Zoom Clients - Untrusted Search Path
Description
Untrusted search path in Zoom 32-bit Windows clients allows an authenticated user to escalate privileges locally.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2024-24697 is an untrusted search path vulnerability affecting 32-bit Zoom Windows clients, including the Zoom Desktop Client for Windows before version 5.17.0, the Zoom VDI Client for Windows before version 5.17.5 (excluding 5.15.15 and 5.16.12), the Zoom Meeting SDK for Windows before version 5.17.0, and the Zoom Rooms Client for Windows before an unspecified version. The bug arises when these applications load external libraries or resources from an untrusted location, allowing an attacker to place a malicious file that the client will execute [1].
Exploitation
An authenticated user with local access to the Windows system can exploit this vulnerability by placing a specially crafted DLL or other executable file in a directory that the Zoom client searches before the legitimate system path. The attacker must have the ability to write to a directory that will be included in the search order, and the user must launch the Zoom client, triggering the loading of the malicious file. The CVSS vector indicates that the attack requires high privileges, high complexity, and user interaction [1].
Impact
Successful exploitation allows the attacker to escalate privileges, potentially gaining the ability to execute arbitrary code with the same level of access as the target process. Depending on the context, this could lead to full compromise of the affected system, including the ability to read, modify, or delete sensitive data, install programs, or create new accounts with elevated rights [1].
Mitigation
Users should update to the fixed versions: Zoom Desktop Client for Windows version 5.17.0 or later, Zoom VDI Client for Windows version 5.17.5 or later (or versions 5.15.15 and 5.16.12 as applicable), Zoom Meeting SDK for Windows version 5.17.0 or later, and the latest available build of the Zoom Rooms Client for Windows. No workaround is provided, and the vendor recommends applying the latest updates from the official download page [1].
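For triaging a software inventory against the version boundaries listed above, the following is an added example, not code from Zoom or from this page's source. The product keys (`desktop`, `vdi`, `meeting-sdk`, `rooms`), the row format, and the sample hosts and version strings are assumptions constructed for illustration.

```python
import re

# First fixed release per product, as quoted in the text above. None means the
# page gives no boundary ("an unspecified version"), so no verdict is possible.
FIXED_IN = {"desktop": (5, 17, 0), "vdi": (5, 17, 5),
            "meeting-sdk": (5, 17, 0), "rooms": None}
# VDI releases the page excludes from the affected range.
VDI_EXCLUDED = {(5, 15, 15), (5, 16, 12)}


def parse_version(text):
    """Return the leading major.minor.patch of a version string as a tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(product, version, bits):
    """Return 'affected', 'not-affected' or 'unknown' for one installed client."""
    if product not in FIXED_IN:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    if bits != 32:
        return "not-affected"  # the page scopes the issue to 32-bit clients
    fixed = FIXED_IN[product]
    if fixed is None:
        return "unknown"  # Zoom Rooms: check the vendor bulletin by hand
    installed = parse_version(version)
    if product == "vdi" and installed in VDI_EXCLUDED:
        return "not-affected"
    return "affected" if installed < fixed else "not-affected"


def audit(rows):
    """Map (host, product, version, bits) rows to (host, verdict) pairs."""
    return [(host, classify(product, version, bits))
            for host, product, version, bits in rows]


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("ws-01", "desktop", "5.16.10 (26186)", 32),
    ("ws-02", "desktop", "5.17.0", 32),
    ("vdi-01", "vdi", "5.16.12", 32),
    ("vdi-02", "vdi", "5.17.2", 32),
    ("room-01", "rooms", "5.16.0", 32),
    ("ws-03", "desktop", "5.16.10", 64),
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE):
        print(f"{host}: {verdict}")
```

Rows that come back `unknown` are Zoom Rooms installs, for which the text above gives no version boundary.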
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Zoom Video Communications, Inc./Zoom Clients, v5. Range: see references
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.