Zoom stomps critical privilege escalation bug plus 6 other flaws
All desktop and mobile apps vulnerable to at least one of the vulnerabilities
Video conferencing giant Zoom today opened up about a fresh batch of security vulnerabilities affecting its products, including a critical privilege escalation flaw.
Tracked as CVE-2024-24691 with a CVSS score of 9.6, Zoom says the vulnerability may enable privilege escalation for unauthenticated users via network access.
Limited technical details were disclosed, but an examination of the exploitability metrics that influenced the severity score shows that Zoom believes an exploit would require little complexity to execute, although some user interaction may be required.
It's also deemed to have a potentially high impact on affected products, which include the Windows versions of the Zoom desktop client, VDI client, Rooms client, and Zoom Meeting SDK.
- Zoom Desktop Client for Windows before version 5.16.5
- Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
- Zoom Rooms Client for Windows before version 5.17.0
- Zoom Meeting SDK for Windows before version 5.16.5
The vulnerability was reported by researchers in Zoom's Offensive Security division, and the company hasn't said whether any in-the-wild exploitation was detected.
In any case, the severity of the vulnerability should be a cause for concern and prompt users into patching to the latest version.
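As an added example that is not part of the original article, the following Python helper encodes the CVE-2024-24691 version thresholds listed above (including the two exempt VDI builds) so a defender can check an inventory of installed Windows Zoom versions against them; the product keys and the sample inventory are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Fixed versions for CVE-2024-24691 as listed in the bulletin quoted above.
# The VDI client is fixed in 5.16.10, but builds 5.14.14 and 5.15.12 are
# listed as not affected, so they are exempt from the "before" rule.
FIXED: Dict[str, Tuple[str, List[str]]] = {
    "desktop": ("5.16.5", []),
    "vdi": ("5.16.10", ["5.14.14", "5.15.12"]),
    "rooms": ("5.17.0", []),
    "meeting_sdk": ("5.16.5", []),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.16.5' or '5.16.4.1234' into a tuple of ints that compares naturally."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(product: str, installed: str) -> bool:
    """True when `installed` is below the fixed version and is not an exempt build.

    Tuple comparison handles four-part build numbers: (5,16,4,1234) sorts below
    (5,16,5), while (5,16,5,1) sorts above it, so patched builds are not flagged.
    """
    if product not in FIXED:
        raise ValueError(f"unknown product key: {product}")
    fixed, exempt = FIXED[product]
    inst = parse_version(installed)
    # Exempt builds are matched on their three-part prefix so 5.14.14.7 is exempt too.
    if any(inst[:3] == parse_version(e)[:3] for e in exempt):
        return False
    return inst < parse_version(fixed)


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (product, version) pairs from an inventory that still need patching."""
    return [(p, v) for p, v in inventory if is_affected(p, v)]


# Constructed sample inventory (not real data): one installed build per product.
SAMPLE_INVENTORY = [
    ("desktop", "5.16.4"),
    ("vdi", "5.15.12"),
    ("rooms", "5.17.0"),
    ("meeting_sdk", "5.16.4.1234"),
]

if __name__ == "__main__":
    for product, version in audit(SAMPLE_INVENTORY):
        print(f"{product} {version}: affected by CVE-2024-24691, update required")
```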
Also included in the round of updates were improper input validation vulnerabilities, as well as assorted others; all but one of these were medium-severity issues.
The other now-patched vulnerabilities were:
- CVE-2024-24690: A medium severity (5.4) flaw affecting various Zoom clients that could potentially lead to denial of service (DoS) attacks
- CVE-2024-24695: Another medium severity (6.8) vulnerability that could lead to information disclosure, but an attacker would need to be authenticated
- CVE-2024-24696: Similar to the above improper input validation issue. Same severity, affecting the same clients, with the same outcome. This one concerns the in-meeting chat functionality, though
- CVE-2024-24697: The only high severity (7.2) vulnerability here. Affecting some 32-bit Windows clients, this untrusted search path flaw could enable local privilege escalation for authenticated attackers
- CVE-2024-24698: A medium severity (4.9) issue affecting Zoom desktop apps (Windows, Mac, and Linux), mobile apps (Android and iOS), VDI client, Rooms client, and Meeting SDKs. It's classed as an improper authentication vulnerability that could lead to disclosure of information
- CVE-2024-24699: Also affecting all desktop and mobile apps, plus the Meeting SDKs and VDI and Rooms clients, this medium severity (6.5) flaw could lead to information disclosure over the network
It's worth checking out each advisory for the specific versions affected as they do differ between the various vulnerabilities. ®