Patch now: Zoom chat messages can infect PCs, Macs, phones with malware
Google Project Zero blows lid off bug involving that old chestnut: XML parsing
Zoom has fixed a security flaw in its video-conferencing software that a miscreant could exploit with chat messages to potentially execute malicious code on a victim's device.
The bug, tracked as CVE-2022-22787, received a CVSS severity score of 5.9 out of 10, making it a medium-severity vulnerability. It affects Zoom Client for Meetings running on Android, iOS, Linux, macOS and Windows systems before version 5.10.0, and users should download the latest version of the software to protect against this arbitrary remote-code-execution vulnerability.
The upshot is that someone who can send you chat messages could cause your vulnerable Zoom client app to install malicious code, such as malware and spyware, from an arbitrary server. Exploiting this is a bit involved, so crooks may not jump on it, but you should still update your app.
As Zoom explained in a security bulletin, these earlier software versions fail "to properly validate the hostname during a server switch request."
Google's Project Zero bug hunter Ivan Fratric found the flaw and reported it to the video-conferencing giant back in February. As Fratric explained in a report made public today, no user interaction is required to pull off an attack, which he described as "XMPP stanza smuggling."
"The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol," Fratric noted.
XMPP is the messaging protocol that Zoom uses for its chat functionality. It works by sending short pieces of XML called stanzas over a stream connection. However, it uses the same connection to send client messages as it does to send control messages from the server.
The vulnerability abuses inconsistencies between XML parsers in Zoom's client and server software to "smuggle" malicious XMPP stanzas to the victim client, Fratric wrote.
- America, when you're done hitting us with the ban hammer, see these on-prem Zoom vulns, says Positive
- Cisco's Webex app phoned home audio telemetry even when muted
- Zoom strong-armed by US watchdog to beef up security after boasting of end-to-end encryption that didn't exist
- Fun fact: If you noticed a while ago Zoom's web client going AWOL for a week, it's because someone found a passcode-cracking hole
XMPP stanza smuggling can be used for a variety of nefarious purposes — everything from spoofing messages to make them look like they are coming from a different user to sending control messages that will be accepted as if they are coming from the server. However, Frantric noted the "most impactful vector" in the stanza smuggling vulnerability can allow an attacker to exploit the cluster switch.
Sending a very specific stanza, which he detailed, results in creating a
ClusterSwitch task in the Zoom client with an attacker-controlled web domain as a parameter.
Creating a man-in-the-middle (MITM) server to exploit this bug also revealed a bunch of data from the /clusterswitch endpoint, including a list of domains for various Zoom services.
"Since the attacker is already in the man-in-the-middle position, they can replace any of the domains with their own, acting as a reverse proxy and intercepting communications," Fratric wrote.
For this proof-of-concept, he replaced the domain used for Zoom's web server with a server he controlled, which allowed him to see and modify traffic between the client and Zoom web server. "This, in turn, allowed me to MITM the client update process and escalate to arbitrary code execution," Fratric explained.
In short: update if you haven't already. ®
- Advanced persistent threat
- App stores
- Black Hat
- Bug Bounty
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Google AI
- Google Cloud Platform
- Google Nest
- G Suite
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Privacy Sandbox
- Remote Access Trojan
- RSA Conference
- Tavis Ormandy
- Trusted Platform Module
- Zero Day Initiative
- Zero trust