CVE-2021-34422: Security Bulletin
ZSB-21018 | 11/09/2021 | Path traversal of file names in Keybase Client for Windows | High | CVE-2021-34422
Severity: High
CVSS Score: 7.2
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Description: The Keybase Client for Windows before version 5.7.0 contains a path traversal vulnerability when checking the name of a file uploaded to a team folder. A malicious user could upload a file to a shared folder with a specially crafted file name which could allow a user to execute an application which was not intended on their host machine. If a malicious user leveraged this issue with the public folder sharing feature of the Keybase client, this could lead to remote code execution.
Keybase addressed this issue in the 5.7.0 Keybase Client for Windows release. Users can help keep themselves secure by applying current updates or downloading the latest Keybase software with all current security updates from https://keybase.io/download.
Affected Products:
- Keybase Client for Windows before version 5.7.0
Source: Reported by m4t35z
ZSB-21017 | 11/09/2021 | Retained exploded messages in Keybase clients for Android and iOS | Low | CVE-2021-34421
Severity: Low
CVSS Score: 3.7
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Description: The Keybase Client for Android before version 5.8.0 and the Keybase Client for iOS before version 5.8.0 fail to properly remove exploded messages initiated by a user if the receiving user places the chat session in the background while the sending user explodes the messages. This could lead to disclosure of sensitive information which was meant to be deleted from the customer’s device.
Keybase addressed this issue in the 5.8.0 Keybase Client for Android and the 5.8.0 Keybase Client for iOS releases. Users can help keep themselves secure by applying current updates or downloading the latest Keybase software with all current security updates from https://keybase.io/download.
Affected Products:
- All Keybase Client for Android before version 5.8.0
- All Keybase Client for iOS before version 5.8.0
Source: Reported by Olivia O’Hara, John Jackson, Jackson Henry, and Robert Willis
ZSB-21016 | 11/09/2021 | Zoom Windows installation executable signature bypass | Medium | CVE-2021-34420
Severity: Medium
CVSS Score: 4.7
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Description: The Zoom Client for Meetings for Windows installer before version 5.5.4 does not properly verify the signature of files with .msi, .ps1, and .bat extensions. This could lead to a malicious actor installing malicious software on a customer’s computer.
Zoom addressed this issue in the 5.5.4 Zoom Client for Meetings for Windows release. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.
Affected Products:
- All Zoom Client for Meetings for Windows before version 5.5.4
Source: Reported by laurent_hack
ZSB-21015 | 11/09/2021 | HTML injection in Zoom Linux client | Low | CVE-2021-34419
Severity: Low
CVSS Score: 3.7
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Description: In the Zoom Client for Meetings for Ubuntu Linux before version 5.1.0, there is an HTML injection flaw when sending a remote control request to a user in the process of in-meeting screen sharing. This could allow meeting participants to be targeted for social engineering attacks.
Zoom addressed this issue in the 5.1.0 Zoom Client for Meetings for Ubuntu Linux release. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.
Affected Products:
- Zoom Client for Meetings for Ubuntu Linux before version 5.1.0
Source: Reported by Danny de Weille and Rick Verdoes of hackdefense
ZSB-21014 | 11/09/2021 | Pre-auth Null pointer crash in on-premise web console | Medium | CVE-2021-34418
Severity: Medium
CVSS Score: 4.0
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Description: The login service of the web console for the products listed in the “Affected Products” section of this bulletin fails to validate input for a NULL byte sent while authenticating. This could lead to a crash of the login service.
Affected Products:
- Zoom On-Premise Meeting Connector Controller before version 4.6.239.20200613
- Zoom On-Premise Meeting Connector MMR before version 4.6.239.20200613
- Zoom On-Premise Recording Connector before version 3.8.42.20200905
- Zoom On-Premise Virtual Room Connector before version 4.4.6344.20200612
- Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5492.20200616
Source: Reported by Jeremy Brown
ZSB-21013 | 11/09/2021 | Authenticated remote command execution with root privileges via web console in MMR | High | CVE-2021-34417
Severity: High
CVSS Score: 7.9
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Description: The network proxy page on the web portal for the products listed in the “Affected Products” section of this bulletin fails to validate input sent in requests to set the network proxy password. This could lead to remote command injection by a web portal administrator.
