An update is recommended for users of Zoom clients on all supported platforms. Of the currently reported vulnerabilities, two are classified as high severity and three others as medium severity. Zoom provides the corresponding security updates for Android, iOS, Linux, macOS and Windows.
The two high-severity vulnerabilities reported by Zoom are rated 8.3 and 7.2 on the CVSS scale. They are not considered critical, but they should still be patched immediately. Zoom provides suitable patches or software updates for this.
Vulnerabilities with CVSS 8.3 and 7.2
The first vulnerability, with CVSS 8.3, concerns an “improper trust boundary implementation for SMB in Zoom clients” and is tracked as CVE-2023-22885. The impact, according to Zoom: if a victim saves a local recording to an SMB location and later opens it via a link from Zoom's web portal, an attacker on a network adjacent to the victim's client could set up a malicious SMB server that responds to the client's requests. The attacker could use this to start executable files, which could allow them to gain access to the user's device and data and to run further code remotely.
The affected products:
- Zoom clients (for Android, iOS, Linux, macOS and Windows) earlier than version 5.13.5
- Zoom Rooms clients (for Android, iOS, Linux, macOS and Windows) earlier than version 5.13.5
- Zoom VDI Windows Meeting clients prior to version 5.13.10
The second high-severity vulnerability concerns local privilege escalation in the Zoom for Windows installer and is tracked as CVE-2023-22883. A low-privileged local user could, for example, exploit this vulnerability as part of an attack chain during the installation process to escalate their privileges to the SYSTEM user. Installing the update eliminates the risk.
The affected product:
- Zoom Client for Meetings for IT Admin Windows installers earlier than version 5.13.5
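The practical follow-up to both product lists above is an inventory check: which installed clients are below the fixed versions the advisory names. The script below is an added example and not Zoom's or the advisory's own code; the product keys and the host inventory are constructed for illustration. It compares versions numerically rather than as strings, because a lexical comparison wrongly treats "5.13.5" as newer than "5.13.10", which matters for the VDI client threshold of 5.13.10.

```python
# Added example: check installed Zoom client versions against the fixed
# versions stated in the advisory. Product keys and sample hosts are constructed.

from typing import Iterable, List, Tuple

# Fixed versions taken from the advisory: anything older is affected.
FIXED_VERSIONS = {
    "zoom-client": "5.13.5",                 # Zoom clients (Android, iOS, Linux, macOS, Windows)
    "zoom-rooms": "5.13.5",                  # Zoom Rooms clients
    "zoom-vdi-windows-meeting": "5.13.10",   # Zoom VDI Windows Meeting clients
    "zoom-it-admin-installer": "5.13.5",     # Zoom Client for Meetings IT Admin Windows installers
}


def parse_version(version: str, width: int = 3) -> Tuple[int, ...]:
    """Turn '5.13.10' into (5, 13, 10), padded with zeros to `width` parts.

    A trailing build suffix such as '5.13.5 (12053)' is ignored; non-numeric
    components raise ValueError so a malformed inventory entry is not silently
    treated as patched.
    """
    core = version.strip().split()[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (width - len(parts))
    return tuple(parts)


def is_affected(product: str, installed: str) -> bool:
    """True when the installed version is older than the fixed version.

    Tuple comparison is numeric per component, so (5, 13, 5) < (5, 13, 10)
    holds, whereas the string comparison "5.13.5" < "5.13.10" is False.
    """
    fixed = FIXED_VERSIONS[product]
    return parse_version(installed) < parse_version(fixed)


# Constructed sample inventory: (host, product key, installed version).
SAMPLE_INVENTORY = [
    ("host-a", "zoom-client", "5.13.5"),                 # exactly the fixed version
    ("host-b", "zoom-client", "5.12.9"),                 # clearly older
    ("host-c", "zoom-vdi-windows-meeting", "5.13.5"),    # below the VDI threshold of 5.13.10
    ("host-d", "zoom-it-admin-installer", "5.13.10"),    # newer than 5.13.5
]


def hosts_needing_update(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the hosts whose installed client is below the fixed version."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```

Running the script on the constructed inventory reports host-b and host-c; host-c is the case a naive string comparison would miss, since "5.13.5" sorts after "5.13.10" lexically.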