Multiple vulnerabilities identified in Zoom: CERT-In

Indian Computer Emergency Response Team (CERT-In), the government authorised nodal agency tasked to deal with incidents of data breach, said it has identified multiple vulnerabilities in Zoom products, which could allow a remote authenticated user to bypass implemented security restrictions on the targeted system.

"These vulnerabilities exist due to improper access control implementation. A remote attacker could exploit these vulnerabilities to join a meeting they are authorised to join without appearing to the other participants or obtain the audio video feed of a meeting they were not authorised to join and cause other meeting disruptions," CERT-In said in a report.

Successful exploitation of these vulnerabilities could allow a remote authenticated user to bypass implemented security restrictions on the targeted system, says CERT-In, while rating the severity of the flaw as "medium."

Three vulnerabilities, dubbed CVE-2022-28758, CVE-2022-28759, and CVE-2022-28760 affect Zoom's On-Premise Meeting Connector MMR. "Zoom On-Premise Meeting Connector MMR before version 4.8.20220815.130 contains an improper access control vulnerability. As a result, a malicious actor can join a meeting which they are authorized to join without appearing to the other participants," the video conferencing platform says in its security bulletin.

CERT-In, which is part of the Ministry of Electronics and Information Technology (MeiTY), urged users to update to the latest version as mentioned in Zoom's security advisory.

This comes days after CERT-In reported multiple vulnerabilities in Google Chrome app for desktop, which could be exploited by a remote attacker to bypass security restriction, execute arbitrary code or cause denial of service condition on the targeted system.

"These vulnerabilities exist in Google Chrome for desktop due to use after free in PDF and frames, out of bounds write in storage, heap buffer overflow in internals and insufficient validation of untrusted input in DevTools. A remote attacker could exploit these vulnerabilities by persuading a victim to visit a specially crafted web site," CERT-In had pointed out.

Meanwhile, CERT-In on Monday warned of multiple vulnerabilities in Lenovo products including desktop, Lenovo Notebook, Lenovo ThinkPad, ThinkServer, ThinkStation ThinkSystem among others.

"A local authenticated attacker could exploit this vulnerability by sending specially crafted requests. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the targeted system," says the government agency.

In July, CERT-In had issued an advisory to Apple watch users, saying it contains "multiple vulnerabilities".

Last month, Akasa Air reported a "temporary technical configuration error" related to its login and sign-up service. "As a result of this configuration error, some Akasa Air registered user information limited to names, gender, email addresses and phone numbers may have been viewed by unauthorized individuals," the airline said.