CyberSecurityBoard
Sponsor Register Login

Zoom stomps critical privilege escalation bug, 6 other flaws The Register

Review and manage your consent Here's an overview of our use of cookies, similar technologies and how to manage them.
Video conferencing giant Zoom today opened up about a fresh batch of security vulnerabilities affecting its products, including a critical privilege escalation flaw.
Tracked as CVE-2024-24691 with a CVSS score of 9.6, Zoom says the vulnerability may enable privilege escalation for unauthenticated users via network access.
Limited technical details were disclosed, but an examination of the exploitability metrics that influenced the severity score shows that Zoom believes an exploit would require little complexity to execute, although some user interaction may be required.
It's also deemed to have a potentially high impact on affected products, which include the Windows versions of the Zoom desktop client, VDI client, Rooms client, and Zoom Meeting SDK. Zoom Desktop Client for Windows before version 5.16.5.
The vulnerability was reported by researchers in Zoom's Offensive Security division, and the company hasn't said whether any in-the-wild exploitation was detected.
In any case, the severity of the vulnerability should be a cause for concern and prompt users into patching to the latest version.
Also included in the round of updates were improper input validation vulnerabilities, as well as assorted others, although these were mostly all medium-severity issues, bar one.
CVE-2024-24690: A medium severity flaw affecting various Zoom clients that could potentially lead to denial of service attacks.
CVE-2024-24695: Another medium severity vulnerability that could lead to information disclosure, but an attacker would need to be authenticated.
CVE-2024-24696: Similar to the above improper input validation issue.
Same severity, affecting the same clients, with the same outcome.
This one concerns the in-meeting chat functionality, though.
CVE-2024-24697: The only high severity vulnerability here.
Affecting some 32-bit Windows clients, this untrusted search path flaw could enable local privilege escalation for authenticated attackers.
CVE-2024-24698: A medium severity issue affecting Zoom desktop apps, mobile apps, VDI client, Rooms client, and Meeting SDKs. It's classed as an improper authentication vulnerability that could lead to disclosure of information.
CVE-2024-24699: Also affecting all desktop and mobile apps, plus the Meeting SDKs and VDI and Rooms clients, this medium severity flaw could lead to information disclosure over the network.
It's worth checking out each advisory for the specific versions affected as they do differ between the various vulnerabilities.


This Cyber News was published on go.theregister.com. Publication date: Thu, 15 Feb 2024 16:13:04 +0000


Cyber News related to Zoom stomps critical privilege escalation bug, 6 other flaws The Register

