=====================================================================
CERT-Renater Information Note No. 2024/VULN461
_____________________________________________________________________

DATE                 : 13/11/2024
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Zoom Apps.
=====================================================================

https://www.zoom.com/en/trust/security-bulletin/zsb-24043/
https://www.zoom.com/en/trust/security-bulletin/zsb-24041/
https://www.zoom.com/en/trust/security-bulletin/zsb-24044/
https://www.zoom.com/en/trust/security-bulletin/zsb-24042/
https://www.zoom.com/en/trust/security-bulletin/zsb-24040/
https://www.zoom.com/en/trust/security-bulletin/zsb-24039/
_____________________________________________________________________

Zoom Apps - Buffer Overflow

Bulletin: ZSB-24043
CVEID: CVE-2024-45421
CVSS Severity: High
CVSS Score: 8.5
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Description:
Buffer overflow in some Zoom Apps may allow an authenticated user to
conduct an escalation of privilege via network access.
Users can help keep themselves secure by applying the latest updates
available at https://zoom.us/download.

Affected Products:
  Zoom Workplace App for Windows before version 6.2.0
  Zoom Workplace App for macOS before version 6.2.0
  Zoom Workplace App for iOS before version 6.2.0
  Zoom Workplace App for Android before version 6.2.0
  Zoom Workplace App for Linux before version 6.2.0
  Zoom Workplace VDI Client for Windows before version 6.1.12 (except 6.0.14)
  Zoom Rooms Client for Windows before version 6.2.0
  Zoom Rooms Client for macOS before version 6.2.0
  Zoom Rooms Client for iPad before version 6.2.0
  Zoom Rooms Controller for Windows before version 6.2.0
  Zoom Rooms Controller for macOS before version 6.2.0
  Zoom Rooms Controller for Android before version 6.2.0
  Zoom Rooms Controller for Linux before version 6.2.0
  Zoom Video SDK for Windows before version 6.2.0
  Zoom Video SDK for macOS before version 6.2.0
  Zoom Video SDK for iOS before version 6.2.0
  Zoom Video SDK for Android before version 6.2.0
  Zoom Video SDK for Linux before version 6.2.0
  Zoom Meeting SDK for Windows before version 6.2.0
  Zoom Meeting SDK for macOS before version 6.2.0
  Zoom Meeting SDK for iOS before version 6.2.0
  Zoom Meeting SDK for Android before version 6.2.0
  Zoom Meeting SDK for Linux before version 6.2.0

Source: Reported by Zoom Offensive Security.

Revision  Date        Description
1.0       11/12/2024  Initial publication.
_____________________________________________________________________

Zoom Apps - Improper Input Validation

Bulletin: ZSB-24041
CVEID: CVE-2024-45419
CVSS Severity: High
CVSS Score: 8.1
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Description:
Improper input validation in some Zoom Apps may allow an unauthenticated
user to conduct a disclosure of information via network access.
Users can help keep themselves secure by applying the latest updates
available at https://zoom.us/download.

Affected Products:
  Zoom Workplace App for Windows before version 6.2.0
  Zoom Workplace App for macOS before version 6.2.0
  Zoom Workplace App for iOS before version 6.2.0
  Zoom Workplace App for Android before version 6.2.0
  Zoom Workplace App for Linux before version 6.2.0
  Zoom Workplace VDI Client for Windows before version 6.1.12 (except 6.0.14)
  Zoom Rooms Client for Windows before version 6.2.0
  Zoom Rooms Client for macOS before version 6.2.0
  Zoom Rooms Client for iPad before version 6.2.0
  Zoom Rooms Controller for Windows before version 6.2.0
  Zoom Rooms Controller for macOS before version 6.2.0
  Zoom Rooms Controller for Android before version 6.2.0
  Zoom Rooms Controller for Linux before version 6.2.0
  Zoom Video SDK for Windows before version 6.2.0
  Zoom Video SDK for macOS before version 6.2.0
  Zoom Video SDK for iOS before version 6.2.0
  Zoom Video SDK for Android before version 6.2.0
  Zoom Video SDK for Linux before version 6.2.0
  Zoom Meeting SDK for Windows before version 6.2.0
  Zoom Meeting SDK for macOS before version 6.2.0
  Zoom Meeting SDK for iOS before version 6.2.0
  Zoom Meeting SDK for Android before version 6.2.0
  Zoom Meeting SDK for Linux before version 6.2.0

Source: Reported by Zoom Offensive Security.

Revision  Date        Description
1.0       11/12/2024  Initial publication.
_____________________________________________________________________

Zoom Apps - Improper Input Validation

Bulletin: ZSB-24044
CVEID: CVE-2024-45422
CVSS Severity: Medium
CVSS Score: 6.5
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Description:
Improper input validation in some Zoom Apps before version 6.2.0 may
allow an unauthenticated user to conduct a denial of service via network
access.
Users can help keep themselves secure by applying the latest updates
available at https://zoom.us/download.

