Moderate
CVE-2022-28756
CVE-2022-28756
Description
The Zoom Client for Meetings for macOS (Standard and for IT Admin) starting with version 5.7.3 and before 5.11.5 contains a vulnerability in the auto update process. A local low-privileged user could exploit this vulnerability to escalate their privileges to root.
Add Assessment
Technical Analysis
A vulnerability in the ZoomAutoUpdater application can result in escalation of privileges to that of the root user. The issue stems from permissions held by the update package that is to be installed: The package gets written to a root-owned directory; however, the package itself is writable for anyone. Because of this, an attacker can write a malicious package in place of the valid update package. Being a TOCTOU bug, the malicious package must be written after the updater verifies that the package is signed, but before the installation process begins. That makes repeated attempts at the exploit potentially necessary. Since the update process can be hidden from the user, multiple attempts at exploitation can be afforded.
Zoom appears to cache a valid update package at ~/Library/Application Support/zoom.us/AutoUpdater/Zoom.pkg if the auto update setting is checked, so exploitation may be as simple as writing the malicious package to disk, initiating an update, and then performing a copy to write the package in the valid update package’s location.
CVSS V3 Severity and Metrics
General Information
Vendors
- zoom
Products
- meetings
References
