Several packages and variants of the Zoom web conferencing software contain security vulnerabilities, some of them rated critical. Updated software is available and should fix the problems. The updates meant to close the privilege escalation vulnerability in the Mac client have so far been insufficient, so Mac users need to update the client once more.
The Zoom Client for Meetings for Android, iOS, Linux, macOS and Windows fails to parse URLs correctly, which could let attackers deliver malicious code from the network. The flaw is triggered when a user opens a maliciously crafted meeting URL: the link can make the client connect to an arbitrary network address, opening the door to follow-on attacks such as launching executables from arbitrary directories (CVE-2022-28755, CVSS 9.6, risk "critical"). Version 5.11.0 of the client no longer contains the flaw; the Zoom VDI Windows Meeting Client is fixed as of version 5.10.7.
In Zoom Rooms for Conference Rooms for Windows prior to the current version 5.11.0, attackers could escalate their privileges to SYSTEM (CVE-2022-28752, CVSS 8.8, high). The fix for the vulnerability that allowed privilege escalation through the auto-updater of the Zoom Client for Meetings for macOS (CVE-2022-28756) turned out to be insufficient: a variation of the attack bypasses it (CVE-2022-28757, CVSS 8.8, high). Version 5.11.6 of the Zoom Client for Meetings for macOS, released on Wednesday of this week, is meant to close the gap, this time hopefully for good.
Another vulnerability affects the on-premise Zoom Meeting Connector Zone Controller before version 4.8.20220419.112: it processes STUN error messages incorrectly, which leads to memory corruption and can crash the service, so a denial of service is possible. In versions before 188.8.131.5211115 attackers could even use the flaw to inject and execute malicious code (CVE-2022-28750, CVSS 7.5, high).
In addition, Zoom On-Premise Meeting Connector MMR before version 184.108.40.20620714 enforces access controls insufficiently. Attackers who have been invited to a meeting can bypass the waiting room, admit themselves, take over the host role, and otherwise disrupt the meeting (CVE-2022-28753 and CVE-2022-28754, CVSS 7.1, high).
Some of the updated software is available on the Zoom download page. For administrators of an on-premise Zoom Meeting Connector, the company provides instructions on how to update. Administrators and users should promptly make sure the current versions are in use, so that cybercriminals or malicious insiders do not get an unnecessary target for attack.
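A practical way to act on the advice above is to compare the versions found in a software inventory against the minimum fixed versions named in this article. The following script is an added example and not code from the article or from Zoom; the product names used as keys, the inventory rows, and the assumption that a version string may carry a build number in parentheses (as in "5.11.6 (9890)") are mine, and the version table only contains the fixed versions this article states (the two garbled Meeting Connector MMR and Zone Controller RCE versions are deliberately left out).

```python
"""Flag installed Zoom components that are below the fixed versions named in the article.

Added example: the product keys, inventory rows and build-suffix handling are assumptions,
not Zoom's own naming or data.
"""
from typing import Dict, List, Tuple

# Minimum fixed versions exactly as stated in the article (assumed product labels as keys).
FIXED_VERSIONS: Dict[str, str] = {
    "Zoom Client for Meetings (Windows/Linux/Android/iOS)": "5.11.0",   # CVE-2022-28755
    "Zoom Client for Meetings (macOS)": "5.11.6",                       # CVE-2022-28757 re-fix
    "Zoom VDI Windows Meeting Client": "5.10.7",                        # CVE-2022-28755
    "Zoom Rooms for Conference Rooms for Windows": "5.11.0",            # CVE-2022-28752
    "Zoom Meeting Connector Zone Controller": "4.8.20220419.112",       # CVE-2022-28750 (DoS)
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.11.6 (9890)' or '4.8.20220419.112' into a tuple of ints.

    Anything after the first whitespace (assumed to be a build number) is ignored;
    non-numeric components are rejected rather than silently compared as strings.
    """
    core = version.strip().split()[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a C comparator. Shorter versions are zero-padded so
    '5.11' equals '5.11.0' instead of sorting below it (plain tuple comparison would)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_vulnerable(product: str, installed: str) -> bool:
    """True if the installed version is strictly below the fixed version for that product."""
    return compare_versions(installed, FIXED_VERSIONS[product]) < 0


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, installed, fixed) for every inventory row that is still vulnerable."""
    findings = []
    for host, product, installed in inventory:
        if is_vulnerable(product, installed):
            findings.append((host, product, installed, FIXED_VERSIONS[product]))
    return findings


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("mac-01", "Zoom Client for Meetings (macOS)", "5.11.5 (9876)"),       # had the first, broken fix
    ("mac-02", "Zoom Client for Meetings (macOS)", "5.11.6 (9890)"),
    ("win-01", "Zoom Client for Meetings (Windows/Linux/Android/iOS)", "5.10.7"),
    ("win-02", "Zoom Client for Meetings (Windows/Linux/Android/iOS)", "5.11"),  # same as 5.11.0
    ("room-01", "Zoom Rooms for Conference Rooms for Windows", "5.10.3"),
    ("zc-01", "Zoom Meeting Connector Zone Controller", "4.8.20220418.999"),
    ("zc-02", "Zoom Meeting Connector Zone Controller", "4.8.20220419.112"),
]

if __name__ == "__main__":
    for host, product, installed, fixed in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {installed} is below fixed version {fixed}")
```

Note that the macOS client is keyed separately on purpose: 5.11.0 fixed the URL parsing bug on all platforms, but only 5.11.6 closes the auto-updater privilege escalation again, so a macOS client at 5.11.5 must still be reported.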