Zoom Security Updates 15 March 2023

Zoom has released security updates to fix vulnerabilities in multiple products.

The addressed vulnerabilities could allow an attacker to perform remote code execution, gain elevated privileges, or cause a denial of service on the affected product.

Sample of the addressed vulnerabilities:

1. Improper Trust Boundary Implementation for SMB in Zoom Clients (CVE-2023-22885):

• CVSS: 8.3

• Attack Vector: Adjacent Network

• Attack Complexity: High

• Privileges Required: None

• User Interaction: None

• Consequences: Gain Access

2. Zoom Rooms for Windows Installers Privilege Escalation (CVE-2022-36930):

• CVSS: 7.2

• Attack Vector: Local

• Attack Complexity: High

• Privileges Required: Low

• User Interaction: Required

• Consequences: Gain Privilege

Sample of the affected products:

• Zoom (for Android, iOS, Linux, macOS, and Windows) clients before version 5.13.5.

• Zoom Rooms (for Android, iOS, Linux, macOS, and Windows) clients before version 5.13.5.

• Zoom VDI Windows Meeting clients before version 5.13.10.

• Zoom Client for Meetings for IT Admin macOS and Windows installers before version 5.13.5.
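
An added example (not from Zoom or from this advisory) that checks a software inventory against the fixed versions listed above. It compares version fields numerically, so 5.13.9 sorts below 5.13.10 and 5.9.12 below 5.13.5. The product keys, the sample inventory and the accepted version-string formats are assumptions.

```python
import re

# Fixed versions from the advisory's affected-products list.
# The short product keys are labels invented for this example.
FIXED = {
    "zoom-client": (5, 13, 5),
    "zoom-rooms": (5, 13, 5),
    "zoom-vdi-windows": (5, 13, 10),
    "zoom-it-admin-installer": (5, 13, 5),
}

def parse_version(text):
    """Parse '5.13.5', '5.13.5.12053' or '5.13.5 (12053)' (assumed formats)
    into a 3-tuple of ints; any build number after the third field is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def needs_update(product, version_text):
    """True when the installed version is below the fixed version."""
    return parse_version(version_text) < FIXED[product]

def audit(inventory):
    """Return (host, product, version, status) rows."""
    rows = []
    for host, product, version in inventory:
        try:
            status = "UPDATE" if needs_update(product, version) else "ok"
        except (KeyError, ValueError):
            status = "REVIEW"  # unknown product or unparseable version
        rows.append((host, product, version, status))
    return rows

# Constructed sample inventory (hosts and build numbers are made up).
SAMPLE = [
    ("ws-001", "zoom-client", "5.13.4 (11835)"),
    ("ws-002", "zoom-client", "5.13.5.12053"),
    ("vdi-01", "zoom-vdi-windows", "5.13.9"),
    ("vdi-02", "zoom-vdi-windows", "5.13.10"),
    ("room-7", "zoom-rooms", "5.9.12"),
    ("kiosk", "zoom-rooms", "unknown"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-8s %-18s %-16s %s" % row)
```

Entries marked REVIEW have an unknown product or an unparseable version and are reported separately rather than being counted as patched.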

Vulnerabilities

• CVE-2023-22885

• CVE-2023-22884

• CVE-2023-22883

• CVE-2023-22882

• CVE-2023-22881

• CVE-2023-22880

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Zoom Security Advisory
