CVE-2023-39201
📋 TL;DR
This CVE describes an untrusted search path vulnerability in CleanZoom (Zoom's cleaning utility) that allows a privileged user to escalate privileges via local access. Attackers could place malicious files in locations where CleanZoom searches for dependencies, leading to arbitrary code execution. This affects systems running CleanZoom before the July 24, 2023 file date.
💻 Affected Systems
- CleanZoom (Zoom cleaning utility)
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM/root privileges, installs persistent malware, accesses sensitive data, and pivots to other systems.
Likely Case
Privileged user (admin/root) exploits the vulnerability to maintain persistence, bypass security controls, or install additional malicious software.
If Mitigated
With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.
🎯 Exploit Status
Exploitation requires local access and some existing privileges. The attacker needs to understand the search path behavior and place malicious files in the correct locations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CleanZoom with file date 07/24/2023 or later
Vendor Advisory: https://explore.zoom.us/en/trust/security/security-bulletin/
Restart Required: No
Instructions:
1. Download the latest CleanZoom utility from Zoom's official website.
2. Run the installer to update CleanZoom.
3. Verify the file date is 07/24/2023 or later.
4. Remove any older versions of CleanZoom.
🔧 Temporary Workarounds
Remove CleanZoom
Uninstall CleanZoom if not needed, eliminating the attack surface entirely.
Windows: Control Panel > Programs > Uninstall CleanZoom
macOS: Drag CleanZoom to Trash or use uninstaller
Linux: Use package manager to remove cleanzoom package
Restrict File Permissions
Set strict permissions on directories CleanZoom searches to prevent malicious file placement.
Windows: icacls "C:\Program Files\CleanZoom" /deny Users:(OI)(CI)W
Linux: chmod 755 /opt/cleanzoom && chown root:root /opt/cleanzoom
macOS: chmod 755 /Applications/CleanZoom.app && chown root:wheel /Applications/CleanZoom.app
🧯 If You Can't Patch
- Remove CleanZoom from all systems if patching is not possible.
- Implement strict access controls to limit who can run CleanZoom and from which directories.
🔍 How to Verify
Check if Vulnerable:
Check CleanZoom file properties for creation/modification date. If before 07/24/2023, the system is vulnerable.
Check Version:
Windows: dir "C:\Program Files\CleanZoom\*" /T:C | find "CleanZoom"
macOS: ls -la /Applications/CleanZoom.app
Linux: ls -la /opt/cleanzoom/ 2>/dev/null || echo 'Not installed'
Verify Fix Applied:
Verify CleanZoom file date is 07/24/2023 or later. Check that no older versions exist on the system.
📡 Detection & Monitoring
Log Indicators:
- Unexpected CleanZoom process execution from non-standard locations
- File creation in CleanZoom search paths by non-privileged users
- CleanZoom loading DLLs or libraries from unexpected directories
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
process_name:"CleanZoom" AND (NOT process_path:"C:\\Program Files\\CleanZoom\\*" OR file_create_path:"*CleanZoom*")
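The three log indicators above and the file-date check from the How to Verify section, as an added Python example that is not part of the original advisory: it parses constructed key=value events (not real Zoom or Sysmon output), flags CleanZoom running from a non-standard path, unprivileged writes into its search directory, and library loads from untrusted directories, and compares a file date against the 07/24/2023 patch date. The install directory C:\Program Files\CleanZoom, the trusted library directories and the integrity levels treated as privileged are assumptions.

```python
import re
from datetime import date
from pathlib import PureWindowsPath

# Constructed sample events in a simple key=value form (not real Zoom or Sysmon output).
SAMPLE_EVENTS = [
    'type=process_create image="C:\\Program Files\\CleanZoom\\CleanZoom.exe" integrity=High',
    'type=process_create image="C:\\Users\\Public\\CleanZoom.exe" integrity=High',
    'type=file_create path="C:\\Program Files\\CleanZoom\\version.dll" user=CORP\\bob integrity=Medium',
    'type=image_load image="C:\\Program Files\\CleanZoom\\CleanZoom.exe" module="C:\\Users\\Public\\version.dll"',
    'type=image_load image="C:\\Program Files\\CleanZoom\\CleanZoom.exe" module="C:\\Windows\\System32\\version.dll"',
]

PATCH_DATE = date(2023, 7, 24)                  # first non-vulnerable file date per the advisory
CLEANZOOM_DIR = "C:\\Program Files\\CleanZoom"  # install directory as assumed on this page
TRUSTED_LIB_DIRS = (CLEANZOOM_DIR, "C:\\Windows\\System32", "C:\\Windows\\SysWOW64")  # assumed
PRIVILEGED = {"High", "System"}                 # integrity levels treated as privileged (assumed)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Parse one key=value line (quoted values may contain spaces) into a dict."""
    return {k: q or u for k, q, u in KV.findall(line)}

def under(path, directory):
    """True if path lies inside directory (case-insensitive Windows path semantics)."""
    return PureWindowsPath(directory.lower()) in PureWindowsPath(path.lower()).parents

def is_cleanzoom(path):
    return PureWindowsPath(path).name.lower() == "cleanzoom.exe"

def classify(ev):
    """Map an event to one of the advisory's log indicators, or None if benign."""
    t = ev.get("type")
    if t == "process_create" and is_cleanzoom(ev["image"]) and not under(ev["image"], CLEANZOOM_DIR):
        return "cleanzoom_from_nonstandard_path"
    if t == "file_create" and under(ev["path"], CLEANZOOM_DIR) and ev.get("integrity") not in PRIVILEGED:
        return "unprivileged_write_to_search_path"
    if t == "image_load" and is_cleanzoom(ev["image"]) and not any(under(ev["module"], d) for d in TRUSTED_LIB_DIRS):
        return "dll_loaded_from_unexpected_dir"
    return None

def scan(lines):
    """Return (indicator, line) for every event matching an indicator."""
    hits = [(classify(parse_event(l)), l) for l in lines]
    return [(tag, l) for tag, l in hits if tag]

def file_date_is_vulnerable(file_date):
    """Advisory check: a CleanZoom file dated before 07/24/2023 is vulnerable."""
    return file_date < PATCH_DATE
```

Running `scan(SAMPLE_EVENTS)` returns three hits (events 2, 3 and 4); the first and last events are benign.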