The Indian Computer Emergency Response Team (CERT-In) has issued a detailed security advisory about multiple vulnerabilities found in the popular video conferencing application, Zoom.
These Zoom vulnerabilities identified across various versions of Zoom’s software, targets users by potentially allowing attackers to gain unauthorized access to sensitive information, escalate privileges, or disrupt service.
The vulnerabilities are present in several Zoom products, including the Zoom Workplace App, Zoom Rooms Client, and Zoom Video SDK, across multiple operating systems such as macOS, iOS, Windows, Linux, and Android.
Zoom Vulnerabilities Targeting Unsuspecting Users
The vulnerabilities impact a wide range of Zoom applications, primarily those before version 6.2.0. Affected products include:
- Zoom Workplace App for macOS, iOS, Windows, Linux, and Android before version 6.2.0.
- Zoom Rooms Client for Windows, iPad, and macOS before version 6.2.0.
- Zoom Rooms Controller for multiple platforms (Windows, macOS, Linux, Android) before version 6.2.0.
- Zoom Video SDK and Zoom Meeting SDK for macOS, iOS, Windows, Linux, and Android before version 6.2.0.
- Zoom Workplace VDI Client for Windows before version 6.1.12 (except version 6.0.14).
The vulnerabilities found in these products stem from various issues such as improper input validation, buffer overflows, symlink following, and uncontrolled resource consumption. These weaknesses could lead to malicious consequences, ranging from unauthorized access to a system, privilege escalation, and even denial of service (DoS) conditions.
Details of the Vulnerabilities in Zoom
1. Improper Input Validation (CVE-2024-45422)
One of the most critical vulnerabilities, reported under CVE-2024-45422, involves improper input validation in Zoom Apps. Before version 6.2.0, this flaw could allow an unauthenticated user to launch a denial of service (DoS) attack via network access. The issue affects the Zoom Workplace App on multiple platforms, including macOS, iOS, Windows, Linux, and Android.
The CVSS severity of this vulnerability is classified as medium, with a CVSS score of 6.5. Users are strongly encouraged to apply updates promptly in order to prevent potential disruptions that could arise from this issue.
2. Buffer Overflow Vulnerability (CVE-2024-45421)
Another critical vulnerability, identified as CVE-2024-45421, relates to a buffer overflow in some Zoom Apps. This flaw can be exploited by an authenticated user to escalate privileges via network access. It affects versions of the Zoom Workplace App, Zoom Rooms Client, and Zoom Video SDK across multiple platforms.
The CVSS severity of this vulnerability is classified as high, with a CVSS score of 8.5. Given its high-risk nature, this vulnerability could enable attackers to gain elevated privileges, potentially granting them full control over the affected system.
3. Uncontrolled Resource Consumption (CVE-2024-45420)
CVE-2024-45420 describes a vulnerability in Zoom Apps that leads to uncontrolled resource consumption. This flaw allows an authenticated user to execute a denial of service (DoS) attack via network access, which could result in system slowdown or complete disruption of the service.
The CVSS severity of this vulnerability is classified as medium, with a CVSS score of 4.3. Affected versions include the Zoom Workplace App and Zoom Rooms Client, among others. This vulnerability impacts systems across multiple platforms, including Windows, macOS, and iOS.
4. Symlink Following (CVE-2024-45418)
A lesser-severity vulnerability, CVE-2024-45418, exists due to symlink following in the installer of some Zoom apps for macOS. This flaw could enable an authenticated user to escalate privileges, potentially leading to unauthorized access or modification of system files.
The CVSS severity of this flaw is classified as medium, with a CVSS score of 5.4. It affects the Zoom Workplace App for macOS, as well as other Zoom products on macOS, versions prior to 6.1.5.
5. Improper Input Validation and Information Disclosure (CVE-2024-45419)
This vulnerability, identified as CVE-2024-45419, allows for improper input validation, which may result in the disclosure of sensitive information. An unauthenticated user could exploit this flaw to access sensitive data via network access, posing a significant security threat.
This vulnerability is classified as high, with a CVSS score of 8.1. It is present in several Zoom apps and impacts multiple operating systems, including Windows, macOS, iOS, Android, and Linux.
6. Uncontrolled Resource Consumption in macOS Installers (CVE-2024-45417)
The final vulnerability in the list, CVE-2024-45417, pertains to uncontrolled resource consumption in the installer for some Zoom apps for macOS. This flaw can lead to information disclosure through local access, especially in cases where a privileged user executes malicious code.
This vulnerability, with a CVSS severity of medium and a score of 6.0, affects several Zoom products for macOS, including the Zoom Workplace App, Zoom Meeting SDK, and Zoom Video SDK.
Conclusion
Timely updates are important due to the high severity of vulnerabilities in Zoom products. CERT-In has urged all users to apply the latest patches to protect against potential threats. These vulnerabilities pose substantial risks, including unauthorized access to sensitive data and service disruptions that can impact both individuals and organizations.
Zoom has acknowledged the issues and released updates to address them, available on their website. This highlights the importance of regular software updates in maintaining cybersecurity. CERT-In’s efforts to identify these vulnerabilities demonstrate its commitment to securing digital infrastructures, and by following best practices, users can reduce the risk of exploitation and protect their information.
