The Zoom desktop and VDI shoppers and the Assembly SDK for Home windows are weak to an improper enter validation flaw that would enable an unauthenticated attacker to conduct privilege escalation on the goal system over the community.
Zoom is a well-liked cloud-based video conferencing service for company conferences, academic classes, social interactions/gatherings, and extra. It presents display sharing, assembly recording, customized backgrounds, in-meeting chat, and numerous productivity-focused options.
The software program’s reputation surged in the course of the COVID-19 pandemic when many organizations turned to distant options to keep up operations and enterprise continuity. By April 2020, it reached a peak of 300 million each day assembly contributors.
The newly disclosed flaw is tracked as CVE-2024-24691 and was found by Zoom’s offensive security staff, receiving a CVSS v3.1 rating of 9.6, ranking it “important.”
The vulnerability impacts the next product variations:
- Zoom Desktop Shopper for Home windows earlier than model 5.16.5
- Zoom VDI Shopper for Home windows earlier than model 5.16.10 (excluding 5.14.14 and 5.15.12)
- Zoom Rooms Shopper for Home windows earlier than model 5.17.0
- Zoom Assembly SDK for Home windows earlier than model 5.16.5
The brief description of the flaw doesn’t specify the way it might be exploited or what the repercussions may be, however the CVSS vector signifies that it requires some person interplay.
This might contain clicking a hyperlink, opening a message attachment, or performing another motion that the attacker may leverage to take advantage of CVE-2024-24691.
For most individuals, Zoom ought to mechanically prompts customers to replace to the newest model. Nevertheless, you possibly can manually obtain and set up the newest launch of the desktop consumer for Home windows, model 5.17.7, from right here.
Other than the improper enter validation flaw, the newest Zoom launch additionally addresses the next six vulnerabilities:
- CVE-2024-24697: A high-severity problem in Zoom 32-bit Home windows shoppers permits privilege escalation by means of native entry by exploiting an untrusted search path.
- CVE-2024-24696: An in-meeting chat vulnerability in Zoom Home windows shoppers brought on by improper enter validation permits info disclosure over the community.
- CVE-2024-24695: Much like CVE-2024-24696, improper enter validation in Zoom Home windows shoppers permits info disclosure over the community.
- CVE-2024-24699: A enterprise logic error in Zoom’s in-meeting chat function can result in info disclosure over the community.
- CVE-2024-24690: Vulnerability in some Zoom shoppers brought on by improper enter validation can set off a denial of service over the community.
- CVE-2024-24698: Improper authentication flaw in some Zoom shoppers permits info disclosure by means of native entry by privileged customers.
Zoom customers ought to apply the security replace as quickly as attainable to mitigate the chance of exterior actors elevating their privileges to a degree that enables them to steal delicate knowledge, disrupt or snoop on conferences, and set up backdoors.