Affected Products:
- Zoom On-Premise Meeting Connector Controller before version 4.6.365.20210703
- Zoom On-Premise Meeting Connector MMR before version 4.6.365.20210703
- Zoom On-Premise Recording Connector before version 3.8.45.20210703
- Zoom On-Premise Virtual Room Connector before version 4.4.6868.20210703
- Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5496.20210703
Source: Reported by Jeremy Brown
ZSB-21012 | 09/30/2021 | Remote Code Execution against On-Prem Images via webportal | Medium | CVE-2021-34416
Severity: Medium
CVSS Score: 5.5
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Description: The network address administrative settings web portal for the Zoom on-premise Meeting Connector before version 4.6.360.20210325, Zoom on-premise Meeting Connector MMR before version 4.6.360.20210325, Zoom on-premise Recording Connector before version 3.8.44.20210326, Zoom on-premise Virtual Room Connector before version 4.4.6752.20210326, and Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326 fails to validate input sent in requests to update the network configuration, which could lead to remote command injection on the on-premise image by the web portal administrators.
Affected Products:
- Zoom on-premise Meeting Connector before version 4.6.360.20210325
- Zoom on-premise Meeting Connector MMR before version 4.6.360.20210325
- Zoom on-premise Recording Connector before version 3.8.44.20210326
- Zoom on-premise Virtual Room Connector before version 4.4.6752.20210326
- Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326
Source: Reported by Egor Dimitrenko of Positive Technologies
ZSB-21011 | 09/30/2021 | ZC crash using a PDU which causes many allocations | High | CVE-2021-34415
Severity: High
CVSS Score: 7.5
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description: The Zone Controller service in the Zoom On-Premise Meeting Connector Controller before version 4.6.358.20210205 does not verify the cnt field sent in incoming network packets, which leads to exhaustion of resources and system crash.
Affected Products:
- Zoom On-Premise Meeting Connector Controller before version 4.6.358.20210205
Source: Reported by Nikita Abramov of Positive Technologies
ZSB-21010 | 09/30/2021 | Remote Code Execution against Meeting Connector server via webportal network proxy configuration | Medium | CVE-2021-34414
Severity: Medium
CVSS Score: 7.2
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description: The network proxy page on the web portal for the Zoom on-premise Meeting Connector Controller before version 4.6.348.20201217, Zoom on-premise Meeting Connector MMR before version 4.6.348.20201217, Zoom on-premise Recording Connector before version 3.8.42.20200905, Zoom on-premise Virtual Room Connector before version 4.4.6620.20201110, and Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326 fails to validate input sent in requests to update the network proxy configuration, which could lead to remote command injection on the on-premise image by a web portal administrator.
Affected Products:
- Zoom on-premise Meeting Connector Controller before version 4.6.348.20201217
- Zoom on-premise Meeting Connector MMR before version 4.6.348.20201217
- Zoom on-premise Recording Connector before version 3.8.42.20200905
- Zoom on-premise Virtual Room Connector before version 4.4.6620.20201110
- Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326
Source: Reported by Egor Dimitrenko of Positive Technologies
ZSB-21009 | 09/30/2021 | Zoom MacOS Outlook Plugin Installer Local Privilege Escalation | Low | CVE-2021-34413
Severity: Low
CVSS Score: 2.8
CVSS Vector String: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
Description: All versions of the Zoom Plugin for Microsoft Outlook for MacOS before 5.3.52553.0918 contain a Time-of-check Time-of-use (TOC/TOU) vulnerability during the plugin installation process. This could allow a standard user to write their own malicious application to the plugin directory, allowing the malicious application to execute in a privileged context.
