
Zoom security advisories for multiple high severity vulnerabilities

Issued: Monday, 21 November, 2022
Last Revision: Monday, 21 November, 2022
Vendor: Zoom
Severity Level: High
Summary:

Zoom has released security advisories for multiple high-severity vulnerabilities in the Zoom client. The addressed vulnerabilities are listed below:

CVE-2022-28766: a DLL injection vulnerability in 32-bit Zoom clients for Windows. A local low-privileged user could exploit this vulnerability to run arbitrary code in the context of the Zoom client.

CVE-2022-28768: a local privilege escalation vulnerability in the standard and IT admin versions of the Zoom client for macOS. A local low-privileged user could exploit this vulnerability during the installation process to escalate their privileges to root.

CVE-2022-36924: a local privilege escalation vulnerability in the Windows version of the Zoom client. A local low-privileged user could exploit this vulnerability during the installation process to escalate their privileges to the SYSTEM user.

| CVE/Vulnerability | Affected Version | CVSS Score | Exploitable |
|---|---|---|---|
| CVE-2022-28766 | Zoom Client for Windows (32-bit) prior to 5.12.6; Zoom VDI Windows client (32-bit) prior to 5.12.6; Zoom Room for Conference (32-bit) prior to 5.12.6 | 8.1 | NO |
| CVE-2022-28768 | Zoom Client for macOS prior to 5.12.6 | 8.8 | NO |
| CVE-2022-36924 | Zoom Client for Windows prior to 5.12.6 | 8.8 | NO |

Recommendation: 

Zoom has released updated versions of the affected products. Organizations are recommended to update all affected installations to the latest version.
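To act on the recommendation, an administrator needs to find which endpoints still run a release below the fixed version. The script below is an added example, not part of the Q-CERT advisory or Zoom's own tooling: it takes the advisory's affected-version table (product names, CVE ids and the 5.12.6 threshold are copied from the table above; the product-to-CVE mapping follows the table's wording literally) and audits a constructed sample inventory against it. It also shows the version-comparison pitfall that such audits commonly trip over: compared as strings, "5.12.10" sorts before "5.12.6", so a lexical check would wrongly flag a patched client.

```python
"""Audit an endpoint inventory for Zoom builds below the fixed version (5.12.6).

Added example (not part of the Q-CERT advisory or Zoom's own tooling). The
inventory rows are constructed sample data; product names, CVE ids and the
fixed version are taken from the advisory's affected-version table.
"""
import re
from typing import Dict, List, Tuple

# Every row of the advisory's table says "prior to 5.12.6", so one threshold suffices.
FIXED_VERSION = "5.12.6"

# CVE -> affected products, copied literally from the advisory table. The table lists
# the generic "Zoom Client for Windows" under CVE-2022-36924 and the 32-bit client
# under CVE-2022-28766; the mapping here follows that wording exactly.
ADVISORY_TABLE: Dict[str, List[str]] = {
    "CVE-2022-28766": [
        "Zoom Client for Windows (32-bit)",
        "Zoom VDI Windows client (32-bit)",
        "Zoom Room for Conference (32-bit)",
    ],
    "CVE-2022-28768": ["Zoom Client for macOS"],
    "CVE-2022-36924": ["Zoom Client for Windows"],
}

# Constructed sample inventory: (hostname, product, version string as reported by the endpoint).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "Zoom Client for Windows (32-bit)", "5.12.2"),      # below the fix
    ("ws-02", "Zoom Client for Windows", "5.12.10"),              # newer than the fix
    ("ws-03", "Zoom Client for Windows", "5.12.6 (10137)"),       # fixed release with a build suffix
    ("mac-01", "Zoom Client for macOS", "5.12.6"),                # exactly the fixed release
    ("vdi-01", "Zoom VDI Windows client (32-bit)", "5.11.0"),     # below the fix
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.12.6 (10137)' or '5.12.10' into a tuple of ints for numeric comparison.

    Comparing version strings lexically is a classic audit bug: '5.12.10' < '5.12.6'
    is True as strings but False numerically. A trailing build number in parentheses
    is ignored because the advisory names releases, not builds.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_fixed(version: str) -> bool:
    """True when the installed release is at or above the advisory's fixed version."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def applicable_cves(product: str, version: str) -> List[str]:
    """CVEs from the advisory table that apply to this product at this version."""
    if is_fixed(version):
        return []
    return [cve for cve, products in ADVISORY_TABLE.items() if product in products]


def audit(inventory) -> List[Dict[str, object]]:
    """Return one finding per host that still runs an affected product/version."""
    findings = []
    for host, product, version in inventory:
        cves = applicable_cves(product, version)
        if cves:
            findings.append({"host": host, "product": product, "version": version, "cves": cves})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['product']} {f['version']} -> update to {FIXED_VERSION} ({', '.join(f['cves'])})")
```

Feed `audit()` the (hostname, product, version) rows from your asset inventory or endpoint management export in place of the sample list; only hosts with a product named in the table and a release below 5.12.6 are reported, so patched clients with a later point release or a build suffix are left alone.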