Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.
Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google Project Zero has been credited with discovering and reporting all the four flaws in February 2022.
The list of bugs is as follows -
- CVE-2022-22784 (CVSS score: 8.1) - Improper XML Parsing in Zoom Client for Meetings
- CVE-2022-22785 (CVSS score: 5.9) - Improperly constrained session cookies in Zoom Client for Meetings
- CVE-2022-22786 (CVSS score: 7.5) - Update package downgrade in Zoom Client for Meetings for Windows
- CVE-2022-22787 (CVSS score: 5.9) - Insufficient hostname validation during server switch in Zoom Client for Meetings
With Zoom's chat functionality built on top of the XMPP standard, successful exploitation of the issues could enable an attacker to force a vulnerable client to masquerade a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.
Fratric dubbed the zero-click attack sequence as a case of "XMPP Stanza Smuggling," adding "one user might be able to spoof messages as if coming from another user" and that "an attacker can send control messages which will be accepted as if coming from the server."
At its core, the issues take advantage of parsing inconsistencies between XML parsers in Zoom's client and server to "smuggle" arbitrary XMPP stanzas — a basic unit of communication in XMPP — to the victim client.
Specifically, the exploit chain can be weaponized to hijack the software update mechanism and make the client connect to a man-in-the-middle server that serves up an old, less secure version of the Zoom client.
While the downgrade attack singles out the Windows version of the app, CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impact Android, iOS, Linux, macOS, and Windows.
The patches arrive less than a month after Zoom addressed two high-severity flaws (CVE-2022-22782 and CVE-2022-22783) that could lead to local privilege escalation and exposure of memory contents in its on-premise Meeting services. Also fixed was another instance of a downgrade attack (CVE-2022-22781) in Zoom's macOS app.
Users of the application are recommended to update to the latest version (5.10.0) to mitigate any potential threats arising out of active exploitation of the flaws.