Zoom recommends users upgrade their Zoom client to version 5.10.0 to fix an XMPP vulnerability chain that could enable an attacker to execute remote code and compromise another user over Zoom chat.
The issue affects XMPP is a messaging protocol based on XML used by client messages to send over the same stream connection as control messages sent from the server.
Google Project Zero security researcher Ivan Fratric discovered a series of Zoom vulnerabilities when chained together could lead to malicious updates and remote code execution. To add, a malicious user can compromise a user over Zoom chat without any user interaction from the victim.
Frantic described the issue in a bug tracker post:
“Initial vulnerability (labeled XMPP Stanza Smuggling) abuses parsing inconsistencies between XML parsers on Zoom’s client and server in order to be able to ‘smuggle’ arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack. Finally, by intercepting/modifying client update requests/responses, the victim client downloads and executes a malicious update, resulting in arbitrary code execution. A client downgrade attack is utilized to bypass signature check on the update installer. This attack has been demonstrated against the latest (5.9.3) client running on Windows 64-bit, however some or all parts of the chain are likely applicable to other platforms.
Google Project Zero
The list of Zoom vulnerabilities fixed in Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) version 5.10.0 include:
- CVE-2022-22787: Insufficient hostname validation during server switch in Zoom Client for Meetings (Medium severity, CVSS 5.9)
- CVE-2022-22785: Improperly constrained session cookies in Zoom Client for Meetings (Medium severity, CVSS 5.9)
- CVE-2022-22784: Improper XML Parsing in Zoom Client for Meetings (High severity, CVSS 8.1).
Moreover, Zoom also addressed a High severity (CVSS 7.5) CVE-2022-22786, which affected Windows users. This vulnerability could allow an attacker to downgrade the Zoom client on Windows users.
The issue was fixed for Zoom Client for Meetings for Windows version 5.10.0 and Zoom Rooms for Conference Room for Windows version 5.10.0.
Readers can check out the Zoom Security Bulletin for the latest details on these vulnerabilities.