Zoom Safeguards Users: Resolving Four Critical Security Flaws Exploitable Through Chat


In a recent development, the widely used video conferencing platform Zoom has patched four security vulnerabilities that could lead to compromise through the platform's chat feature. The vulnerabilities, tracked as CVE-2022-22784 through CVE-2022-22787, were discovered by Ivan Fratric of Google Project Zero in February 2022 and range in severity score from 5.9 to 8.1.

The identified vulnerabilities and their corresponding Common Vulnerability Scoring System (CVSS) scores are as follows:

  1. CVE-2022-22784 (CVSS score: 8.1) - Improper XML Parsing in Zoom Client for Meetings
  2. CVE-2022-22785 (CVSS score: 5.9) - Improperly constrained session cookies in Zoom Client for Meetings
  3. CVE-2022-22786 (CVSS score: 7.5) - Update package downgrade in Zoom Client for Meetings for Windows
  4. CVE-2022-22787 (CVSS score: 5.9) - Insufficient hostname validation during server switch in Zoom Client for Meetings

The attack relies on parsing inconsistencies between the XML parsers in Zoom's client and server, a technique that has been termed "XMPP Stanza Smuggling." It allowed an attacker to impersonate a Zoom user, cause the client to connect to a malicious server, and potentially have it download a rogue update, resulting in arbitrary code execution through a downgrade attack.

Ivan Fratric highlighted the severity of the vulnerabilities, describing the attack sequence as a "zero-click" scenario. In this context, he explained that "one user might be able to spoof messages as if coming from another user," and an attacker could send control messages accepted as if originating from the server.

The core of the issue lay in exploiting parsing inconsistencies between the XML parsers in Zoom's client and server to "smuggle" arbitrary XMPP stanzas. Stanzas, the basic units of communication in XMPP, could be manipulated to hijack the software update mechanism, forcing the client to connect to a man-in-the-middle server that serves an outdated and less secure version of the Zoom client.

While the Windows version was specifically susceptible to the downgrade attack, CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 affected Zoom clients across Android, iOS, Linux, macOS, and Windows.
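
The last two links of the chain described above depend on two client-side checks being too weak: validation of the update server's hostname and refusal to install an older package. The sketch below is an added example, not Zoom's code and not part of the original article; the trusted domain `example.com`, the function names and the sample offers are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist; the article does not name Zoom's real update hosts.
TRUSTED_DOMAINS = ("example.com",)


def parse_version(text):
    """Turn '5.10.0' into (5, 10, 0); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(p) for p in parts)


def host_is_trusted(url):
    """Require https and a host equal to, or a subdomain of, a trusted domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https" or not host:
        return False
    # Compare on a label boundary so 'evilexample.com' does not pass.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def accept_update(installed, offered, url):
    """Return (ok, reason) for an update offer.

    Package signature verification is a separate check and is not shown here.
    """
    if not host_is_trusted(url):
        return False, "untrusted update host"
    try:
        # Tuples compare numerically; as strings, '5.9.9' > '5.10.0'.
        if parse_version(offered) <= parse_version(installed):
            return False, "downgrade refused"
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


# Constructed offers: (installed, offered, url)
OFFERS = [
    ("5.10.0", "5.10.1", "https://update.example.com/pkg"),
    ("5.10.0", "5.9.9", "https://update.example.com/pkg"),
    ("5.10.0", "5.10.1", "https://update.example.com.attacker.test/pkg"),
    ("5.10.0", "5.10.1", "https://update.example.com@attacker.test/pkg"),
]

if __name__ == "__main__":
    for installed, offered, url in OFFERS:
        print(offered, url, accept_update(installed, offered, url))
```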

Notably, these patches follow Zoom's recent resolution of two high-severity flaws (CVE-2022-22782 and CVE-2022-22783) that could lead to local privilege escalation and exposure of memory content in its on-premise Meeting services. Additionally, a downgrade attack (CVE-2022-22781) in Zoom's macOS app was addressed in the same timeframe.

To ensure user security, Zoom strongly recommends that all users update their application to the latest version (5.10.0), mitigating potential threats that may arise from the active exploitation of these vulnerabilities. This swift response underscores Zoom's commitment to user safety and ongoing efforts to fortify its platform against emerging security risks.