Affected Products:
  Zoom Workplace App for macOS before version 6.2.0
  Zoom Workplace App for iOS before version 6.2.0
  Zoom Workplace App for Windows before version 6.2.0
  Zoom Workplace App for Linux before version 6.2.0
  Zoom Workplace App for Android before version 6.2.0
  Zoom Rooms Client for Windows before version 6.2.0
  Zoom Rooms Client for macOS before version 6.2.0
  Zoom Rooms Controller for Windows before version 6.2.0
  Zoom Rooms Controller for macOS before version 6.2.0
  Zoom Rooms Client for iPad before version 6.2.0
  Zoom Rooms Controller for Android before version 6.2.0
  Zoom Rooms Controller for Linux before version 6.2.0
  Zoom Video SDK for Windows before version 6.2.0
  Zoom Video SDK for macOS before version 6.2.0
  Zoom Video SDK for iOS before version 6.2.0
  Zoom Video SDK for Android before version 6.2.0
  Zoom Video SDK for Linux before version 6.2.0
  Zoom Meeting SDK for Windows before version 6.2.0
  Zoom Meeting SDK for macOS before version 6.2.0
  Zoom Meeting SDK for iOS before version 6.2.0
  Zoom Meeting SDK for Android before version 6.2.0
  Zoom Meeting SDK for Linux before version 6.2.0

Source: Reported by Zoom Offensive Security.

Revision  Date        Description
1.0       11/12/2024  Initial publication.
_____________________________________________________________________

Zoom Apps - Uncontrolled Resource Consumption

Bulletin: ZSB-24042
CVEID: CVE-2024-45420
CVSS Severity: Medium
CVSS Score: 4.3
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Description:
Uncontrolled resource consumption in some Zoom Apps before version 6.2.0
may allow an authenticated user to conduct a denial of service via
network access.
Users can help keep themselves secure by applying the latest updates
available at https://zoom.us/download.

Affected Products:
  Zoom Workplace App for Windows before version 6.2.0
  Zoom Workplace App for macOS before version 6.2.0
  Zoom Workplace App for iOS before version 6.2.0
  Zoom Workplace App for Android before version 6.2.0
  Zoom Workplace App for Linux before version 6.2.0
  Zoom Rooms Client for Windows before version 6.2.0
  Zoom Rooms Client for macOS before version 6.2.0
  Zoom Rooms Client for iPad before version 6.2.0
  Zoom Rooms Controller for Windows before version 6.2.0
  Zoom Rooms Controller for macOS before version 6.2.0
  Zoom Rooms Controller for Android before version 6.2.0
  Zoom Rooms Controller for Linux before version 6.2.0
  Zoom Video SDK for Windows before version 6.2.0
  Zoom Video SDK for macOS before version 6.2.0
  Zoom Video SDK for iOS before version 6.2.0
  Zoom Video SDK for Android before version 6.2.0
  Zoom Video SDK for Linux before version 6.2.0
  Zoom Meeting SDK for Windows before version 6.2.0
  Zoom Meeting SDK for macOS before version 6.2.0
  Zoom Meeting SDK for iOS before version 6.2.0
  Zoom Meeting SDK for Android before version 6.2.0
  Zoom Meeting SDK for Linux before version 6.2.0

Source: Reported by Zoom Offensive Security.

Revision  Date        Description
1.0       11/12/2024  Initial publication.
_____________________________________________________________________

Zoom Apps for macOS - Symbolic Link Following

Bulletin: ZSB-24040
CVEID: CVE-2024-45418
CVSS Severity: Medium
CVSS Score: 5.4
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description:
Symlink following in the installer for some Zoom apps for macOS before
version 6.1.5 may allow an authenticated user to conduct an escalation of
privilege via network access.
Users can help keep themselves secure by applying the latest updates
available at https://zoom.us/download.

Affected Products:
  Zoom Workplace App for macOS before version 6.1.5
  Zoom Meeting SDK for macOS before version 6.1.5
  Zoom Video SDK for macOS before version 6.1.5
  Zoom Rooms App for macOS before version 6.1.5

Source: Reported by an anonymous researcher.

Revision  Date        Description
1.0       11/12/2024  Initial publication.
_____________________________________________________________________

Zoom Apps for macOS - Uncontrolled Resource Consumption

Bulletin: ZSB-24039
CVEID: CVE-2024-45417
CVSS Severity: Medium
CVSS Score: 6
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Description:
Uncontrolled resource consumption in the installer for some Zoom apps for
macOS before version 6.1.5 may allow a privileged user to conduct a
disclosure of information via local access.
Users can help keep themselves secure by applying the latest updates
available at https://zoom.us/download.

Affected Products:
  Zoom Workplace App for macOS before version 6.1.5
  Zoom Meeting SDK for macOS before version 6.1.5
  Zoom Video SDK for macOS before version 6.1.5
  Zoom Rooms App for macOS before version 6.1.5

Source: Reported by an anonymous researcher.

Revision  Date        Description
1.0       11/12/2024  Initial publication.

=========================================================
+ CERT-RENATER       | tel   : 01-53-94-20-44           +
+ 23/25 Rue Daviel   | fax   : 01-53-94-20-41           +
+ 75013 Paris        | email : cert@support.renater.fr  +
=========================================================