Attacker Value
Moderate
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local

CVE-2022-28756

Disclosure Date: August 14, 2022
Privilege Escalation
Techniques
Validation
Validated

Description

The Zoom Client for Meetings for macOS (Standard and for IT Admin) starting with version 5.7.3 and before 5.11.5 contains a vulnerability in the auto update process. A local low-privileged user could exploit this vulnerability to escalate their privileges to root.

Ratings
Technical Analysis

A vulnerability in the ZoomAutoUpdater application can result in escalation of privileges to that of the root user. The issue stems from permissions held by the update package that is to be installed: the package gets written to a root-owned directory; however, the package itself is writable by anyone. Because of this, an attacker can write a malicious package in place of the valid update package. Being a TOCTOU bug, the malicious package must be written after the updater verifies that the package is signed, but before the installation process begins. That makes repeated attempts at the exploit potentially necessary. Since the update process can be hidden from the user, multiple attempts at exploitation can be afforded.

Zoom appears to cache a valid update package at ~/Library/Application Support/zoom.us/AutoUpdater/Zoom.pkg if the auto update setting is checked, so exploitation may be as simple as writing the malicious package to disk, initiating an update, and then performing a copy to write the package in the valid update package’s location.
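The following is an added example (not Zoom's code and not part of the assessment above) showing the two defender-side pieces the analysis implies: an audit that flags an update package that is world-writable, and the staging pattern that closes the check-to-use window by copying the candidate package into a freshly created private directory and verifying and installing only that copy. The layout is constructed in a temporary directory, and a SHA-256 digest stands in for the code-signature check a real updater would perform; both are assumptions made for the example.

```python
"""Audit and mitigation pattern for a world-writable update package.

Added example, not the vendor's code. Part 1 flags the precondition the
analysis describes (a package anyone can rewrite). Part 2 shows the fix:
stage the package into a private 0700 directory, verify the staged copy,
and install from that copy, so a rewrite of the original after the check
cannot change what is installed.  SHA-256 stands in for signature checks.
"""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def is_world_writable(path: Path) -> bool:
    """True when the 'other' write bit is set on the inode."""
    return bool(path.stat().st_mode & stat.S_IWOTH)


def audit_update_path(pkg: Path) -> List[str]:
    """Return findings for an on-disk update package (empty when safe)."""
    findings = []
    if not pkg.exists():
        return ["package not present"]
    if is_world_writable(pkg):
        mode = oct(pkg.stat().st_mode & 0o777)
        findings.append(f"{pkg} is world-writable (mode {mode})")
    parent = pkg.parent
    if is_world_writable(parent) and not (parent.stat().st_mode & stat.S_ISVTX):
        findings.append(f"{parent} is world-writable without the sticky bit")
    return findings


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_and_verify(src: Path, expected_digest: str) -> Optional[Path]:
    """Copy src into a private directory, then verify only the copy.

    Returns the staged path (the caller installs from it) or None when
    verification fails.  src is never re-read after the copy, which is
    what removes the TOCTOU window.
    """
    stage_dir = Path(tempfile.mkdtemp(prefix="updater-stage-"))
    os.chmod(stage_dir, 0o700)
    staged = stage_dir / src.name
    shutil.copyfile(src, staged)
    os.chmod(staged, 0o600)
    if sha256_of(staged) != expected_digest:
        shutil.rmtree(stage_dir)
        return None
    return staged


def demo() -> Dict[str, object]:
    """Constructed layout mirroring the weakness, then the hardened flow."""
    root = Path(tempfile.mkdtemp(prefix="updater-demo-"))
    cache = root / "AutoUpdater"          # stands in for the root-owned cache dir
    cache.mkdir()
    os.chmod(cache, 0o755)                # directory itself is not writable by others
    pkg = cache / "Zoom.pkg"
    pkg.write_bytes(b"GOOD-PACKAGE")      # constructed stand-in for a signed package
    os.chmod(pkg, 0o666)                  # world-writable, as described in the analysis
    findings = audit_update_path(pkg)
    good = sha256_of(pkg)

    # Insecure flow: verify in place, then read the same path again to install.
    in_place_check_passed = sha256_of(pkg) == good
    pkg.write_bytes(b"SWAPPED-AFTER-CHECK")  # simulated rewrite between check and use
    installed_insecure = pkg.read_bytes()

    # Hardened flow: stage privately, verify the copy, install from the copy.
    pkg.write_bytes(b"GOOD-PACKAGE")
    staged = stage_and_verify(pkg, good)
    pkg.write_bytes(b"SWAPPED-AFTER-CHECK")  # same rewrite, now too late to matter
    installed_hardened = staged.read_bytes() if staged is not None else None
    rejected = stage_and_verify(pkg, good)   # a rewritten file fails staging outright

    if staged is not None:
        shutil.rmtree(staged.parent)
    shutil.rmtree(root)
    return {
        "findings": findings,
        "in_place_check_passed": in_place_check_passed,
        "installed_insecure": installed_insecure,
        "installed_hardened": installed_hardened,
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The audit only reads mode bits, so it can be run by an unprivileged monitoring job against the cache path named above; the staging routine is the shape of fix an updater wants, with the verify and the install operating on one inode that no other user can reach.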

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • zoom

Products

  • meetings