Affected Products:
- All versions of the Zoom Plugin for Microsoft Outlook for MacOS before 5.3.52553.0918
Source: Reported by the Lockheed Martin Red Team
ZSB-21008 | 09/30/2021 | Zoom for Windows Installer Local Privilege Escalation | Medium | CVE-2021-34412
Severity: Medium
CVSS Score: 4.4
CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Description: During the installation process for all versions of the Zoom Client for Meetings for Windows before 5.4.0, it is possible to launch Internet Explorer. If the installer was launched with elevated privileges, such as by SCCM, this can result in a local privilege escalation.
Affected Products:
- Zoom Client for Meetings for Windows before version 5.4.0
Source: Reported by the Lockheed Martin Red Team
ZSB-21007 | 09/30/2021 | Zoom Rooms Installer Local Privilege Escalation | Medium | CVE-2021-34411
Severity: Medium
CVSS Score: 4.4
CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Description: During the installation process for Zoom Rooms for Conference Room for Windows before version 5.3.0, it is possible to launch Internet Explorer with elevated privileges. If the installer was launched with elevated privileges, such as by SCCM, this can result in a local privilege escalation.
Affected Products:
- Zoom Rooms for Conference Room for Windows before version 5.3.0
Source: Reported by the Lockheed Martin Red Team
ZSB-21006 | 09/30/2021 | Zoom Plugin for Microsoft Outlook (MacOS) Installer Root App Privilege Escalation | Medium | CVE-2021-34410
Severity: Medium
CVSS Score: 6.6
CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/CR:X/IR:X/AR:X/MAV:L/MAC:L/MPR:L/MUI:R/MS:U/MC:X/MI:X/MA:X
Description: A user-writable application bundle unpacked during the install for all versions of the Zoom Plugin for Microsoft Outlook for Mac before 5.0.25611.0521 allows for privilege escalation to root.
Affected Products:
- Zoom Plugin for Microsoft Outlook for Mac before version 5.0.25611.0521
Source: Reported by the Lockheed Martin Red Team
ZSB-21005 | 09/30/2021 | MacOS Installer Privilege Escalation | High | CVE-2021-34409
Severity: High
CVSS Score: 7.0
CVSS Vector String: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Description: User-writable pre- and post-install scripts unpacked during the Zoom Client for Meetings for MacOS installation before version 5.2.0 allow for privilege escalation to root.
Affected Products:
- Zoom Client for Meetings for MacOS before version 5.2.0
Source: Reported by the Lockheed Martin Red Team
ZSB-21004 | 09/30/2021 | Zoom MSI Installer Elevated Write Using A Junction | High | CVE-2021-34408
Severity: High
CVSS Score: 7.0
CVSS Vector String: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Description: A user-writable directory created during the installation of the Zoom Client for Meetings for Windows prior to version 5.3.2 can be redirected to another location using a junction. This would allow an attacker to overwrite files that a limited user would otherwise be unable to modify.
Affected Products:
- Zoom Client for Meetings for Windows prior to version 5.3.2
Source: Reported by the Lockheed Martin Red Team
ZSB-21003 | 09/30/2021 | Windows Zoom Installer Digital Signature Bypass | High | CVE-2021-33907
Severity: High
CVSS Score: 7.0
CVSS Vector String: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/CR:H/IR:H/AR:H/MAV:L/MAC:H/MPR:N/MUI:R/MS:U/MC:H/MI:H/MA:H
Description: The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context.
Affected Products:
- All versions of the Zoom Client for Meetings for Windows before version 5.3.0
Source: Reported by the Lockheed Martin Red Team
ZSB-21002 | 08/13/2021 | Heap overflow from static buffer unchecked write from XMPP message | High | CVE-2021-30480
Severity: High
CVSS Score: 8.1
CVSS Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/CR:H/IR:H/AR:H/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H
Description: A heap-based buffer overflow exists in all desktop versions of the Zoom Client for Meetings before version 5.6.3. This finding was reported to Zoom as part of 2021 Pwn2Own Vancouver. The attack chain demonstrated during Pwn2Own was mitigated by a server-side change in Zoom’s infrastructure on 2021-04-09.
When combined with two other issues reported during Pwn2Own - improper URL validation when sending an XMPP message to access a Zoom Marketplace app URL and incorrect URL validation when displaying a GIPHY image - a malicious user can achieve remote code execution on a target’s computer.
