CVE-2021-34413

7.5 HIGH

📋 TL;DR

A Time-of-check Time-of-use (TOC/TOU) vulnerability in the Zoom Plugin for Microsoft Outlook on macOS allows standard users to write malicious applications to the plugin directory during installation. This could enable privilege escalation where malicious code executes with elevated privileges. Affects all macOS users running Zoom Plugin for Outlook versions before 5.3.52553.0918.

💻 Affected Systems

Products:
  • Zoom Plugin for Microsoft Outlook
Versions: All versions before 5.3.52553.0918
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS installations. Requires standard user access to the system. The vulnerability occurs during the plugin installation process.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with local access could escalate privileges to root/admin level, install persistent backdoors, access sensitive system files, or compromise other user accounts on the same system.

🟠 Likely Case

Malicious local user or malware with standard privileges could gain administrative access to install additional malware, modify system configurations, or access protected data.

🟢 If Mitigated

With proper user privilege separation and application whitelisting, impact is limited to the user's own context without system-wide compromise.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Any compromised standard user account on affected macOS systems could lead to full system compromise.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to write to plugin directory during installation. Exploitation involves race condition timing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.3.52553.0918 and later

Vendor Advisory: https://explore.zoom.us/en/trust/security/security-bulletin/

Restart Required: Yes

Instructions:

1. Open Microsoft Outlook on macOS.
2. Navigate to Zoom plugin settings.
3. Check for updates or manually update to version 5.3.52553.0918 or later.
4. Restart Outlook after update completes.

🔧 Temporary Workarounds

Uninstall Zoom Plugin

macos

Remove the vulnerable Zoom Plugin from Microsoft Outlook

Open Microsoft Outlook > Go to Preferences > Extensions > Select Zoom Plugin > Click Remove

Restrict User Privileges

macos

Implement least privilege by ensuring users don't have write access to system directories

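# Apply both changes recursively; a non-recursive chown leaves the files inside owned by the user
sudo chmod -R 755 /Library/Application\ Support/zoom.us/
sudo chown -R root:wheel /Library/Application\ Support/zoom.us/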

🧯 If You Can't Patch

  • Remove the Zoom Plugin from Microsoft Outlook entirely
  • Implement application whitelisting to prevent unauthorized executables from running

🔍 How to Verify

Check if Vulnerable:

Check Zoom Plugin version in Microsoft Outlook: Open Outlook > Preferences > Extensions > Zoom Plugin > Check version number

Check Version:

grep -i version ~/Library/Application\ Support/zoom.us/plugin/outlook/*.plist 2>/dev/null || echo 'Plugin not found'

Verify Fix Applied:

Verify version is 5.3.52553.0918 or higher in Outlook extensions settings
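
A scripted form of the version check above and of the Restrict User Privileges workaround, as an added example that is not part of the advisory or of Zoom's tooling: it compares a version string read from Outlook against the fixed release and lists directory entries a standard user could still replace. The function names and the optional owner argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): version gate and ownership audit.
FIXED_VERSION="5.3.52553.0918"   # first fixed release per the advisory

# strip_zeros N: drop leading zeros ("0918" -> "918") so the field is
# compared as decimal and never misread as octal.
strip_zeros() {
    n=$1
    while [ "${#n}" -gt 1 ] && [ "${n#0}" != "$n" ]; do n=${n#0}; done
    printf '%s' "$n"
}

# version_lt A B: exit 0 if A is older than B, 1 if not, 2 if unparsable.
version_lt() {
    a=$1; b=$2
    case $a in ''|*[!0-9.]*) return 2 ;; esac
    case $b in ''|*[!0-9.]*) return 2 ;; esac
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=$(strip_zeros "${fa:-0}"); fb=$(strip_zeros "${fb:-0}")
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
    done
    return 1   # equal versions are not older
}

# plugin_status VERSION: prints vulnerable, patched or unknown.
plugin_status() {
    rc=0
    version_lt "$1" "$FIXED_VERSION" || rc=$?
    case $rc in 0) echo vulnerable ;; 1) echo patched ;; *) echo unknown ;; esac
}

# unsafe_entries DIR [OWNER]: list entries a standard user could replace,
# i.e. not owned by OWNER (default root) or writable by group/others.
# Symlinks are skipped for the mode test; their mode bits are not enforced.
unsafe_entries() {
    find "$1" \( ! -user "${2:-root}" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print 2>/dev/null
}

# Usage: sh check.sh <version shown in Outlook> [directory to audit]
if [ $# -ge 1 ]; then plugin_status "$1"; fi
if [ $# -ge 2 ]; then unsafe_entries "$2"; fi
```

Any path printed by the audit is one a non-root account can still modify, so the directory has not been locked down as the workaround intends.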

📡 Detection & Monitoring

Log Indicators:

  • Unusual file writes to /Library/Application Support/zoom.us/ during plugin installation
  • Process execution from zoom plugin directory with elevated privileges

Network Indicators:

  • Outbound connections from zoom plugin processes to unexpected destinations

SIEM Query:

process.name:zoom AND process.integrity_level:high AND file.path:/Library/Application Support/zoom.us/*
