Zoom has patched a vulnerability discovered by Google Project Zero researcher Ivan Fratric as part of an attack chain he named “XMPP stanza smuggling”. The hostname-validation flaw in that chain is tracked as CVE-2022-22787 and carries a medium CVSS severity rating of 5.9.
It affects the Zoom Client for Meetings on Windows, macOS, Linux, iOS, and Android. Zoom has urged users to update the client to version 5.10.0.
Because this is a zero-click vulnerability, it can be exploited without any action by the victim, so even highly security-aware users are at risk.
All an attacker needs is the ability to send the victim a message over Zoom chat, which is built on XMPP (Extensible Messaging and Presence Protocol). XMPP exchanges XML elements called stanzas between the two ends of a connection, carrying chat messages and presence information (whether a contact is online or not) in real time.
Zoom’s security bulletin describes the flaw as a failure by earlier versions “to properly validate the hostname during a server switch request.”
Stanza smuggling can be abused in several ways: spoofing chat messages so they appear to originate from a different user, or injecting control messages that appear to come from the server.
One such control message is the cluster switch stanza, which tells the client which server to connect to. Because the hostname it carried was not validated, an attacker who could smuggle this stanza could redirect the victim’s client to a server under their control.
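The two halves of the problem described above (a client that carves the XMPP stream into stanzas differently from the server, and a client that then honours a redirect to an unvalidated hostname) are illustrated by the following added example. It is not Zoom’s or Project Zero’s code and does not reproduce the actual parser discrepancy in the Zoom client: the naive CDATA-unaware splitter, the stanza names, the sample message and the allow-list of trusted host suffixes are all assumptions constructed for illustration.

```python
"""Illustrative XMPP stanza smuggling via a parser differential, plus the
client-side hostname check that blocks a smuggled server switch.

Added example, not code from Zoom or Project Zero. The naive splitter, the
<clusterswitch> stanza name, the sample message and the allow-list are
constructed assumptions; the real Zoom discrepancy is not reproduced here.
"""
import re
import xml.etree.ElementTree as ET

# Constructed allow-list of host suffixes a client may be redirected to.
TRUSTED_SUFFIXES = ("chat.example.com",)

# Constructed sample: a single chat <message>. The attacker controls only the
# body text; inside a CDATA section it places closing tags and a server
# control stanza. A correct XML parser treats all of it as plain text.
SMUGGLED = (
    '<message from="attacker@example.com" to="victim@example.com">'
    '<body><![CDATA[hi</body></message>'
    '<clusterswitch host="attacker.example.net"/>'
    '<message from="attacker@example.com"><body>]]></body></message>'
)


def server_accepts(raw, authenticated_sender):
    """Stand-in for the server's check: a real XML parse sees one <message>
    whose from= matches the authenticated sender, so it is relayed as-is."""
    root = ET.fromstring(raw)
    return root.tag == "message" and root.get("from") == authenticated_sender


_TAG = re.compile(r"<(/?)([A-Za-z][\w:-]*)[^>]*?(/?)>")


def naive_client_split(raw):
    """Hypothetical client-side stream splitter that tracks tag depth but
    knows nothing about CDATA. It returns (tag, raw_bytes) per stanza and
    stands in for any parser that disagrees with the server's parser."""
    stanzas, depth, start = [], 0, 0
    for m in _TAG.finditer(raw):
        closing, name, selfclose = m.group(1), m.group(2), m.group(3)
        if depth == 0:
            start = m.start()
        if not selfclose:
            depth += -1 if closing else 1
        if depth == 0:
            stanzas.append((name, raw[start:m.end()]))
    return stanzas


def validate_switch_host(host, trusted_suffixes=TRUSTED_SUFFIXES):
    """Accept a redirect target only if it is a plain DNS hostname that sits
    under a trusted suffix on a label boundary."""
    h = host.strip().lower().rstrip(".")
    # Only hostname characters: rejects userinfo (@), ports (:) and paths (/).
    if not h or not re.fullmatch(r"[a-z0-9.-]+", h):
        return False
    labels = h.split(".")
    if any(not l or len(l) > 63 or l[0] == "-" or l[-1] == "-" for l in labels):
        return False
    # "evilchat.example.com" must not pass for suffix "chat.example.com".
    return any(h == s or h.endswith("." + s) for s in trusted_suffixes)


def hardened_client_parse(raw):
    """Parse a chunk of the stream with a real XML parser, then decide per
    stanza. Returns a list of (action, detail) tuples."""
    root = ET.fromstring("<stream>" + raw + "</stream>")
    actions = []
    for stanza in root:
        if stanza.tag == "message":
            actions.append(("message", stanza.findtext("body", default="")))
        elif stanza.tag == "clusterswitch":
            host = stanza.get("host", "")
            verdict = "switch" if validate_switch_host(host) else "reject_switch"
            actions.append((verdict, host))
        else:
            actions.append(("ignore", stanza.tag))
    return actions


if __name__ == "__main__":
    print("server accepts:", server_accepts(SMUGGLED, "attacker@example.com"))
    print("naive client sees:", [t for t, _ in naive_client_split(SMUGGLED)])
    print("hardened client sees:", hardened_client_parse(SMUGGLED))
    print("redirect to attacker:",
          hardened_client_parse('<clusterswitch host="chat.example.com.attacker.example.net"/>'))
```

The server relays the bytes because, to its parser, they are one ordinary chat message. The naive client sees three stanzas, the middle one a server-only control message, and a client that trusts it would reconnect to attacker.example.net. The hardened client both parses the stream with a conforming XML parser (so the smuggled stanza stays inside the body text) and, independently, refuses any cluster switch whose hostname is not under a trusted suffix, so even a genuinely smuggled redirect goes nowhere.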
For his proof of concept, Fratric used this to replace the domain of Zoom’s web server with a server he controlled, which let him observe the traffic between the client and the Zoom web server.
He added: “This, in turn, allowed me to MITM the client update process and escalate to arbitrary code execution.”
To mitigate the threat, make sure Zoom is updated to version 5.10.0 or later.