Inadequate Encryption Strength in Zoom Rooms Client for macOS - CVE-2022-36925

 

Inadequate Encryption Strength in Zoom Rooms Client for macOS - CVE-2022-36925

Published: January 6, 2023


Vulnerability identifier: #VU70785
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-36925
CWE-ID: CWE-326
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Zoom Video Communications, Inc.
Affected software:
Zoom Rooms Client for macOS

Detailed vulnerability description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to usage of an insecure key generation mechanism. The encryption key used for IPC between the Zoom Rooms daemon service and the Zoom Rooms client was generated using parameters that could be obtained by a local low-privileged application. That key can then be used to interact with the daemon service to execute privileged functions and cause a local denial of service.


How to mitigate CVE-2022-36925

Install updates from vendor's website.

Sources