Four security flaws found in Zoom can be used to compromise another user through the chat feature by sending specially designed Extensible Messaging and Presence Protocol (XMPP) messages and executing malicious code over the chat.
The zero-click attack sequence, named “XMPP Stanza Smuggling”, could allow a user to spoof messages as if they came from another user, and attackers could send control messages that are received as if they came from the server. The four security vulnerabilities found are CVE-2022-22784 (Improper XML Parsing in Zoom Client for Meetings), CVE-2022-22785 (Improperly constrained session cookies in Zoom Client for Meetings), CVE-2022-22786 (Update package downgrade in Zoom Client for Meetings for Windows) and CVE-2022-22787 (Insufficient hostname validation during server switch in Zoom Client for Meetings).
How it works
The flaws make use of parsing mismatches between Zoom's client and server XML parsers to “smuggle” arbitrary XMPP stanzas to the victim client.
The attack chain can be used to hijack the software update procedure and force the client to connect to a man-in-the-middle server that offers up an older, less secure Zoom client.
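The update-hijack step above relies on two weaknesses named in the CVE list: insufficient hostname validation and acceptance of a downgraded package. The following added Python example (not Zoom's code; the trusted domain, function names and sample versions are constructed assumptions) shows a generic weak hostname check beside a strict one, plus an updater gate that refuses any package that is not newer than the installed one.

```python
import re

# Hypothetical trusted update domain, constructed for this example.
TRUSTED_DOMAIN = "updates.example.com"


def parse_version(text):
    """Turn '5.10.0' or '5.9.6 (4993)' into a 4-part tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad so that '5.10' and '5.10.0' compare as equal.
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def host_is_trusted_weak(host):
    # Weak (generic anti-pattern): a substring match accepts look-alike names.
    return TRUSTED_DOMAIN in host.lower()


def host_is_trusted(host):
    # Strict: exact name, or a subdomain matched on a label boundary.
    host = host.rstrip(".").lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def accept_update(installed, offered, host):
    """Return (ok, reason); reject untrusted hosts and non-newer packages."""
    if not host_is_trusted(host):
        return False, "untrusted host"
    # Numeric comparison: as plain strings, '5.9.6' would sort above '5.10.0'.
    if parse_version(offered) <= parse_version(installed):
        return False, "downgrade or same version"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample offers: (installed, offered, host)
    for offer in [("5.9.6", "5.10.0", "updates.example.com"),
                  ("5.10.0", "5.9.6 (4993)", "updates.example.com"),
                  ("5.9.6", "5.10.0", "updates.example.com.mirror.test")]:
        print(offer, "->", accept_update(*offer))
```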
Note: CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 are vulnerabilities that affect Android, iOS, Linux, macOS, and Windows.
Users should immediately update to the latest version of Zoom (version 5.10.0).
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
Lakshmanan, R. (2022, 25 May). New Zoom Flaws Could Let Attackers Hack Victims Just by Sending them a Message. Retrieved from The Hacker News.
Security Bulletin. (2022, 17 May). Retrieved from Zoom.