Chaining Zoom bugs is possible to hack users in a chat by sending them a message

Security flaws in Zoom can be exploited to compromise another user over chat by sending specially crafted messages.

A set of four security flaws in the popular video conferencing service Zoom could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages.Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google Project Zero has been credited with discovering and reporting all the four flaws in February 2022.

The vulnerabilities, now addressed by the company, are:

• CVE-2022-22784 – Improper XML Parsing in Zoom Client for Meetings
• CVE-2022-22785 – Improperly constrained session cookies in Zoom Client for Meetings
• CVE-2022-22786 – Update package downgrade in Zoom Client for Meetings for Windows
• CVE-2022-22787 – Insufficient hostname validation during server switch in Zoom Client for Meetings

The most severe flaw addressed by Zoom is CVE-2022-22784 (CVSS score: 8.1), it is an Improper XML Parsing in Zoom Client for Meetings.

A threat actor can exploit the flaw to break out of the current XMPP message context and create a new message context to have the receiving user’s client perform a variety of actions.

“This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving user’s client perform a variety of actions. This issue could be used in a more sophisticated attack to forge XMPP messages from the server.” reads the advisory.

Chaining the above vulnerabilities, an attacker can trick a vulnerable client into connecting to a rogue server, potentially leading to arbitrary code execution due to an update package downgrade in Zoom Client for Windows that could allow the installation of a less secure version.

“The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version.” reads the advisory for the CVE-2022-22786 issue.

Zoom users are recommended to install the latest version (5.10.0) that addresses the above vulnerabilities.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, video conferencing service)

[adrotate banner=”5″]

[adrotate banner=”13″]