Zoom Application Vulnerability

Analysis

In mid-September, CERT-In (Indian Computer Emergency Response Team) identified two high-severity vulnerabilities in the Zoom On-Premises Meeting Connector MMR application.

If successfully exploited, a malicious actor could gain unauthorized access, obtain the audio and video feed of a meeting they are not authorized to participate in, and cause unauthorized disruptions.

The vulnerabilities are tracked as CVE-2022-28758 and CVE-2022-28759 in the Common Vulnerabilities and Exposures (CVE) database, with a severity of “High” and a score of 8.2 under CVSS v3.1 (Common Vulnerability Scoring System).

The weakness in the software was identified as CWE-284 (Improper Access Control), as defined on cwe.mitre.org. Zoom advised its users to update to the latest version from https://zoom.us/download.

CVSS v3.1: 8.2 (High)

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: Low

Availability: None

 

Prevention

Update the Zoom On-Premises Meeting Connector MMR to version 4.8.20220815.130 or later.
