#VU70785 Inadequate Encryption Strength in Zoom Rooms for macOS - CVE-2022-36925

Cybersecurity Help s.r.o.

Published: 2023-01-06

Vulnerability identifier: #VU70785

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-36925

CWE-ID: CWE-326

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Zoom Rooms for macOS
Client/Desktop applications / Messaging software

Vendor: Zoom Video Communications, Inc.

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to usage of an insecure key generation mechanism. The encryption key used for IPC between the Zoom Rooms daemon service and the Zoom Rooms client was generated using parameters that could be obtained by a local low-privileged application. That key can then be used to interact with the daemon service to execute privileged functions and cause a local denial of service.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Zoom Rooms for macOS: 5.0.0 2236.0426 - 5.11.3

External links
https://explore.zoom.us/en/trust/security/security-bulletin/#ZSB-22031

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Local denial of service in Zoom Rooms for macOS clients