Google Project Zero security researcher Ivan Fratric showed in a report that an attacker can compromise a victim's machine over Zoom chat without any action by the victim. The bug, tracked as CVE-2022-22787, has a CVSS severity rating of 5.9.
Zoom patched the medium-severity issue and advised Windows, macOS, iOS, Android and Linux users to update their client software to version 5.10.0 or later.
“User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Fratric explained.
So-called zero-click attacks need no action from the user and are especially dangerous because even the most tech-savvy users can fall victim to them.
XMPP stands for Extensible Messaging and Presence Protocol. It exchanges messages and presence information in real time by sending XML elements called ‘stanzas’ over a long-lived stream connection. Zoom uses this protocol for its chat functionality.
According to Zoom's security bulletin, CVE-2022-22786 (CVSS score 7.5) affects only Windows users, while CVE-2022-22784, CVE-2022-22785 and CVE-2022-22787 affect Zoom client versions before 5.10.0 on Android, iOS, Linux, macOS and Windows.
How the Bug Works
The initial vulnerability, which Fratric calls “XMPP stanza smuggling”, abuses inconsistencies between the XML parsers in the Zoom client and the Zoom server to “smuggle” arbitrary XMPP stanzas to the victim's client: the server's parser sees one harmless message and relays it, while the client's parser sees additional stanzas that the server never validated.
By sending a specially crafted control stanza, an attacker can force the victim's client to connect to a malicious server, which opens the door to a range of attacks, from spoofing messages to sending control messages.
Fratric noted that “the most impactful vector” of the XMPP stanza smuggling vulnerability is an exploit of the “Cluster Switch task in the Zoom client, with an attacker-controlled ‘web domain’ as a parameter.”
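The parser differential behind stanza smuggling, shown as an added Python example that is not code from the article, from Fratric's report or from Zoom. A standards-compliant parser plays the server, a constructed naive tokenizer that ignores CDATA sections plays the client, and a constructed attacker stanza (hypothetical addresses and a hypothetical `urn:example:switch` control stanza modelled on the server-switch vector described above) is fed to both. The CDATA gap itself is an assumption chosen to illustrate the bug class, not the specific inconsistency Fratric found in Zoom.

```python
import re
import xml.etree.ElementTree as ET

# Constructed example. Two deliberately different XML parsers stand in for the
# Zoom server and the Zoom client; the CDATA handling gap is a toy
# inconsistency chosen for illustration, not the one Fratric found.

# Server side: a standards-compliant parser (ElementTree/expat). Inside a CDATA
# section everything is character data, so the server sees a single <message>
# whose <body> holds nothing but text.
def server_accepts(raw):
    """Relay policy: a peer may send only a <message> stanza whose <body> holds
    text and no child elements. Returns True if the stanza would be forwarded."""
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return False
    if root.tag != "message":
        return False
    body = root.find("body")
    return body is not None and len(body) == 0

# Client side: a toy tokenizer that knows nothing about CDATA sections. It scans
# for tags and returns the name of every depth-0 element, i.e. every stanza the
# client would act on. Namespaces are omitted throughout for brevity.
_TAG = re.compile(r"<(/?)([A-Za-z][\w-]*)[^>]*?(/?)>")

def client_split_stanzas(raw):
    stanzas, depth = [], 0
    for m in _TAG.finditer(raw):
        closing, name, self_closing = m.group(1), m.group(2), m.group(3)
        if closing:
            depth -= 1
            continue
        if depth == 0:
            stanzas.append(name)
        if not self_closing:
            depth += 1
    return stanzas

def smuggled_stanzas(raw):
    """Stanzas the client acts on that the server never validated: everything
    beyond the single <message> the server accepted. Empty when there is no
    differential."""
    if not server_accepts(raw):
        return []
    return client_split_stanzas(raw)[1:]

# Mitigation shown here (a generic one, not necessarily Zoom's fix): the server
# re-serialises from its own parsed tree instead of relaying the raw bytes, so
# what it saw as text reaches the client escaped as text.
def server_reserialize(raw):
    return ET.tostring(ET.fromstring(raw), encoding="unicode")

# Constructed attacker message. The CDATA section hides a fake close of the
# outer <message>, an <iq> telling the client to switch to an
# attacker-controlled domain (hypothetical control stanza), and a fresh
# <message> so the naive client's tag nesting comes out balanced.
SMUGGLING_STANZA = (
    "<message to='victim@example.org' from='attacker@example.org' type='chat'>"
    "<body><![CDATA[hello</body></message>"
    "<iq type='set' id='x1' to='victim@example.org'>"
    "<query xmlns='urn:example:switch' domain='attacker.example.net'/></iq>"
    "<message><body>]]></body>"
    "</message>"
)

# Constructed ordinary chat message for comparison.
BENIGN_STANZA = (
    "<message to='victim@example.org' from='alice@example.org' type='chat'>"
    "<body>hi</body></message>"
)

if __name__ == "__main__":
    print("server accepts:", server_accepts(SMUGGLING_STANZA))
    print("client sees:", client_split_stanzas(SMUGGLING_STANZA))
    print("smuggled:", smuggled_stanzas(SMUGGLING_STANZA))
    print("after re-serialisation:",
          client_split_stanzas(server_reserialize(SMUGGLING_STANZA)))
```

Run it and the server forwards the stanza as one plain chat message while the client sees three stanzas, the middle one a control stanza it would act on. Re-serialising from the server's parsed tree closes this particular gap; the general lesson is that the relay must validate the same representation the client will consume, not the raw bytes, or both ends must use the same parser.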