Inadequate Encryption Strength in Zoom Rooms Client for macOS - CVE-2022-36925
Published: January 6, 2023
Product: Zoom Rooms Client for macOS
Vendor: Zoom Video Communications, Inc.
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists because the key generation mechanism is insecure. The encryption key used for IPC between the Zoom Rooms daemon service and the Zoom Rooms client was generated from parameters that a local low-privileged application could obtain. That key can then be used to interact with the daemon service to execute privileged functions and cause a local denial of service.
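The weakness class described above, shown as an added example (not Zoom's code): a key derived only from locally observable values, beside a key drawn from the OS CSPRNG, with a design check that tells them apart. The parameter names, the SHA-256 derivation and the use of HMAC as the IPC protection are assumptions, since the advisory does not describe the actual parameters or scheme.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for values any local process can read (hypothetical;
# the advisory does not name the real parameters).
OBSERVABLE = {"daemon_pid": 412, "hostname": "room-mac-01", "boot_time": 1672531200}


def weak_ipc_key(params: dict) -> bytes:
    """Flawed pattern: the key is a pure function of observable values."""
    material = "|".join(f"{k}={params[k]}" for k in sorted(params))
    return hashlib.sha256(material.encode()).digest()


def strong_ipc_key() -> bytes:
    """Hardened pattern: 256 bits from the OS CSPRNG, tied to nothing observable.
    It must then reach the client over a channel only that client can read."""
    return secrets.token_bytes(32)


def tag(key: bytes, message: bytes) -> bytes:
    """Authenticate an IPC message (HMAC-SHA256 is an assumed stand-in)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def daemon_accepts(daemon_key: bytes, message: bytes, mac: bytes) -> bool:
    """Daemon-side verification with a constant-time comparison."""
    return hmac.compare_digest(tag(daemon_key, message), mac)


def reproducible_by_local_process(daemon_key: bytes, params: dict) -> bool:
    """Design check: does knowing only `params` suffice to pass verification?"""
    guess = weak_ipc_key(params)
    msg = b"constructed-test-message"
    return daemon_accepts(daemon_key, msg, tag(guess, msg))


if __name__ == "__main__":
    print("weak key reproducible:  ",
          reproducible_by_local_process(weak_ipc_key(OBSERVABLE), OBSERVABLE))
    print("strong key reproducible:",
          reproducible_by_local_process(strong_ipc_key(), OBSERVABLE))
```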