Zoom has patched four security flaws that allow one chat user to compromise another by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages, ultimately leading to the execution of malicious code on the victim's machine.
The vulnerabilities are tracked as CVE-2022-22784, CVE-2022-22785, CVE-2022-22786, and CVE-2022-22787. The vulnerabilities were disclosed by Ivan Fratric of Google’s Project Zero team in February 2022.
Zoom is one of the most widely used meeting apps in the world. It provides video communication solutions with a cloud platform for video and audio conferencing, chats, and webinars across mobile, desktop, and room systems.
Zoom’s chat functionality is based on the XMPP protocol, which makes these vulnerabilities a matter of concern for the vendor as well as for the user. Successful exploitation of these vulnerabilities could allow an attacker to force a vulnerable client to impersonate a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution via a downgrade attack.
CVE-2022-22784 - Improper XML Parsing in Zoom Client for Meetings
Due to this vulnerability, Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) versions prior to 5.10.0 does not properly parse XML stanzas in XMPP messages. A malicious user can break out of the current XMPP message context and create a new message context, causing the receiving user's client to perform various actions. An attacker can use this flaw to forge XMPP messages that appear to come from the server.
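To illustrate the bug class behind this flaw (remote-controlled text being interpreted as XML structure rather than as data), here is an added example that is not Zoom's code; the stanza layout and the body string are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: message text chosen by a remote chat participant.
# It contains XML markup that a correct client must treat as plain text.
UNTRUSTED_BODY = "hi</body></message><message from='server' type='x'><body>forged"


def naive_wrap(body: str) -> str:
    """Vulnerable pattern: the stanza is assembled by string concatenation,
    so any markup inside the body becomes part of the XML structure."""
    return "<message from='alice'><body>" + body + "</body></message>"


def safe_wrap(body: str) -> str:
    """Hardened pattern: the body is assigned as element text, so the XML
    serializer escapes '<', '>' and '&' and the markup stays inert."""
    msg = ET.Element("message", {"from": "alice"})
    ET.SubElement(msg, "body").text = body
    return ET.tostring(msg, encoding="unicode")


def extract_messages(xml_fragment: str) -> list[tuple[str, str]]:
    """Parse the fragment inside a synthetic stream root and return the
    (sender, body) pairs a receiving client would act on."""
    root = ET.fromstring("<stream>" + xml_fragment + "</stream>")
    return [(m.get("from", ""), m.findtext("body", "")) for m in root.findall("message")]


def count_message_stanzas(xml_fragment: str) -> int:
    """Number of top-level <message> stanzas the receiver sees."""
    return len(extract_messages(xml_fragment))


if __name__ == "__main__":
    # The naive client sees two stanzas, one of them claiming to be from
    # the server; the hardened client sees exactly one, with the markup
    # preserved verbatim as text.
    print(extract_messages(naive_wrap(UNTRUSTED_BODY)))
    print(extract_messages(safe_wrap(UNTRUSTED_BODY)))
```
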
CVE-2022-22785 - Improperly constrained session cookies in Zoom Client for Meetings
Due to this vulnerability, Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) with versions prior to 5.10.0 fails to constrain client session cookies to Zoom domains. An attacker can use this flaw to send a user’s Zoom-scoped session cookies to a non-Zoom domain allowing for spoofing.
CVE-2022-22786 - Update Package Downgrade in Zoom Client for Meetings for Windows
Due to this vulnerability, Zoom Client for Meetings for Windows and Zoom Rooms for Conference Room for Windows versions prior to 5.10.0 fail to check the installation version during the update process. An attacker can use this flaw to trick a user into downgrading their Zoom client to a less secure version.
CVE-2022-22787 - Insufficient hostname validation during server switch in Zoom Client for Meetings
Due to this vulnerability, Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) versions prior to 5.10.0 fails to validate the hostname during a server switch request. An attacker can use this flaw to trick an unsuspecting user's client into connecting to a malicious server when the user attempts to use Zoom services.
- All Zoom Client for Meetings for Windows versions prior to 5.10.0
- All Zoom Rooms for Conference Room for Windows versions prior to 5.10.0
Customers are advised to upgrade to Zoom Client and Zoom Rooms version 5.10.0 or later. Users can download the latest Zoom software with all current security updates from https://zoom.us/download. For more information, please refer to the Zoom Security Advisory.
Qualys customers can scan their devices with QIDs 376638 and 376640 to detect vulnerable assets.
Continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.