Zoom Patches ‘Zero-Click’ RCE Bug

1 month ago

The Google Project Zero researcher found a bug in XML parsing on the Zoom client and server.

Zoom patched a medium-severity flaw, advising Windows, macOS, iOS and Android users to update their client software to version 5.10.0.

The Google Project Zero security researcher Ivan Fratric noted in a report that an attacker can exploit a victim’s device over a Zoom chat. The bug, tracked as CVE-2022-22787, has a CVSS severity rating of 5.9.

“User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Ivan explained.

So-called zero-click attacks do not require users to take any action and are especially potent, given that even the most tech-savvy users can fall prey to them.

XMPP stands for Extensible Messaging Presence Protocol and is used to send XML elements called stanzas over a stream connection to exchange messages and presence information in real time. Zoom uses this messaging protocol for its chat functionality.

According to a security bulletin published by Zoom, CVE-2022-22786 (CVSS score 7.5) affects Windows users, while the others, CVE-2022-22784, CVE-2022-22785 and CVE-2022-22787, affect Zoom client versions before 5.10.0 running on Android, iOS, Linux, macOS and Windows systems.

How the Bug Works

The initial vulnerability, described by Ivan as “XMPP stanza smuggling”, abuses parsing inconsistencies between the XML parsers in the Zoom client and server software to “smuggle” arbitrary XMPP stanzas to the victim’s machine.

An attacker sending a specially crafted control stanza can force the victim client to connect to a malicious server, leading to a variety of attacks ranging from spoofing messages to sending control messages.

Ivan noted that “the most impactful vector” in the XMPP stanza smuggling vulnerability is an exploit of “ClusterSwitch task in the Zoom client, with an attacker-controlled “web domain” as a parameter”.
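
One defensive pattern against the client/server parser mismatch described above, as an added example (not Zoom's code and not its actual fix): the server validates each inbound stanza strictly and forwards only its own re-serialization, so the recipient never parses the sender's raw bytes. The function names, the rejection rules and the `example.test` address are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

STANZA_KINDS = {"message", "presence", "iq"}   # top-level XMPP stanza names
# Comments, processing instructions and DTDs are prohibited in XMPP (RFC 6120).
# Matching on the raw markers is deliberately stricter than needed.
FORBIDDEN = ("<!--", "<?", "<!DOCTYPE")


class StanzaRejected(ValueError):
    """Input that must not be forwarded to the recipient."""


def _is_xml_char(cp: int) -> bool:
    # XML 1.0 "Char" production: the only code points a document may contain.
    return (cp in (0x09, 0x0A, 0x0D) or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD or 0x10000 <= cp <= 0x10FFFF)


def canonicalize_stanza(raw: bytes) -> bytes:
    """Return the server's own serialization of one stanza, or raise."""
    try:
        text = raw.decode("utf-8", errors="strict")   # no lenient decoding
    except UnicodeDecodeError as exc:
        raise StanzaRejected("not valid UTF-8") from exc
    if not all(_is_xml_char(ord(ch)) for ch in text):
        raise StanzaRejected("code point outside the XML 1.0 Char range")
    if any(marker in text for marker in FORBIDDEN):
        raise StanzaRejected("comment, PI or DTD is not allowed in XMPP")
    try:
        root = ET.fromstring(text)   # fails on a second top-level element
    except ET.ParseError as exc:
        raise StanzaRejected(f"not well-formed: {exc}") from exc
    if root.tag.rsplit("}", 1)[-1] not in STANZA_KINDS:
        raise StanzaRejected(f"unexpected top-level element {root.tag!r}")
    # Forward what the server parsed, never the sender's original bytes.
    return ET.tostring(root, encoding="unicode").encode("utf-8")


def is_forwardable(raw: bytes) -> bool:
    try:
        canonicalize_stanza(raw)
        return True
    except StanzaRejected:
        return False


if __name__ == "__main__":
    # Constructed sample input; example.test is a placeholder domain.
    sample = b"<message to='user@example.test'><body>hi</body></message>"
    print(canonicalize_stanza(sample).decode())
```

Re-serializing means that any input the server's parser accepts reaches the client in one normalized form, which removes the raw-byte ambiguity that a second, differently behaving parser could interpret as extra stanzas.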