Video conferencing provider Zoom has patched several holes in its software that a bad actor could exploit to push malicious code to a victim's device through chat messages.
To protect against this remote-code-execution vulnerability, Zoom users should update to version 5.10.0, which patches several flaws found by Google Project Zero security researcher Ivan Fratric.
“User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Fratric said in a bug tracking report.
The bug, tracked as CVE-2022-22787, has a CVSS severity score of 5.9 out of 10, making it a medium-severity vulnerability. It affects Zoom Client for Meetings on macOS, iOS, Android and Windows before version 5.10.0.
As a result, malicious code such as malware or spyware could be installed through the vulnerable Zoom client by anyone able to send it chat messages.
To get around these mitigations, Fratric performed a downgrade attack by serving an old version of the Zoom client from mid-2019.
“The installer for this version is still properly signed, however, it does not do any security checks on the .cab file,” said Fratric.
“To demonstrate the impact of the attack, I replaced Zoom.exe in the .cab with a binary that just opens Windows Calculator app and observed Calculator being opened after the ‘update’ was installed,” Fratric added.
Zoom's security bulletin states that the Zoom Client for Meetings…before version 5.10.0 fails to properly validate the hostname during a server switch request.
Google's Fratric identified the holes and reported them to Zoom back in February. Fratric stated in a report that no user interaction is required to carry out an attack, which he described as "XMPP stanza smuggling".
“The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” points out Fratric.
XMPP is a messaging protocol based on XML. In XMPP, short snippets of XML (called stanzas) are sent over a stream connection. Client messages are sent over the same stream connection as control messages from the server.
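Two defensive checks follow from the points above: a client must split the shared stream into stanzas with a single, strict XML parser so that chat text is never mistaken for a server control stanza, and any server-switch request it does accept must have its hostname validated properly. The following Python is an added example, not Zoom's code or Fratric's proof of concept; the `<switch>` element, its `urn:x-hypothetical:switch` namespace, the `example.com` domain and the sample stream are all constructed here for illustration, and the real Zoom server-switch stanza format is not described on this page.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample stream fragment (not captured from Zoom). A chat message,
# a hypothetical server-switch request, and a chat message whose body merely
# *contains* escaped stanza-like text share one stream, as in XMPP.
SAMPLE_STREAM = (
    '<stream:stream xmlns="jabber:client" '
    'xmlns:stream="http://etherx.jabber.org/streams">'
    '<message from="alice@example.com" to="bob@example.com"><body>hi</body></message>'
    '<iq type="set" id="1"><switch xmlns="urn:x-hypothetical:switch" host="chat.example.com"/></iq>'
    '<message from="mallory@example.com" to="bob@example.com">'
    '<body>&lt;iq type="set"&gt;...&lt;/iq&gt;</body></message>'
    '</stream:stream>'
)


def localname(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def split_stanzas(stream_xml):
    """Return (localname, element) for each top-level stanza in a stream fragment.

    One strict parser decides stanza boundaries; escaped markup inside a <body>
    stays text and can never become a second, 'smuggled' stanza.
    """
    parser = ET.XMLPullParser(events=("start", "end"))
    parser.feed(stream_xml)
    depth = 0
    stanzas = []
    for event, elem in parser.read_events():
        if event == "start":
            depth += 1
        else:
            depth -= 1
            if depth == 1:  # the element just closed is a direct child of <stream:stream>
                stanzas.append((localname(elem.tag), elem))
    return stanzas


def naive_hostname_check(host, allowed_domain="example.com"):
    """The weak form: a substring test that 'example.com.evil.net' also passes."""
    return allowed_domain in host


def hostname_allowed(host, allowed_domain="example.com"):
    """Accept exactly allowed_domain or a subdomain of it; reject IP literals,
    ports, userinfo, paths and suffix/substring look-alikes."""
    host = host.strip().lower().rstrip(".")
    if not host or any(c in host for c in "/:@"):
        return False
    try:
        ipaddress.ip_address(host)  # an IP literal is never a trusted server name
        return False
    except ValueError:
        pass
    return host == allowed_domain or host.endswith("." + allowed_domain)


def audit_switch_requests(stream_xml, allowed_domain="example.com"):
    """Return (host, allowed?) for every hypothetical server-switch request in the stream."""
    results = []
    for name, elem in split_stanzas(stream_xml):
        if name != "iq":
            continue  # only <iq> stanzas may carry control requests
        for child in elem:
            if localname(child.tag) == "switch" and child.get("host") is not None:
                host = child.get("host")
                results.append((host, hostname_allowed(host, allowed_domain)))
    return results


if __name__ == "__main__":
    for name, _ in split_stanzas(SAMPLE_STREAM):
        print("stanza:", name)
    print("switch requests:", audit_switch_requests(SAMPLE_STREAM))
    for candidate in ("chat.example.com", "example.com.evil.net", "10.0.0.1"):
        print(candidate, "naive:", naive_hostname_check(candidate),
              "strict:", hostname_allowed(candidate))
```

Running the block shows three stanzas (message, iq, message), one switch request to `chat.example.com` that passes, and the difference between the substring test and the strict suffix test on `example.com.evil.net`. The strict check is what "properly validate the hostname" means in practice: an exact or subdomain match against the configured domain, after rejecting anything that is not a bare hostname.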