Zoom flaw enabled hijacking of accounts with access to meetings, team chat - A Zoom flaw that enabled the hijacking of service accounts with access to potentially confidential information was disclosed by bug hunters this week. The vulnerability in the Zoom Rooms feature mostly affected Zoom tenants using email addresses from ...
7 months ago Packetstormsecurity.com
CVE-2021-34423 - A buffer overflow vulnerability was discovered in Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1, Zoom Client for ...
2 years ago
CVE-2021-34424 - A vulnerability was discovered in the Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1, Zoom Client for Meetings for intune ...
1 year ago
Zoom Mobile & Desktop App Flaw Let Attackers Escalate Privileges - The popular video conferencing software Zoom has security issues with its desktop and mobile apps that could allow for privilege escalation. An attacker may be able to obtain elevated privileges within the application or the operating system by ...
6 months ago Cybersecuritynews.com
Zoom stomps critical privilege escalation bug, 6 other flaws The Register - Review and manage your consent Here's an overview of our use of cookies, similar technologies and how to manage them. Video conferencing giant Zoom today opened up about a fresh batch of security vulnerabilities affecting its products, including a ...
4 months ago Go.theregister.com
Zoom says AI features should come at no additional cost. Here's why - Zoom is pledging to provide artificial intelligence features at no additional cost to paid customers on its video-conferencing platform. Zoom also advocates the merits of a federated multi-model architecture, which it says will allow for better ...
6 months ago Zdnet.com
Zoom Launches AI Companion, Available at No Additional Cost - Zoom has pledged to provide artificial intelligence functions on its video-conferencing platform at no additional cost to paid clients. The tech firm believes that including these extra features as part of its paid platform service will provide a ...
6 months ago Cysecurity.news
Weekly Vulnerability Recap 2/19/2024: News from Microsoft, Zoom, SolarWinds - While this week was a little light on vulnerability news, it's still been significant, with Microsoft's Patch Tuesday happening as well as updates for major products, like Zoom. Akira ransomware vulnerabilities have also surfaced in older Cisco ...
4 months ago Esecurityplanet.com
CVE-2013-0135 - Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) ...
6 years ago
Patch Now: Critical Windows Kerberos Bug Bypasses Microsoft Security - Microsoft eased enterprise security teams into 2024 with a relatively light January security update consisting of patches for 48 unique CVEs, just two of which the company identified as being of critical severity. For the second straight month, ...
5 months ago Darkreading.com
Discovering SSRF Flaws in Microsoft Azure Services - Microsoft Azure is an incredibly popular cloud computing platform and its services are used around the world. Recently, security researchers uncovered several Server-Side Request Forgery (SSRF) flaws in many of Microsoft Azure’s services. This type ...
1 year ago Securityaffairs.com
Microsoft Discloses Critical Hyper-V Flaws in Low-Volume Patch Update - Both affect the Windows Hyper-V virtualization technology: CVE-2024-21407, a remote code execution bug; and CVE-2024-21408, which is a denial-of-service vulnerability. The update includes fixes for a total of 18 RCE flaws and two dozen ...
3 months ago Darkreading.com
CVE-2017-17713 - Trape before 2017-11-05 has SQL injection via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp ...
6 years ago
CVE-2017-17714 - Trape before 2017-11-05 has XSS via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp parameter, ...
6 years ago
CVE-2023-52780 - In the Linux kernel, the following vulnerability has been resolved: net: mvneta: fix calls to page_pool_get_stats Calling page_pool_get_stats in the mvneta driver without checks leads to kernel crashes. First the page pool is only available if the bm ...
1 month ago Tenable.com
What Is a Privilege Escalation Attack? Types & Prevention - Privilege escalation is a method that threat actors use to increase their access to systems and data that they aren't authorized to see. This guide to privilege escalation attacks covers the two main types, the avenues attackers use, and detection ...
6 months ago Esecurityplanet.com
Over 1,450 pfSense servers exposed to RCE attacks via bug chain - Roughly 1,450 pfSense instances exposed online are vulnerable to command injection and cross-site scripting flaws that, if chained, could enable attackers to perform remote code execution on the appliance. PfSense is a popular open-source firewall ...
6 months ago Bleepingcomputer.com
The 20 Most Essential Crypto Bug Bounty Programs - Working with cryptocurrency has become more and more popular in the last few years, but it’s not without risks. It’s important for sites that conduct digital payments and transfers to have security measures in place to help keep your data safe ...
1 year ago Hackread.com
Privilege elevation exploits used in over 50% of insider attacks - Elevation of privilege flaws are the most common vulnerability leveraged by corporate insiders when conducting unauthorized activities on networks, whether for malicious purposes or by downloading risky tools in a dangerous manner. A report by ...
6 months ago Bleepingcomputer.com
CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog - CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog. CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog. CISA adds ...
1 month ago Securityaffairs.com
New MOVEit Transfer critical bug is actively exploited - MUST READ. New MOVEit Transfer critical bug is actively exploited. CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. PoC ...
1 week ago Securityaffairs.com
Microsoft December 2023 Patch Tuesday fixes 34 flaws, 1 zero-day - Today is Microsoft's December 2023 Patch Tuesday, which includes security updates for a total of 34 flaws and one previously disclosed, unpatched vulnerability in AMD CPUs. While eight remote code execution bugs were fixed, Microsoft only rated three ...
6 months ago Bleepingcomputer.com
Data thieves abuse Microsoft's 'verified publisher' status The Register - Miscreants using malicious OAuth applications abused Microsoft's "Verified publisher" status to gain access to organizations' cloud environments, then steal data and pry into to users' mailboxes, calendars, and meetings. According to researchers with ...
1 year ago Packetstormsecurity.com
Exploits released for critical Jenkins RCE flaw, patch now - Multiple proof-of-concept exploits for a critical Jenkins vulnerability allowing unauthenticated attackers to read arbitrary files have been made publicly available, with some researchers reporting attackers actively exploiting the flaws in attacks. ...
5 months ago Bleepingcomputer.com
CVE-2022-28762 - Zoom Client for Meetings for macOS (Standard and for IT Admin) starting with 5.10.6 and prior to 5.12.0 contains a debugging port misconfiguration. When camera mode rendering context is enabled as part of the Zoom App Layers API by running certain ...
1 year ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)