Security News > 2022 > May > Zoom Patches ‘Zero-Click’ RCE Bug

Zoom Patches ‘Zero-Click’ RCE Bug
2022-05-25 13:02

Zoom patched a medium-severity flaw, advising Windows, macOS, iOS and Android users to update their client software to version 5.10.0.

The Google Project Zero security researcher Ivan Fratric noted in a report that an attacker can exploit a victim's machine over a zoom chat.

"User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol," Ivan explained.

This messaging protocol is used by Zoom for its chat functionality.

In a security bulletin published by Zoom, the CVE-2022-22786 affects the Windows users, while the other CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impacted Zoom client versions before 5.10.0 running on Android, iOS, Linux, macOS, and Windows systems.

The initial vulnerability described by Ivan as "XMPP stanza smuggling" abuses the parsing inconsistencies between XML parser in Zoom client and server software to "Smuggle" arbitrary XMPP stanzas to the victim machine.


News URL

https://threatpost.com/zoom-patches-zero-click-rce-bug/179727/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-05-18 CVE-2022-22787 Improper Certificate Validation vulnerability in Zoom Meetings
The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 fails to properly validate the hostname during a server switch request.
network
zoom CWE-295
6.0
6.0
2022-05-18 CVE-2022-22786 Download of Code Without Integrity Check vulnerability in Zoom Meetings and Rooms
The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process.
network
zoom CWE-494
6.8
6.8
2022-05-18 CVE-2022-22785 Reliance on Cookies without Validation and Integrity Checking vulnerability in Zoom Meetings
The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains.
network
low complexity
zoom CWE-565
6.4
6.4
2022-05-18 CVE-2022-22784 XML Injection (aka Blind XPath Injection) vulnerability in Zoom Meetings
The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages.
network
low complexity
zoom CWE-91
5.5
5.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zoom 52 4 50 57 9 120