=====================================================================
CERT-Renater Information Note No. 2025/VULN314
_____________________________________________________________________

DATE : 15/05/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Zoom Workplace Desktop App, Zoom Workplace App,
Zoom Rooms Client, Zoom Meeting SDK versions prior to 6.4.0, Zoom Workplace VDI Client
versions prior to 6.3.10.
=====================================================================

https://www.zoom.com/en/trust/security-bulletin/zsb-25016/
https://www.zoom.com/en/trust/security-bulletin/zsb-25017/
https://www.zoom.com/en/trust/security-bulletin/ZSB-25018/
https://www.zoom.com/en/trust/security-bulletin/ZSB-25019/
https://www.zoom.com/en/trust/security-bulletin/ZSB-25021/
https://www.zoom.com/en/trust/security-bulletin/ZSB-25022/
_____________________________________________________________________

Zoom Workplace Apps - Time-of-check Time-of-use

Bulletin: ZSB-25016
CVEID: CVE-2025-30663
CVSS Severity: High
CVSS Score: 8.8
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description:
Time-of-check time-of-use race condition in some Zoom Workplace Apps may allow an
authenticated user to conduct an escalation of privilege via local access.
Users can help keep themselves secure by applying the latest updates available at
https://zoom.us/download.

Affected Products:
  Zoom Workplace Desktop App for Windows before version 6.4.0
  Zoom Workplace Desktop App for macOS before version 6.4.0
  Zoom Workplace Desktop App for Linux before version 6.4.0
  Zoom Workplace App for iOS before version 6.4.0
  Zoom Workplace App for Android before version 6.4.0
  Zoom Workplace VDI Client for Windows before version 6.3.10 (except versions 6.1.16 and 6.2.12)
  Zoom Rooms Controller for Windows before version 6.4.0
  Zoom Rooms Controller for macOS before version 6.4.0
  Zoom Rooms Controller for Linux before version 6.4.0
  Zoom Rooms Controller for Android before version 6.4.0
  Zoom Rooms Client for Windows before version 6.4.0
  Zoom Rooms Client for macOS before version 6.4.0
  Zoom Rooms Client for Android before version 6.4.0
  Zoom Rooms Client for iPad before version 6.4.0
  Zoom Meeting SDK for Windows before version 6.4.0
  Zoom Meeting SDK for iOS before version 6.4.0
  Zoom Meeting SDK for Android before version 6.4.0
  Zoom Meeting SDK for macOS before version 6.4.0
  Zoom Meeting SDK for Linux before version 6.4.0

Source: Reported by sim0nsecurity.

Revision  Date        Description
1.0       05/13/2025  Initial publication.
_____________________________________________________________________

Zoom Workplace Apps - Improper Neutralization of Special Elements

Bulletin: ZSB-25017
CVEID: CVE-2025-30664
CVSS Severity: Medium
CVSS Score: 6.6
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Description:
Improper neutralization of special elements in some Zoom Workplace Apps may allow an
authenticated user to conduct an escalation of privilege via local access.
Users can help keep themselves secure by applying the latest updates available at
https://zoom.us/download.

Affected Products:
  Zoom Workplace Desktop App for Windows before version 6.4.0
  Zoom Workplace Desktop App for macOS before version 6.4.0
  Zoom Workplace Desktop App for Linux before version 6.4.0
  Zoom Workplace App for iOS before version 6.4.0
  Zoom Workplace App for Android before version 6.4.0
  Zoom Workplace VDI Client for Windows before version 6.3.10
  Zoom Rooms Controller for Windows before version 6.4.0
  Zoom Rooms Controller for macOS before version 6.4.0
  Zoom Rooms Controller for Linux before version 6.4.0
  Zoom Rooms Controller for Android before version 6.4.0
  Zoom Rooms Client for Windows before version 6.4.0
  Zoom Rooms Client for macOS before version 6.4.0
  Zoom Rooms Client for Android before version 6.4.0
  Zoom Rooms Client for iPad before version 6.4.0
  Zoom Meeting SDK for Windows before version 6.4.0
  Zoom Meeting SDK for iOS before version 6.4.0
  Zoom Meeting SDK for Android before version 6.4.0
  Zoom Meeting SDK for macOS before version 6.4.0
  Zoom Meeting SDK for Linux before version 6.4.0

Source: Reported by Zoom Engineering Security.

Revision  Date        Description
1.0       05/13/2025  Initial publication.
_____________________________________________________________________

Zoom Workplace Apps for Windows - NULL Pointer Dereference

Bulletin: ZSB-25018
CVEID: CVE-2025-30665, CVE-2025-30666
CVSS Severity: Medium
CVSS Score: 6.5
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Description:
NULL pointer dereference in some Zoom Workplace Apps for Windows may allow an
authenticated user to conduct a denial of service via network access.
Users can help keep themselves secure by applying the latest updates available at
https://zoom.us/download.

Affected Products:
  Zoom Workplace Desktop App for Windows before version 6.4.0
  Zoom Workplace VDI Client for Windows before version 6.3.10 (except versions 6.1.17 and 6.2.13)
  Zoom Rooms Controller for Windows before version 6.4.0
  Zoom Rooms Client for Windows before version 6.4.0
  Zoom Meeting SDK for Windows before version 6.4.0

Source: Reported by fre3dm4n.

Revision  Date        Description
1.0       05/13/2025  Initial publication.
_____________________________________________________________________

Zoom Workplace Apps - NULL Pointer Dereference

Bulletin: ZSB-25019
CVEID: CVE-2025-30667
CVSS Severity: Medium
CVSS Score: 6.5
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Description:
NULL pointer dereference in some Zoom Workplace Apps for Windows may allow an
authenticated user to conduct a denial of service via network access.
Users can help keep themselves secure by applying the latest updates available at
https://zoom.us/download.

Affected Products:
  Zoom Workplace Desktop App for Windows before version 6.4.0
  Zoom Workplace Desktop App for macOS before version 6.4.0
  Zoom Workplace Desktop App for Linux before version 6.4.0
  Zoom Workplace App for iOS before version 6.4.0
  Zoom Workplace App for Android before version 6.4.0
  Zoom Workplace VDI Client for Windows before version 6.3.10 (except versions 6.1.17 and 6.2.13)
  Zoom Rooms Controller for Windows before version 6.4.0
  Zoom Rooms Controller for macOS before version 6.4.0
  Zoom Rooms Controller for Linux before version 6.4.0
  Zoom Rooms Controller for Android before version 6.4.0
  Zoom Rooms Client for Windows before version 6.4.0
  Zoom Rooms Client for macOS before version 6.4.0
  Zoom Rooms Client for Android before version 6.4.0
  Zoom Rooms Client for iPad before version 6.4.0
  Zoom Meeting SDK for Windows before version 6.4.0
  Zoom Meeting SDK for iOS before version 6.4.0
  Zoom Meeting SDK for Android before version 6.4.0
  Zoom Meeting SDK for macOS before version 6.4.0
  Zoom Meeting SDK for Linux before version 6.4.0

Source: Reported by Zoom Engineering Security.

Revision  Date        Description
1.0       05/13/2025  Initial publication.
_____________________________________________________________________

Zoom Workplace Apps for Windows - Buffer Over-read

Bulletin: ZSB-25021
CVEID: CVE-2025-46785
CVSS Severity: Medium
CVSS Score: 6.5
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Description:
Buffer over-read in some Zoom Workplace Apps for Windows may allow an authenticated
user to conduct a denial of service via network access.
Users can help keep themselves secure by applying the latest updates available at
https://zoom.us/download.

Affected Products:
  Zoom Workplace Desktop App for Windows before version 6.4.0
  Zoom Workplace VDI Client for Windows before version 6.3.10 (except versions 6.1.17 and 6.2.13)
  Zoom Rooms Controller for Windows before version 6.4.0
  Zoom Rooms Client for Windows before version 6.4.0
  Zoom Meeting SDK for Windows before version 6.4.0

Source: Reported by fre3dm4n.

Revision  Date        Description
1.0       05/13/2025  Initial publication.
_____________________________________________________________________

Zoom Workplace Apps - Improper Neutralization of Special Elements

Bulletin: ZSB-25022
CVEID: CVE-2025-46786, CVE-2025-46787
CVSS Severity: Medium
CVSS Score: 4.3
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Description:
Improper neutralization of special elements in some Zoom Workplace Apps may allow an
authenticated user to impact app integrity via network access.
Users can help keep themselves secure by applying the latest updates available at
https://zoom.us/download.

Affected Products:
  Zoom Workplace Desktop App for Windows before version 6.4.0
  Zoom Workplace Desktop App for macOS before version 6.4.0
  Zoom Workplace Desktop App for Linux before version 6.4.0
  Zoom Workplace App for iOS before version 6.4.0
  Zoom Workplace App for Android before version 6.4.0
  Zoom Workplace VDI Client for Windows before version 6.3.10 (except versions 6.1.17 and 6.2.13)
  Zoom Rooms Controller for Windows before version 6.4.0
  Zoom Rooms Controller for macOS before version 6.4.0
  Zoom Rooms Controller for Linux before version 6.4.0
  Zoom Rooms Controller for Android before version 6.4.0
  Zoom Rooms Client for Windows before version 6.4.0
  Zoom Rooms Client for macOS before version 6.4.0
  Zoom Rooms Client for Android before version 6.4.0
  Zoom Rooms Client for iPad before version 6.4.0
  Zoom Meeting SDK for Windows before version 6.4.0
  Zoom Meeting SDK for iOS before version 6.4.0
  Zoom Meeting SDK for Android before version 6.4.0
  Zoom Meeting SDK for macOS before version 6.4.0
  Zoom Meeting SDK for Linux before version 6.4.0

Source: Reported by Zoom Engineering Security.

Revision  Date        Description
1.1       05/13/2025  Fixed CVEID field.
1.0       05/13/2025  Initial publication.

=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44        +
+ 23/25 Rue Daviel        | fax : 01-53-94-20-41        +
+ 75013 Paris             | email:cert@support.renater.fr +
=========================================================
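The six bulletins above share one pattern (everything before 6.4.0 is affected, the VDI Client before 6.3.10) but differ in which platforms are in scope and in which earlier VDI releases are explicitly excepted. The following triage script, added here as an example and not part of the CERT-Renater note or of any Zoom tooling, encodes exactly the affected-product lists printed above and answers, for an inventory entry, which bulletins still apply. The inventory rows are constructed for the example; product and platform names must match the bulletin wording. Versions are compared as integer tuples so that, for instance, a hypothetical 6.10.0 is correctly treated as newer than 6.4.0 (a plain string comparison would get that wrong).

```python
from dataclasses import dataclass, field

# Product/platform pairs exactly as listed in the bulletins' "Affected Products" sections.
WINDOWS_ONLY = [
    ("Zoom Workplace Desktop App", "Windows"),
    ("Zoom Workplace VDI Client", "Windows"),
    ("Zoom Rooms Controller", "Windows"),
    ("Zoom Rooms Client", "Windows"),
    ("Zoom Meeting SDK", "Windows"),
]
ALL_PLATFORMS = WINDOWS_ONLY + [
    ("Zoom Workplace Desktop App", "macOS"), ("Zoom Workplace Desktop App", "Linux"),
    ("Zoom Workplace App", "iOS"), ("Zoom Workplace App", "Android"),
    ("Zoom Rooms Controller", "macOS"), ("Zoom Rooms Controller", "Linux"),
    ("Zoom Rooms Controller", "Android"),
    ("Zoom Rooms Client", "macOS"), ("Zoom Rooms Client", "Android"),
    ("Zoom Rooms Client", "iPad"),
    ("Zoom Meeting SDK", "iOS"), ("Zoom Meeting SDK", "Android"),
    ("Zoom Meeting SDK", "macOS"), ("Zoom Meeting SDK", "Linux"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """'6.3.10' -> (6, 3, 10); tuples compare numerically, component by component."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Rule:
    bulletin: str
    product: str
    platform: str
    fixed_in: str                                   # first version that is NOT affected
    exceptions: frozenset = field(default_factory=frozenset)  # earlier patched releases

    def applies_to(self, version: str) -> bool:
        v = parse_version(version)
        if v in {parse_version(e) for e in self.exceptions}:
            return False                            # "except versions x and y" in the bulletin
        return v < parse_version(self.fixed_in)


def _rules(bulletin, products, vdi_exceptions=()):
    # The VDI Client is fixed in 6.3.10 with per-bulletin exceptions; everything else in 6.4.0.
    return [
        Rule(bulletin, p, plat, "6.3.10", frozenset(vdi_exceptions))
        if p == "Zoom Workplace VDI Client" else Rule(bulletin, p, plat, "6.4.0")
        for p, plat in products
    ]


RULES = (
    _rules("ZSB-25016", ALL_PLATFORMS, ("6.1.16", "6.2.12"))
    + _rules("ZSB-25017", ALL_PLATFORMS)             # no VDI exception listed in the bulletin
    + _rules("ZSB-25018", WINDOWS_ONLY, ("6.1.17", "6.2.13"))
    + _rules("ZSB-25019", ALL_PLATFORMS, ("6.1.17", "6.2.13"))
    + _rules("ZSB-25021", WINDOWS_ONLY, ("6.1.17", "6.2.13"))
    + _rules("ZSB-25022", ALL_PLATFORMS, ("6.1.17", "6.2.13"))
)


def affected_bulletins(product: str, platform: str, version: str) -> list[str]:
    """Return the sorted bulletin IDs still open for this product/platform/version."""
    return sorted({r.bulletin for r in RULES
                   if r.product == product and r.platform == platform
                   and r.applies_to(version)})


def triage(inventory) -> dict:
    """Map each (host, product, platform, version) row to its open bulletins."""
    return {row[0]: affected_bulletins(*row[1:]) for row in inventory}


# Constructed sample inventory for the example (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "Zoom Workplace Desktop App", "Windows", "6.3.11"),
    ("mac-07", "Zoom Workplace Desktop App", "macOS", "6.3.11"),
    ("vdi-02", "Zoom Workplace VDI Client", "Windows", "6.2.12"),
    ("vdi-03", "Zoom Workplace VDI Client", "Windows", "6.2.13"),
    ("sdk-lx", "Zoom Meeting SDK", "Linux", "6.10.0"),
]

if __name__ == "__main__":
    for host, bulletins in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(bulletins) or 'not affected'}")
```

Note how the two VDI rows differ: 6.2.12 is excepted only from ZSB-25016, so it remains exposed to the other five bulletins, while 6.2.13 is excepted from the four bulletins that list it but still falls under ZSB-25016 and ZSB-25017. When the patch state of such back-ported releases matters, the exception lists should be taken from the vendor bulletin rather than inferred from version order.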