CyberSecurity SEE

CERT-In Issues Advisory on Zoom Vulnerabilities

The Indian Computer Emergency Response Team (CERT-In) has recently issued a comprehensive security advisory highlighting multiple vulnerabilities discovered in the widely used video conferencing application, Zoom.

The vulnerabilities, identified in various versions of Zoom’s software, could allow attackers to gain unauthorized access to sensitive information, escalate privileges, or disrupt services. They span several Zoom products, including the Zoom Workplace App, Zoom Rooms Client, and Zoom Video SDK, and affect multiple operating systems such as macOS, iOS, Windows, Linux, and Android.

One of the critical vulnerabilities reported under CVE-2024-45422 involves improper input validation in Zoom Apps, potentially enabling unauthenticated users to launch a denial-of-service attack via network access. This flaw affects the Zoom Workplace App on platforms like macOS, iOS, Windows, Linux, and Android, before version 6.2.0.

Another significant vulnerability, identified as CVE-2024-45421, pertains to a buffer overflow in certain Zoom Apps, allowing authenticated users to escalate privileges through network access. This vulnerability affects versions of the Zoom Workplace App, Zoom Rooms Client, and Zoom Video SDK across multiple platforms.

Additionally, CVE-2024-45420 describes a vulnerability leading to uncontrolled resource consumption in Zoom Apps, enabling authenticated users to execute denial-of-service attacks via network access. This flaw impacts systems across platforms like Windows, macOS, and iOS.

Moreover, CVE-2024-45418 reveals a vulnerability due to symlink following in the installers of some Zoom apps for macOS, potentially allowing authenticated users to escalate privileges. This flaw affects the Zoom Workplace App for macOS and other Zoom products on macOS before version 6.1.5.

Furthermore, CVE-2024-45419 is a vulnerability related to improper input validation, leading to the disclosure of sensitive information. Unauthenticated users could exploit this flaw to access sensitive data via network access, posing a significant security threat.

Lastly, CVE-2024-45417 concerns uncontrolled resource consumption in the installer of certain Zoom apps for macOS, potentially resulting in information disclosure through local access. This vulnerability impacts several Zoom products for macOS, including the Zoom Workplace App, Zoom Meeting SDK, and Zoom Video SDK.

Given the severity of these vulnerabilities, it is crucial for users to apply timely updates to safeguard against potential threats. CERT-In has emphasized the importance of applying the latest patches to mitigate risks, such as unauthorized access to sensitive data and service disruptions that could impact individuals and organizations.

Zoom has promptly acknowledged these issues and released updates to address them, underscoring the significance of regular software updates in maintaining cybersecurity. CERT-In’s proactive efforts in identifying these vulnerabilities showcase their dedication to securing digital infrastructures, and by adhering to best practices, users can reduce the risk of exploitation and safeguard their information effectively.
