Zoom, the videoconferencing platform that has become a staple for connection and communication since the onset of COVID-19, has revealed four recent security vulnerabilities.
The vulnerabilities could be exploited to compromise users over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and executing malicious code.
The four vulnerabilities, ranging from 5.9 to 8.1 in severity, were discovered by Ivan Fratric, Google Project Zero. Fratric tracked the flaws from CVE-2022-22784 through CVE-2022-22787 and subsequently reported them in February 2022.
The bugs include:
- CVE-2022-22784 (CVSS score: 8.1): Improper XML Parsing in Zoom Client for Meetings
- CVE-2022-22785 (CVSS score: 5.9): Improperly constrained session cookies in Zoom Client for Meetings
- CVE-2022-22786 (CVSS score: 7.5): Update package downgrade in Zoom Client for Meetings for Windows
- CVE-2022-22787 (CVSS score: 5.9): Insufficient hostname validation during server switch in Zoom Client for Meetings
XMPP is the standard upon which Zoom’s chat feature is built. A cyber-attacker can pose as a regular user through exploitation of the aforementioned vulnerabilities. In turn, the individual can connect to a suspicious server and download an update, resulting in arbitrary code execution stemming from a downgrade attack.
In the report, Fratric writes: “Initial vulnerability (labeled XMPP Stanza Smuggling) abuses parsing inconsistencies between XML parsers on Zoom's client and server in order to be able to ‘smuggle’ arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack.”
The issue at the core of these vulnerabilities is the ability of a cyber-attacker to find inconsistencies between XML parsers in the software’s client and server. When this happens, XMPP stanzas can be sent to the victim of the attack. This allows hackers to take advantage of software updates, weaponizing the process and delivering an outdated, less secure version of Zoom to prospective targets through a malicious server.
David Mahdi, chief strategy officer and CISO advisor at Sectigo, commented on these forms of social hacks and offers advice on how to avoid becoming a victim:
“As a form of social engineering, attacks like this can be incredibly hard to prevent, with attackers using incredibly savvy methods to trick users into doing 'the wrong thing', such as clicking a bad link that will download malware. Attackers are now deploying a growing variety of tactics, such as supply chain attacks and social engineering, to target organizational issues inherent with hybrid work, human error, and shadow IT.
“Multi-factor authentication (MFA), when correctly deployed, can mitigate cyber-criminal attacks from using stolen credentials to access devices or networks in the case of a phishing attack. This approach is critical to any business, or individual consumers, as a means to decrease the chances of becoming victim to identity-first cyber-attacks.”
Microsoft systems with Zoom are the most susceptible to these vulnerabilities. However, Android, iOS, macOS and Linux are all vulnerable to CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787. Zoom advises downloading the latest version of the app (5.10.0).