Zoom Mobile and Desktop App Flaw Let Attackers Escalate Privilege

The popular video conferencing software Zoom has security issues with its desktop and mobile apps that could allow for privilege escalation.

An attacker may be able to obtain elevated privileges within the application or the operating system by exploiting this vulnerability.


A privilege escalation attack is an attempt to obtain unauthorized access to higher rights, permissions, privileges, or entitlements than those allocated to a particular account, user, or device. This can occur as a result of a system flaw, misconfiguration, or inadequate access controls.

Zoom Mobile App Flaws

CVE-2023-43583 – Cryptographic Issues

This medium-severity cryptographic issue, tracked as CVE-2023-43583, has a CVSS rating of 4.9.

Before version 5.16.0, the Zoom SDKs for Android and iOS, the Zoom Mobile App for Android, and the Zoom Mobile App for iOS could have permitted a privileged user to disclose information through network access.

CVE-2023-43585 – Improper Access Control

This is a high-severity flaw tracked as CVE-2023-43585, which has a CVSS rating of 7.1.

Before version 5.16.5, the Zoom Mobile App for iOS and Zoom SDKs for iOS may have improper access control, enabling an authenticated user to disclose information through network access.

Zoom Desktop Client Flaws

CVE-2023-43586 – Path Traversal

With a CVSS rating of 7.3, this high-severity bug has been identified as CVE-2023-43586.

An authorized user may be able to carry out an escalation of privilege via network access in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom SDKs for Windows using path traversal.

CVE-2023-36540 – Untrusted Search Path

With a CVSS rating of 7.3, this bug is classified as High severity and is tracked as CVE-2023-36540.

Before Zoom Desktop Client version 5.14.5 for Windows, an authenticated user may have been able to enable an escalation of privilege via local access by using an untrusted search path in the installer.

CVE-2023-36541 – Insufficient Verification of Data Authenticity

With a CVSS rating of 8, this bug is classified as High severity and is tracked as CVE-2023-36541.

Before Zoom Desktop Client for Windows version 5.14.5, there was insufficient data authenticity verification, which could have enabled an escalation of privilege via network access for an authenticated user.

CVE-2023-36534 – Path Traversal

With a 9.3 CVSS rating, this critical severity flaw is listed as CVE-2023-36534.

Before Zoom Desktop Client for Windows version 5.14.7, path traversal could have enabled an escalation of privilege via network access for an unauthorized user.

CVE-2023-39216 – Improper Input Validation

This vulnerability, identified as CVE-2023-39216, has a critical severity and a 9.6 CVSS rating.

Before Zoom Desktop Client for Windows version 5.14.7, improper input validation could have enabled an escalation of privilege via network access for an unauthorized user.

CVE-2023-39213 – Improper Neutralization of Special Elements

This vulnerability, identified as CVE-2023-39213, has a critical severity and a 9.6 CVSS rating.

An unauthenticated user may be able to enable an escalation of privilege via network access due to improper neutralization of special elements in Zoom Desktop Client for Windows and Zoom VDI Client.

Therefore, users are urged to install the most recent updates or obtain the latest version of the Zoom software, including all security updates.
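To turn the "before version X" statements above into something an administrator can run against an inventory, here is an added version-check example (not Zoom's code or the article's own); it assumes the product labels and the sample inventory shown, which are constructed, and it covers only the CVEs for which the article states a fixed version, leaving out CVE-2023-43586 and CVE-2023-39213.

```python
# Constructed defensive check, not Zoom's code. The thresholds are the
# "before version X" statements on this page; CVE-2023-43586 and
# CVE-2023-39213, for which no fixed version is stated here, are left out.
from typing import Dict, List, Tuple

# (product, CVE, first fixed version) as stated on the page
FIXED_VERSIONS: List[Tuple[str, str, str]] = [
    ("zoom-mobile-android",  "CVE-2023-43583", "5.16.0"),
    ("zoom-mobile-ios",      "CVE-2023-43583", "5.16.0"),
    ("zoom-sdk-android",     "CVE-2023-43583", "5.16.0"),
    ("zoom-sdk-ios",         "CVE-2023-43583", "5.16.0"),
    ("zoom-mobile-ios",      "CVE-2023-43585", "5.16.5"),
    ("zoom-sdk-ios",         "CVE-2023-43585", "5.16.5"),
    ("zoom-desktop-windows", "CVE-2023-36540", "5.14.5"),
    ("zoom-desktop-windows", "CVE-2023-36541", "5.14.5"),
    ("zoom-desktop-windows", "CVE-2023-36534", "5.14.7"),
    ("zoom-desktop-windows", "CVE-2023-39216", "5.14.7"),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.14.7 (13652)' or '5.14.7.13652' into a comparable int tuple.
    A build number in parentheses is ignored; parsing stops at the first
    non-numeric component so only the dotted release version is compared."""
    parts = []
    for p in v.split("(")[0].strip().split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(parts)

def affected_cves(product: str, installed: str) -> List[str]:
    """CVEs from the page whose fix version is newer than `installed`.
    Tuples compare numerically, so 5.9.1 < 5.14.5 (a string compare would not)."""
    have = parse_version(installed)
    hits: List[str] = []
    for prod, cve, fixed in FIXED_VERSIONS:
        if prod == product and have < parse_version(fixed) and cve not in hits:
            hits.append(cve)
    return hits

def audit(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each inventory label to its outstanding CVEs (empty list = patched)."""
    return {host: affected_cves(prod, ver) for host, (prod, ver) in inventory.items()}

if __name__ == "__main__":
    # Constructed sample: label -> (product, installed version string)
    for host, cves in audit({"ws-01": ("zoom-desktop-windows", "5.9.1")}).items():
        print(host, "outstanding:", ", ".join(cves) or "none")
```

A host reported at exactly the fixed version (e.g. 5.14.5) is not flagged for the CVEs fixed in that version but is still flagged for those fixed later (5.14.7), which matches the "before version X" wording above.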

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.