Description
Four security flaws found in Zoom can be used to compromise another user through the chat feature, by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and executing malicious code over the chat.
Summary
The zero-click attack sequence, named “XMPP Stanza Smuggling”, could allow a user to spoof messages as if they came from another user, and attackers could also send control messages that will be received as if they came from the server. The four security vulnerabilities found are CVE-2022-22784 (Improper XML Parsing in Zoom Client for Meetings), CVE-2022-22785 (Improperly constrained session cookies in Zoom Client for Meetings), CVE-2022-22786 (Update package downgrade in Zoom Client for Meetings for Windows) and CVE-2022-22787 (Insufficient hostname validation during server switch in Zoom Client for Meetings).
How it works
The flaws make use of parsing mismatches between Zoom's client and server XML parsers to “smuggle” arbitrary XMPP stanzas to the victim client.
The attack chain can be used to hijack the software update procedure and force the client to connect to a man-in-the-middle server that offers up an older, less secure Zoom client.
Note: CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 are vulnerabilities that affect Android, iOS, Linux, macOS, and Windows.
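The final step of the chain described above depends on the client accepting an update from a server it should not trust and installing an older package. The following Python guard is an added example, not Zoom's code and not part of the original alert, showing the two checks an updater can apply: label-boundary hostname matching and numeric anti-downgrade comparison. The host names are constructed placeholders and all function names are hypothetical.

```python
# Added example: update-acceptance guard (hypothetical names, constructed values).
import re

# Assumption: hosts the client may fetch updates from (placeholders, not real Zoom hosts).
ALLOWED_UPDATE_HOSTS = {"updates.example.com"}
ALLOWED_SUFFIXES = (".updates.example.com",)


def parse_version(text):
    """Turn '5.10.0' into (5, 10, 0); reject anything that is not dotted integers."""
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def host_is_trusted(host):
    """Exact match or a label-boundary suffix match; never a substring test."""
    host = host.rstrip(".").lower()
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host):
        return False
    return host in ALLOWED_UPDATE_HOSTS or host.endswith(ALLOWED_SUFFIXES)


def accept_update(installed, offered, host):
    """Return (ok, reason). Refuses untrusted hosts and any non-newer package."""
    if not host_is_trusted(host):
        return False, "untrusted host"
    try:
        cur, new = parse_version(installed), parse_version(offered)
    except ValueError:
        return False, "malformed version"
    # Pad so that 5.10 and 5.10.0 compare as equal.
    width = max(len(cur), len(new))
    cur += (0,) * (width - len(cur))
    new += (0,) * (width - len(new))
    # Compare as integers: as strings, "5.9.6" would sort above "5.10.0".
    if new <= cur:
        return False, "downgrade or same version"
    return True, "ok"


if __name__ == "__main__":
    cases = [  # constructed inputs
        ("5.9.6", "5.10.0", "updates.example.com"),
        ("5.10.0", "5.9.6", "updates.example.com"),
        ("5.9.6", "5.10.0", "updates.example.com.attacker.test"),
    ]
    for case in cases:
        print(case, accept_update(*case))
```

These checks complement signature verification of the downloaded package; they do not replace it.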
Recommendations
Users should immediately update to the latest version of Zoom (version 5.10.0).
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.