploit chain can be weaponized to hijack the
software update mechanism and make the client connect to a
man-in-the-middle server that serves up an old, less secure version
of the Zoom client.

While the downgrade attack singles out the Windows version of
the app, CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impact
Android, iOS, Linux, macOS, and Windows.

The patches arrive less than a month after Zoom addressed two
high-severity flaws (CVE-2022-22782 and CVE-2022-22783) that could
lead to local privilege escalation and exposure of memory content
in its on-premise Meeting services. Also fixed was another instance
of a downgrade attack (CVE-2022-22781) in Zoom’s macOS app.

Users of the application are recommended to update to the latest
version (5.10.0) to mitigate any potential threats arising out of
active exploitation of the flaws.

References

  1. ^
    resolved
    (explore.zoom.us)
  2. ^
    XMPP
    (en.wikipedia.org)
  3. ^
    downgrade attack
    (en.wikipedia.org)
  4. ^
    XMPP
    Stanza Smuggling
    (bugs.chromium.org)
  5. ^
    XMPP
    stanzas
    (xmpp.org)

Read more

Leave a Reply