Zoom patches critical privilege elevation flaw in Windows apps

The Zoom desktop and VDI clients and the Meeting SDK for Windows are vulnerable to an improper input validation flaw that could allow an unauthenticated attacker to conduct privilege escalation on the target system over the network.

Zoom is a popular cloud-based video conferencing service for corporate meetings, educational sessions, social interactions and gatherings, and more. It offers screen sharing, meeting recording, custom backgrounds, in-meeting chat, and various productivity-focused features.

The software's popularity surged during the COVID-19 pandemic, when many organizations turned to remote solutions to maintain operations and business continuity. By April 2020, it reached a peak of 300 million daily meeting participants.

The newly disclosed flaw is tracked as CVE-2024-24691 and was discovered by Zoom's offensive security team. It received a CVSS v3.1 score of 9.6, rating it "critical."

The vulnerability affects the following product versions:

  • Zoom Desktop Client for Windows before version 5.16.5
  • Zoom VDI Client for Windows before version 5.16.10 (except 5.14.14 and 5.15.12)
  • Zoom Rooms Client for Windows before version 5.17.0
  • Zoom Meeting SDK for Windows before version 5.16.5
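For anyone triaging an endpoint inventory against the list above, the version thresholds are easy to get wrong by hand, particularly the VDI client, where two older branches (5.14.14 and 5.15.12) already carry a backported fix and are not affected even though they sort below 5.16.10. The following is an added example, not Zoom's code or a Zoom tool; the product keys (`desktop`, `vdi`, `rooms`, `sdk`), the sample inventory rows and the treatment of an exempt build as any version whose first three components match (so a 5.15.12.x build counts as patched) are this example's own assumptions. The fixed-version thresholds and exemptions are taken from the article.

```python
"""Flag installed Zoom for Windows builds that fall into the version ranges
this article lists as affected by CVE-2024-24691.

Added example, not Zoom's code. Thresholds and exemptions come from the
advisory list in the article; product keys and sample data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted version such as '5.16.5' or '5.16.5.23456' (the
    four-part form Zoom's About dialog shows) into a comparable tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: Version, b: Version) -> bool:
    """True if a < b, padding the shorter tuple with zeros so that
    5.16 compares equal to 5.16.0 rather than below it."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


@dataclass(frozen=True)
class AffectedRange:
    product: str
    fixed_in: Version                    # first version no longer affected
    exempt: frozenset[Version] = frozenset()  # older branches with a backported fix


# Keys are this example's own choice; thresholds are from the article.
ADVISORY: dict[str, AffectedRange] = {
    "desktop": AffectedRange("Zoom Desktop Client for Windows", (5, 16, 5)),
    "vdi": AffectedRange("Zoom VDI Client for Windows", (5, 16, 10),
                         frozenset({(5, 14, 14), (5, 15, 12)})),
    "rooms": AffectedRange("Zoom Rooms Client for Windows", (5, 17, 0)),
    "sdk": AffectedRange("Zoom Meeting SDK for Windows", (5, 16, 5)),
}


def is_affected(product: str, installed: str) -> bool:
    """Return True if the installed version is inside the affected range.

    Assumption: an exempt build is matched on its first three components,
    so '5.15.12.1234' is treated as the backported-fix release 5.15.12.
    """
    rng = ADVISORY[product]
    v = parse_version(installed)
    if v[:3] in rng.exempt:
        return False
    return version_lt(v, rng.fixed_in)


def triage(inventory: Iterable[tuple[str, str, str]]) -> list[str]:
    """Given (hostname, product key, installed version) rows, return the
    hostnames that still need the update, in inventory order."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


# Constructed sample inventory; hostnames and versions are not from the article.
SAMPLE_INVENTORY = [
    ("ws-01", "desktop", "5.16.2.23456"),   # below 5.16.5 -> affected
    ("ws-02", "desktop", "5.17.7"),         # current release -> fine
    ("vdi-01", "vdi", "5.15.12"),           # backported fix -> fine
    ("vdi-02", "vdi", "5.15.10"),           # below 5.16.10, not exempt -> affected
    ("room-01", "rooms", "5.16.10"),        # Rooms threshold is 5.17.0 -> affected
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("update needed:", host)
```

Feed it the version strings your endpoint management tool already collects; the point is that the Rooms client has a different threshold from the desktop client, and that a VDI deployment pinned to 5.15.12 is correctly reported as patched rather than generating a false alarm.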

The short description of the flaw does not specify how it could be exploited or what the repercussions would be, but the CVSS vector indicates that it requires some user interaction.

This could involve clicking a link, opening a message attachment, or performing some other action that the attacker could leverage to exploit CVE-2024-24691.

For most people, Zoom should automatically prompt users to update to the latest version. However, you can also manually download and install the latest release of the desktop client for Windows, version 5.17.7.

Apart from the improper input validation flaw, the latest Zoom release also addresses the following six vulnerabilities:

  • CVE-2024-24697: A high-severity issue in Zoom 32-bit Windows clients allows privilege escalation via local access by exploiting an untrusted search path.
  • CVE-2024-24696: An in-meeting chat vulnerability in Zoom Windows clients caused by improper input validation allows information disclosure over the network.
  • CVE-2024-24695: Similar to CVE-2024-24696, improper input validation in Zoom Windows clients allows information disclosure over the network.
  • CVE-2024-24699: A business logic error in Zoom's in-meeting chat feature can lead to information disclosure over the network.
  • CVE-2024-24690: A vulnerability in some Zoom clients caused by improper input validation can trigger a denial of service over the network.
  • CVE-2024-24698: An improper authentication flaw in some Zoom clients allows information disclosure via local access by privileged users.

Zoom users should apply the security update as soon as possible to mitigate the risk of external actors elevating their privileges to a level that lets them steal sensitive data, disrupt or eavesdrop on meetings, and install backdoors.
