CVE-2023-39211
📋 TL;DR
This vulnerability in Zoom Desktop Client and Zoom Rooms for Windows allows authenticated local users to access sensitive information they shouldn't have permission to view. It affects Windows users running Zoom versions before 5.15.5. The issue stems from improper privilege management that enables information disclosure.
💻 Affected Systems
- Zoom Desktop Client for Windows
- Zoom Rooms for Windows
📦 What is this software?
Rooms by Zoom
Zoom by Zoom
⚠️ Risk & Real-World Impact
Worst Case
Local authenticated attacker gains access to sensitive user data, configuration files, or authentication tokens stored by Zoom, potentially leading to account compromise or data theft.
Likely Case
Local user with standard privileges accesses Zoom configuration data, meeting information, or user credentials stored locally by the application.
If Mitigated
With proper access controls and least privilege principles, impact is limited to non-sensitive application data accessible only to authorized users.
🎯 Exploit Status
Exploitation requires local authenticated access. The CWE-347 (Improper Verification of Cryptographic Signature) suggests this may involve bypassing security checks through improper privilege management.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.15.5 and later
Vendor Advisory: https://explore.zoom.us/en/trust/security/security-bulletin/
Restart Required: Yes
Instructions:
1. Open Zoom Desktop Client or Zoom Rooms application.
2. Click on your profile picture.
3. Select 'Check for Updates'.
4. If update to 5.15.5 or later is available, install it.
5. Restart the application after installation.
🔧 Temporary Workarounds
Restrict Local Access
Windows: Limit local user access to systems running Zoom to only trusted, authorized personnel.
Implement Least Privilege
Windows: Ensure users only have necessary permissions on systems where Zoom is installed.
🧯 If You Can't Patch
- Restrict physical and remote desktop access to Zoom systems to authorized personnel only
- Implement application whitelisting to prevent unauthorized execution of Zoom or related processes
🔍 How to Verify
Check if Vulnerable:
Open Zoom, click profile picture, select 'Help', then 'About Zoom'. Check if version is earlier than 5.15.5.
Check Version:
In Zoom: Click profile picture → Help → About Zoom
Verify Fix Applied:
After updating, verify Zoom version is 5.15.5 or later using the About Zoom dialog.
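To run the same version check across several machines without opening the About dialog, the comparison can be scripted. The PowerShell below is an added example, not part of the original page or Zoom's own tooling; it assumes Zoom registers under the standard Windows uninstall registry keys with a DisplayName starting with "Zoom" and a DisplayVersion such as `5.15.5`, optionally followed by a build number in parentheses.

```powershell
# Added example: classify installed Zoom builds against the fixed release 5.15.5.
$FixedVersion = [version]'5.15.5'

function ConvertTo-ZoomVersion {
    param([string]$Text)
    # Compare as [version], never as strings: '5.9.6' sorts after '5.15.5' as text.
    # Assumed format: dotted numbers, optional "(build)", e.g. "5.15.4 (19404)".
    if ($Text -match '^\s*(\d+(?:\.\d+){1,3})(?:\s*\((\d+)\))?') {
        $v = $Matches[1]
        # Fold a parenthesised build number into the fourth version component.
        if ($Matches[2] -and ($v.Split('.').Count -lt 4)) { $v = "$v.$($Matches[2])" }
        return [version]$v
    }
    return $null   # unparseable or missing version string
}

function Get-ZoomInstallStatus {
    # Standard Windows uninstall keys: machine-wide (64- and 32-bit view) and
    # the current user. Per-user installs of other accounts are not visible here.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Zoom*' } |   # name filter is an assumption
        ForEach-Object {
            $parsed = ConvertTo-ZoomVersion $_.DisplayVersion
            if (-not $parsed) {
                $status = 'Unknown'        # review manually via Help -> About Zoom
            } elseif ($parsed -lt $FixedVersion) {
                $status = 'Vulnerable'     # earlier than 5.15.5
            } else {
                $status = 'Fixed'          # 5.15.5 or later
            }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Name     = $_.DisplayName
                Version  = $_.DisplayVersion
                Status   = $status
            }
        }
}

Get-ZoomInstallStatus | Format-Table -AutoSize
```

An empty result means no matching uninstall entry was found for the machine or the current user, not that Zoom is absent from every profile on the host.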
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to Zoom configuration files
- Multiple failed privilege escalation attempts in Windows Event Logs
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
EventID=4688 AND ProcessName LIKE '%zoom%' AND (CommandLine CONTAINS 'privilege' OR CommandLine CONTAINS 'escalation')