CVE-2023-28598

7.5 HIGH

📋 TL;DR

Zoom for Linux clients prior to version 5.13.10 contain an HTML injection vulnerability (CWE-79) that allows malicious users to inject arbitrary HTML into chat messages. When a victim starts a chat with such a user, the injected HTML can cause the Zoom client to crash (denial of service). Only Linux users running a vulnerable client version are affected.

💻 Affected Systems

Products:
  • Zoom Client for Linux
Versions: All versions prior to 5.13.10
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Linux Zoom clients. Windows, macOS, mobile, and web clients are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could craft malicious HTML that crashes Zoom clients for multiple users simultaneously, causing denial of service for Zoom communications and potentially leading to data loss from unsaved chat sessions.

🟠 Likely Case

Malicious users in an organization could crash colleagues' Zoom clients by sending specially crafted chat messages, disrupting meetings and communications.

🟢 If Mitigated

With proper patching, the vulnerability is eliminated. With network segmentation and chat restrictions, the attack surface is reduced to trusted users only.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to be a Zoom user who can send chat messages to the victim. The vulnerability is triggered when the victim starts a chat session with the attacker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.13.10 and later

Vendor Advisory: https://explore.zoom.us/en/trust/security/security-bulletin/

Restart Required: Yes

Instructions:

1. Open the Zoom client on Linux.
2. Click your profile picture.
3. Select 'Check for Updates'.
4. If an update to 5.13.10 or later is available, install it.
5. Restart the Zoom client after installation.

🔧 Temporary Workarounds

Disable chat with external users (platform: linux)

Configure Zoom to restrict chat functionality to internal/organizational users only.

Use web client temporarily (platform: all)

Use the Zoom web client instead of the native Linux client until patched.

🧯 If You Can't Patch

  • Restrict Zoom chat functionality to trusted users only through administrative controls
  • Educate users to avoid starting chats with unknown or untrusted Zoom contacts

🔍 How to Verify

Check if Vulnerable:

Check Zoom client version in Linux: Open Zoom, click profile picture, select 'Help', then 'About Zoom'. If version is below 5.13.10, system is vulnerable.

Check Version:

zoom --version 2>/dev/null || echo 'Zoom command not found or version check not available via CLI'

If the CLI check prints nothing useful, fall back to the 'About Zoom' method above, or query the package manager that installed the client.

Verify Fix Applied:

After updating, verify Zoom version is 5.13.10 or higher using the same 'About Zoom' method.
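The version comparison above is easy to get wrong in a script: as text, "5.9.1" sorts after "5.13.10" even though it is an older release. The following POSIX shell script is an added example, not part of this advisory or of Zoom's own tooling; it compares dotted version numbers field by field against the fixed version 5.13.10 and, when asked to, looks the installed version up via dpkg or rpm. It assumes the client is installed as a package named "zoom" (adjust installed_zoom_version() for tarball or other installs).

```shell
#!/bin/sh
# Added example (not from the advisory): is the installed Zoom for Linux
# client older than the fixed version 5.13.10?
# Assumption: the client was installed as a dpkg or rpm package named "zoom".

FIXED_VERSION="5.13.10"

# version_lt A B: return 0 (true) when dotted version A is numerically lower
# than B. Compares field by field so that 5.9.1 < 5.13.10, unlike a string sort.
version_lt() {
    # keep only the leading digits-and-dots part: "v5.13.10-1" -> "5.13.10"
    a=$(printf '%s' "$1" | sed -e 's/^[^0-9]*//' -e 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed -e 's/^[^0-9]*//' -e 's/[^0-9.].*$//')
    i=1
    while :; do
        pa=$(printf '%s\n' "$a" | awk -F. -v n="$i" '{print $n}')
        pb=$(printf '%s\n' "$b" | awk -F. -v n="$i" '{print $n}')
        if [ -z "$pa" ] && [ -z "$pb" ]; then
            return 1    # every field equal: A is not lower than B
        fi
        pa=${pa:-0}     # missing trailing field counts as 0 (5.13 == 5.13.0)
        pb=${pb:-0}
        if [ "$pa" -lt "$pb" ]; then return 0; fi
        if [ "$pa" -gt "$pb" ]; then return 1; fi
        i=$((i + 1))
    done
}

# zoom_status VERSION: print "vulnerable" if VERSION is below 5.13.10, else "fixed".
zoom_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# installed_zoom_version: best-effort lookup through the package manager.
# Prints the version and returns 0, or returns 1 if it cannot be determined.
installed_zoom_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' zoom 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}' zoom 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
    fi
    return 1
}

# main [VERSION]: check the given version, or the installed one if none is given.
main() {
    if [ -n "$1" ]; then
        v=$1
    elif ! v=$(installed_zoom_version); then
        echo "Could not determine the Zoom version; use Help > About Zoom in the client."
        return 2
    fi
    echo "Zoom version $v: $(zoom_status "$v") (fixed in $FIXED_VERSION)"
}

# Usage: sh zoom_check.sh --check            (query the package manager)
#        sh zoom_check.sh --check 5.13.9     (check a version read from About Zoom)
if [ "${1:-}" = "--check" ]; then
    main "${2:-}"
fi
```

Run it with `--check` after updating as well: a result of "fixed" for 5.13.10 or any later release confirms the patch is in place, while suffixes such as a package revision ("5.13.10-1") or a build number ("5.13.10.2467") are handled without a false "vulnerable".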

📡 Detection & Monitoring

Log Indicators:

  • Multiple Zoom client crashes from same user sessions
  • Chat session initiation logs followed by application termination

Network Indicators:

  • Unusual chat message patterns containing HTML tags
  • Multiple Zoom clients disconnecting simultaneously after chat initiation

SIEM Query:

source="zoom_logs" AND (event="client_crash" OR event="application_error") AND process="zoom" AND chat_session=true
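The log indicator "chat session initiation followed by application termination" is only meaningful when the two events are tied to the same client session and to the peer who opened the chat. The script below is an added example, not part of this advisory and not a Zoom log format: it correlates constructed key=value log lines (fields ts, host, user, event, peer are an assumed layout) and reports any chat peer linked to two or more crashes within a short window, which is the repeat pattern the indicators above describe. Map the field names to whatever your SIEM exports from Zoom before using it.

```shell
#!/bin/sh
# Added example (not from the advisory): flag chat peers whose chat starts are
# followed by a client crash on the same host/user within WINDOW seconds.
# Log format and sample lines are constructed for this example.

WINDOW=120      # seconds between chat_start and client_crash to count as related
MIN_CRASHES=2   # report a peer only when the pattern repeats across sessions

# sample_log: constructed log lines (two users crash shortly after chatting with
# "mallory"; bob's crash is 400 s later and is ignored; erin's single hit is below threshold).
sample_log() {
    cat <<'EOF'
ts=1678442400 host=ws01 user=alice event=chat_start peer=mallory
ts=1678442405 host=ws01 user=alice event=client_crash
ts=1678442500 host=ws02 user=bob event=chat_start peer=carol
ts=1678442900 host=ws02 user=bob event=client_crash
ts=1678443000 host=ws03 user=dave event=chat_start peer=mallory
ts=1678443010 host=ws03 user=dave event=client_crash
ts=1678443100 host=ws04 user=erin event=chat_start peer=frank
ts=1678443110 host=ws04 user=erin event=client_crash
EOF
}

# correlate_crashes: read key=value lines on stdin, print "peer=<name> crashes=<n>"
# for every peer with at least MIN_CRASHES related crashes.
correlate_crashes() {
    awk -v window="$WINDOW" -v min="$MIN_CRASHES" '
    {
        split("", kv)                       # clear the per-line field map
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0) kv[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        sess = kv["host"] SUBSEP kv["user"] # one client session per host/user
        if (kv["event"] == "chat_start") {
            start_ts[sess] = kv["ts"]
            start_peer[sess] = kv["peer"]
        } else if (kv["event"] == "client_crash" && (sess in start_ts) \
                   && kv["ts"] - start_ts[sess] <= window) {
            hits[start_peer[sess]]++
            delete start_ts[sess]           # count each chat start at most once
        }
    }
    END {
        for (p in hits)
            if (hits[p] >= min) print "peer=" p " crashes=" hits[p]
    }'
}

# Usage: sh crash_correlate.sh --demo   (runs over the constructed sample)
#        sh crash_correlate.sh < zoom_events.log
if [ "${1:-}" = "--demo" ]; then
    sample_log | correlate_crashes
fi
```

Against the sample the script prints only `peer=mallory crashes=2`; a crash long after the chat (bob) and a one-off (erin) are excluded, which keeps the alert from firing on ordinary client instability.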