The target must have previously accepted a Connection Request from the malicious user or be in a multi-user chat with the malicious user for this attack to succeed. The attack chain demonstrated at Pwn2Own can be highly visible to targets, causing multiple client notifications to occur.
Affected Products:
- All desktop versions of the Zoom Client for Meetings before 5.6.3
Source: Reported by Daan Keuper and Thijs Alkemade from Computest via the Zero Day Initiative
ZSB-21001 | 03/26/2021 | Application Window Screen Sharing Functionality | Medium | CVE-2021-28133
Severity: Medium
CVSS Score: 5.7
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Description: A vulnerability affected the screen-sharing functionality of the Zoom Windows and Linux clients when sharing individual application windows: the contents of applications not explicitly shared by the screen-sharing user could be seen by other meeting participants for a brief moment if the sharer minimized, maximized, or closed another window.
Zoom introduced several new security mitigations in Zoom Windows Client version 5.6 that reduce the possibility of this issue occurring for Windows users. We are continuing to work on additional measures to resolve this issue across all affected platforms.
Zoom also resolved the issue for Ubuntu users on March 1, 2021 in Zoom Linux Client version 5.5.4. Users can apply current updates or download the latest Zoom software with all current security updates from https://zoom.us/download.
Affected Products:
- All Windows Zoom Client versions
- Linux Zoom Client versions prior to 5.5.4 on Ubuntu
- All Linux Client versions on other supported distributions
Source: Discovered by Michael Stramez and Matthias Deeg.
ZSB-20002 | 08/14/2020 | Windows DLL in the Zoom Sharing Service | High | CVE-2020-9767
Severity: High
CVSS Score: 7.8
CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description: A vulnerability related to Dynamic-link Library (“DLL”) loading in the Zoom Sharing Service could allow a local Windows user to escalate privileges to those of the NT AUTHORITY\SYSTEM user.
The vulnerability is due to insufficient signature checks of dynamically loaded DLLs when loading a signed executable. An attacker could exploit this vulnerability by injecting a malicious DLL into a signed Zoom executable and using it to launch processes with elevated permissions.
Zoom addressed this issue in the 5.0.4 client release. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.
Affected Products:
- Zoom Windows installer (ZoomInstallerFull.msi) versions prior to 5.0.4
Source: Connor Scott of Context Information Security
ZSB-20001 | 05/04/2020 | Zoom IT Installer for Windows | High | CVE-2020-11443
Severity: High
CVSS Score: 8.4 (Base)
CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Description: A vulnerability in how the Zoom Windows installer handles junctions when deleting files could allow a local Windows user to delete files otherwise not deletable by the user.
The vulnerability is due to insufficient checking for junctions in the directory from which the installer deletes files, which is writable by standard users. A malicious local user could exploit this vulnerability by creating a junction in the affected directory that points to protected system files or other files to which the user does not have permissions. Upon running the Zoom Windows installer with elevated permissions, as is the case when it is run through managed deployment software, those files would get deleted from the system.
Zoom addressed this issue in the 4.6.10 client release. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.
Affected Products:
- Zoom Windows installer (ZoomInstallerFull.msi) versions prior to 4.6.10
Source: Thanks to the Lockheed Martin Red Team.
ZSB-19003 | 07/12/2019 | ZoomOpener daemon | High | CVE-2019-13567
Severity: High
CVSS Score: 7.5 (Base)
CVSS Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Description: A vulnerability in the Zoom MacOS client could allow an attacker to download malicious software to a victim’s device.
The vulnerability is due to improper input validation and improper validation of downloaded software in the ZoomOpener helper application. An attacker could exploit the vulnerability to prompt a victim’s device to download files on the attacker’s behalf. A successful exploit is only possible if the victim previously uninstalled the Zoom Client.
Zoom addressed this issue in the 4.4.52595.0425 client release. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.
Affected Products:
- Zoom MacOS client prior to version 4.4.52595.0425 and after version 4.1.27507.0627
Source: Unknown.
