Pierluigi Paganini August 17, 2022

Zoom addressed two high-severity vulnerabilities in its macOS app that were disclosed at the DEF CON conference.

Zoom last week released macOS updates to fix two high-severity flaws in its macOS app that were disclosed at the DEF CON conference. Technical details of the vulnerabilities were disclosed at the DEF CON conference by security researcher Patrick Wardle during its talk “You’re M̶u̶t̶e̶d̶ Rooted.”

In his talk, the expert explored Zoom’s macOS application to uncover several critical security flaws that can be exploited by a local unprivileged attacker to achieve root access to the device.

Wardle demonstrated that an attacker could hijack the update mechanism to downgrade the software to an older version that is known to be affected by vulnerabilities.

The experts pointed out that macOS users are not prompted for their admin password when Zoom is updated, because the auto-update feature is enabled by default.

Zoom informed customers last week that macOS updates for the Zoom application patch two high-severity vulnerabilities. Details of the flaws were disclosed on Friday at the DEF CON conference in Las Vegas by macOS security researcher Patrick Wardle.

Wardle, who is the founder of the Objective-See Foundation, a non-profit that provides free and open source macOS security resources, showed at DEF CON how a local, unprivileged attacker could exploit vulnerabilities in Zoom’s update process to escalate privileges to root.

“In this talk, we’ll explore Zoom’s macOS application to uncover several critical security flaws. Flaws, that provided a local unprivileged attacker a direct and reliable path to root.” Wardle explained. The first flaw, presents itself subtly in a core cryptographic validation routine, while the second is due to a nuanced trust issue between Zoom’s client and its privileged helper component.”

Wardle demonstrated that a local attacker abusing the auto-update process and leveraging a cryptographic issue related to insecure update package signature validation can install an update package.

Zoom addressed some related vulnerabilities in the past months, but Wardle explained that he was still able to exploit them in his attack. The day after the talk, the company released Client for Meetings for macOS 5.11.5 that fix the auto-update process vulnerability (CVE-2022-28756). The company also announced Version 5.11.3 which addresses the packet signature validation issue (CVE-2022-28751).

Zoom also addressed other critical and high-severity vulnerabilities:

• CVE-2022-28753, CVE-2022-28754: Zoom On-Premise Deployments: Improper Access Control Vulnerability (HIGH)
• CVE-2022-28755: Improper URL parsing in Zoom Clients (CRITICAL)
• CVE-2022-28752: Local Privilege Escalation in the Zoom Rooms for Windows Client (HIGH)
• CVE-2022-28750: Zoom On-Premise Deployments: Stack Buffer Overflow in Meeting Connector (HIGH)

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, macOS)

[adrotate banner=”5″]

[adrotate banner=”13″]