The popular video conferencing service, Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages.
A set of vulnerabilities has been tracked as CVE-2022-22784 through CVE-2022-22787.
These vulnerabilities have been 5.9 and 8.1in severity respectively. Security researcher Ivan Fratric of Google Project Zero has been credited with discovering and reporting all the four critical flaws
The list of bugs is as follows -
CVE-2022-22784 (CVSS score: 8.1) - Improper XML Parsing in Zoom Client for Meetings
CVE-2022-22785 (CVSS score: 5.9) - Improperly constrained session cookies in Zoom Client for Meetings
CVE-2022-22786 (CVSS score: 7.5) - Update package downgrade in Zoom Client for Meetings for Windows
CVE-2022-22787 (CVSS score: 5.9) - Insufficient hostname validation during server switch in Zoom Client for Meetings
With Zoom's chat functionality built on top of the XMPP standard, successful exploitation of the issues could enable an attacker to force a vulnerable client to masquerade as a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.
Fratric dubbed the zero-click attack sequence as a case of "XMPP Stanza Smuggling," adding "one user might be able to spoof messages as if coming from another user" and that "an attacker can send control messages which will be accepted as if coming from the server."
At its core, the issues take advantage of parsing inconsistencies between XML parsers in Zoom's client and server to "smuggle" arbitrary XMPP stanzas — a basic unit of communication in XMPP — to the victim client.
Specifically, the exploit chain can be weaponized to hijack the software update mechanism and make the client connect to a man-in-the-middle server that serves up an old, less secure version of the Zoom client.
While the downgrade attack singles out the Windows version of the app, CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impact Android, iOS, Linux, macOS, and Windows.
The patches arrive less than a month after Zoom addressed two high-severity flaws (CVE-2022-22782 and CVE-2022-22783) that could lead to local privilege escalation and exposure of memory contents in its on-premise Meeting services. Also fixed was another instance of a downgrade attack (CVE-2022-22781) in Zoom's macOS app.
Users of the application are recommended to update to the latest version (5.10.0) to mitigate any potential threats arising out of active exploitation of the flaws.
Zoom has an extremely good platform and they are one of the few billion-dollar companies that have managed to keep their customer base safe from hackers. Their platform is made with a lot of care, but technology can be so dynamic that even the best companies can suffer breaches due to some bugs in code.