ZSB-19002 | 07/09/2019 | Default Video Setting | Low | CVE-2019-13450
Severity: Low
CVSS Score: 3.1 (Base)
CVSS Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Description: A vulnerability in the MacOS Zoom and RingCentral clients could allow a remote, unauthenticated attacker to force a user to join a video call with the video camera active.
The vulnerability is due to insufficient authorization controls to check which systems may communicate with the local Zoom Web server running on port 19421. An attacker could exploit this vulnerability by creating a malicious website that causes the Zoom client to automatically join a meeting set up by the attacker.
Zoom implemented a new Video Preview dialog that is presented to the user before joining a meeting in Client version 4.4.5 published July 14, 2019. This dialog enables the user to join the meeting with or without video enabled and requires the user to set their desired default behavior for video. Zoom urges customers to install the latest Zoom Client release available at https://zoom.us/download.
Affected Products:
- Zoom MacOS Client prior to version 4.4.5
- RingCentral MacOS client prior to version 4.4.5
Source: Discovered by Jonathan Leitschuh.
ZSB-19001 | 07/09/2019 | Denial of service attack - MacOS | Low | CVE-2019-13449
Severity: Low
CVSS Score: 3.1 (Base)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Description: A vulnerability in the MacOS Zoom client could allow a remote, unauthenticated attacker to trigger a denial-of-service condition on a victim’s system.
The vulnerability is due to insufficient authorization controls to check which systems may communicate with the local Zoom Web server running on port 19421. An attacker could exploit this vulnerability by creating a malicious website that causes the Zoom client to repeatedly try to join a meeting with an invalid meeting ID. The infinite loop causes the Zoom client to become inoperative and can impact performance of the system on which it runs.
Zoom released version 4.4.2-hotfix of the MacOS client on April 28, 2019 to address the issue.
Affected Products:
- Zoom MacOS Client prior to version 4.4.5
- RingCentral MacOS client prior to version 4.4.5
Source: Discovered by Jonathan Leitschuh.
ZSB-18001 | 11/30/2018 | Unauthorized Message Processing | High | CVE-2018-15715
Severity: High
CVSS Score: 7.4
CVSS Vector String: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L/CR:X/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X
Description: A vulnerability in the Zoom client could allow a remote, unauthenticated attacker to control meeting functionality such as ejecting meeting participants, sending chat messages, and controlling participant microphone muting. If the attacker was also a valid participant in the meeting and another participant was sharing their desktop screen, the attacker could also take control of that participant’s keyboard and mouse.
The vulnerability is due to the fact that Zoom’s internal messaging pump dispatched both client User Datagram Protocol (UDP) and server Transmission Control Protocol (TCP) messages to the same message handler. An attacker can exploit this vulnerability to craft and send UDP packets which get interpreted as messages processed from the trusted TCP channel used by authorized Zoom servers.
Zoom released client updates to address this security vulnerability. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.
Affected Products:
- Windows clients before version 4.1.34460.1105
- Mac clients before version 4.1.34475.1105
- Linux clients before version 2.5.146186.1130
- iOS clients before version 4.1.18 (4460.1105)
- Android clients before version 4.1.34489.1105
- Chrome clients before version 3.3.1635.1130
- Windows Zoom Room clients before version 4.1.6 (35121.1201)
- Mac Zoom Room clients before version 4.1.7 (35123.1201)
- Chrome Zoom Room clients before version 3.6.2895.1130
- Windows Zoom SDK before version 4.1.30384.1029
- Mac Zoom SDK before version 4.1.34180.1026
- iOS Zoom SDK before version 4.1.34076.1024
- Android Zoom SDK before version 4.1.34082.1024
- Zoom Virtual Room Connectors before version 4.1.4813.1201
- Zoom Meeting Connectors before version 4.3.135059.1129
- Zoom Recording Connectors before version 3.6.58865.1130
- The Zoom Cloud Skype for Business Connector was updated on 12/1/2018
- The Zoom Cloud Conference Room Connector was updated on 12/6/2018
Source: David Wells from Tenable.