Zoom Vulnerability: Escalation of Privileges

By Joshua Bourns on March 28, 2024

Executive Summary

On February 8th, 2024, Zoom disclosed a critical vulnerability (CVE-2024-24691) affecting their Windows desktop client, VDI client, Rooms client, and Meeting SDK. This vulnerability allowed unauthenticated attackers with network access to escalate privileges on affected systems. Since then, Zoom has released security updates to address the issue.

Background

Zoom is a popular video conferencing platform used by millions worldwide across various sectors, including businesses and schools. The vulnerability, discovered by Zoom’s internal offensive security team, stemmed from improper input validation. In software development, input validation refers to the process of checking data received from users or external systems to ensure it conforms to expected requirements. When input validation is inadequate, malicious actors can inject unexpected or unauthorized code into the application, potentially leading to unintended consequences. In this specific case, the improper input validation in Zoom’s software products likely involved failing to properly sanitize or validate user-provided input within network packets, potentially allowing attackers to bypass security measures and execute arbitrary code to gain unauthorized privileges.

Technical Details

While specific technical details of the vulnerability haven’t been publicly disclosed by Zoom to prevent widespread exploitation, researchers and security experts have offered insights into the potential nature of the exploit. Some possible techniques attackers might have employed include:

Malformed Packets: Attackers could have crafted network packets containing malformed data that the Zoom software incorrectly processed, leading to unintended code execution. This technique often involves exploiting buffer overflows, where attackers overflow a buffer with more data than it can hold, causing the program to overwrite adjacent memory locations and potentially execute attacker-controlled code.

Integer Overflows: Exploiting integer overflows occurs when mathematical operations on integers result in a value exceeding the maximum representable value. If the software doesn’t handle these overflows properly, it could lead to unintended consequences, such as manipulating program control flow and executing malicious code.

Code Injection: By supplying specially crafted input that bypasses validation checks, attackers might have been able to inject malicious code into the Zoom application. This code could then be executed and allow attackers to gain unauthorized privileges on the system.

Impact

Successful exploitation of this vulnerability could have led to attackers gaining elevated privileges on vulnerable systems, potentially compromising sensitive data, installing malware, or disrupting critical operations. Attackers with elevated privileges can perform actions that would normally require administrative access, such as:

Stealing data: Gaining access to sensitive information stored on the compromised system, such as user credentials, financial data, or intellectual property.

Installing malware: Deploying malicious software that can further compromise the system, steal data, or disrupt operations.

Lateral movement: Moving laterally within the network to compromise other systems and expand their reach.

Disrupting services: Disabling critical services or applications, causing operational disruptions for organizations.

While initial reports indicated limited targeted attacks, the widespread use of Zoom amplifies the potential impact. This highlights the importance of applying security updates promptly and maintaining a vigilant security posture.

Mitigation Strategies

To mitigate the risk, users are strongly encouraged to update their Zoom software to the latest versions (v5.16.5 for desktop client, v5.16.10 for VDI client, v5.17.0 for Rooms client, and v5.16.5 for Meeting SDK) as soon as possible. Additionally, implementing network segmentation and restricting access to unnecessary network resources can further reduce the attack surface and limit the potential impact of similar vulnerabilities in the future.

Conclusion

The recent escalation of privilege vulnerability in Zoom serves as a reminder of the evolving cyber threat landscape. While Zoom has addressed the issue with a patch, staying vigilant and implementing robust security practices remains very important. Users should prioritize updating their software, following official security advisories, and remaining informed about potential threats to ensure their online safety.

References

[1] Bleeping Computer, “Zoom patches critical privilege elevation flaw in Windows apps,” Feb. 9, 2024 https://www.bleepingcomputer.com/news/security/zoom-patches-critical-privilege-elevation-flaw-in-windows-apps/

[2] Cyber Fraud Centre, “Zoom has released security updates to patch critical privilege escalation vulnerability,” Feb. 8, 2024 https://cyberfraudcentre.com/zoom-has-released-security-updates-to-patch-critical-privilege-escalation-vulnerability

[3] NIST, “CVE-2024-24691 Detail. National Vulnerability Database,” Feb. 13, 2024 https://nvd.nist.gov/vuln/detail/CVE-2024-24691

[4] OWASP, “Input Validation,” Oct. 27, 2023 https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

[5] SecurityWeek, “Zoom Patches Critical Vulnerability in Windows Applications,” Feb. 9, 2024 https://www.securityweek.com/zoom-patches-critical-vulnerability-in-windows-applications/

[6] The Register, “Zoom stomps critical privilege escalation bug plus 6 other flaws,” Feb. 15, 2024 https://www.searchenginejournal.com/zoom-privilege-escalation-vulnerability-via-improper-authorization/503722/

[7] Zoom Video Communications, “Zoom Security Bulletins: ZSB-2024- 01,” Feb. 8, 2024 https://www.zoom.com/en/trust/security-bulletin/