Zoom fixes a series of high-risk vulnerabilities
In the realm of digital communications, the past decade has been marked by a growing dependency on video conferencing solutions, with Zoom Video Communications leading the pack. Yet, the bedrock of such platforms — data security — has been called into question. Recent discoveries indicate a series of high-risk vulnerabilities in Zoom’s software, a situation which urgently needs addressing.
Zoom’s Windows clients, prior to version 5.14.0, have been found to harbor a rather unsettling flaw, cataloged as CVE-2023-34113. The bug derives from an insufficient verification of data authenticity, a security loophole which could be exploited by an authenticated user to escalate privileges via network access. With a Common Vulnerability Scoring System (CVSS) score of 8, this issue poses a high-risk situation, necessitating immediate action.
Simultaneously, Zoom’s macOS and Windows clients are facing another predicament. CVE-2023-34114, with a CVSS score of 8.3, concerns the exposure of a resource to the wrong sphere. This vulnerability could allow an authenticated user to obtain information disclosure via network access. Affected versions are those preceding 5.14.10 for both the Windows and macOS clients.
CVE-2023-34122 refers to improper input validation in the installer for Zoom’s Windows clients before version 5.14.0. An authenticated user might exploit this flaw to escalate privileges via local access, posing a high risk with a CVSS score of 7.3.
In the hierarchy of cyber threats, improper privilege management is often a cardinal sin. Zoom’s Windows clients, as well as Zoom Rooms for Windows and Zoom VDI for Windows clients — all preceding version 5.14.0 — are grappling with such a menace. Cataloged as CVE-2023-34120, this vulnerability, with a CVSS score of 8.7, could give an authenticated user the ability to escalate privileges through local access.
Additionally, Zoom’s VDI client installer, prior to version 5.14.0, contains an improper access control vulnerability, referred to as CVE-2023-28598. A malicious user could potentially exploit this flaw to delete local files without appropriate permissions. The vulnerability holds a CVSS score of 7.7, highlighting the urgency of the situation.
The Linux clients for Zoom, preceding version 5.13.10, are also under scrutiny for an HTML injection vulnerability, referred to as CVE-2023-28598. If a victim initiates a chat with a malevolent user, this vulnerability could result in the Zoom application crashing, thus posing a high-risk situation with a CVSS score of 7.5.
Users can combat these looming threats by promptly applying updates or by downloading the latest Zoom software, which contains all current security fixes, from Zoom’s website.
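As an added example (not code from Zoom or from the article), the helper below takes a platform label and an installed client version and returns which of the CVEs listed above remain unpatched, using the fixed-version thresholds the article gives. The platform labels and the ADVISORIES table are local constructs; the version parser assumes a dotted numeric string, optionally followed by a build number in parentheses.

```python
# Fixed-version thresholds as stated in the article; a client strictly below the
# threshold for its platform is still exposed. The CVE ids are reproduced as the
# article lists them. Platform labels are a local convention for this example.
ADVISORIES = [
    ("CVE-2023-34113", "windows", (5, 14, 0), "insufficient verification of data authenticity"),
    ("CVE-2023-34114", "windows", (5, 14, 10), "exposure of resource to wrong sphere"),
    ("CVE-2023-34114", "macos", (5, 14, 10), "exposure of resource to wrong sphere"),
    ("CVE-2023-34122", "windows", (5, 14, 0), "improper input validation in installer"),
    ("CVE-2023-34120", "windows", (5, 14, 0), "improper privilege management"),
    ("CVE-2023-34120", "rooms-windows", (5, 14, 0), "improper privilege management"),
    ("CVE-2023-34120", "vdi-windows", (5, 14, 0), "improper privilege management"),
    ("CVE-2023-28598", "vdi-windows", (5, 14, 0), "improper access control in VDI installer"),
    ("CVE-2023-28598", "linux", (5, 13, 10), "HTML injection in chat"),
]


def parse_version(text):
    """Turn '5.14.10' or '5.14.0 (12345)' into a tuple such as (5, 14, 10).

    Tuples compare numerically, so (5, 14, 10) > (5, 14, 2); a plain string
    comparison would rank '5.14.10' below '5.14.2' and miss exposed clients.
    """
    core = text.strip().split()[0]          # drop a trailing "(build)" suffix, if any
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    # Pad short forms like '5.14' to three components so they compare cleanly.
    return nums if len(nums) >= 3 else nums + (0,) * (3 - len(nums))


def unpatched_cves(platform, installed):
    """Return the sorted, de-duplicated CVEs from the article that still apply."""
    inst = parse_version(installed)
    hits = {cve for cve, plat, fixed, _ in ADVISORIES if plat == platform and inst < fixed}
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, platform, installed version).
    inventory = [("ws-01", "windows", "5.13.5 (11000)"), ("ws-02", "windows", "5.14.2"),
                 ("lx-01", "linux", "5.13.9"), ("vdi-01", "vdi-windows", "5.14.0")]
    for host, plat, ver in inventory:
        print(host, plat, ver, "->", unpatched_cves(plat, ver) or "up to date")
```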