CVE-2024-24697 – This vulnerability allows an authenticated user... (How to Fix)

Q: What is the severity of CVE-2024-24697?

CVE-2024-24697 has a CVSS score of 7.2 (HIGH). This vulnerability allows an authenticated user on a Windows system to escalate privileges by exploiting an untrusted search path in Zoom's 32-bit client. Attackers could gain higher system permissions than intended. Only users running 32-bit Zoom clients on Windows are affected.

📋 TL;DR

This vulnerability allows an authenticated user on a Windows system to escalate privileges by exploiting an untrusted search path in Zoom's 32-bit client. Attackers could gain higher system permissions than intended. Only users running 32-bit Zoom clients on Windows are affected.

💻 Affected Systems

Products:

Zoom Client for Windows

Versions: 32-bit versions prior to 5.17.11

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects 32-bit Zoom clients on Windows. 64-bit clients and other platforms are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains SYSTEM-level privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement.

🟠

Likely Case

Authenticated user elevates to administrator privileges, allowing installation of malware, configuration changes, or access to protected resources.

🟢

If Mitigated

With proper user privilege separation and endpoint protection, impact limited to user-level activities with no privilege escalation.

🌐 Internet-Facing: LOW - Requires local authenticated access, not directly exploitable over internet.

🏢 Internal Only: HIGH - Internal authenticated users can exploit to gain elevated privileges on their own or shared workstations.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Requires authenticated local access. Exploitation likely involves DLL planting or search order hijacking techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.17.11 or later

Vendor Advisory: https://www.zoom.com/en/trust/security-bulletin/ZSB-24004/

Restart Required: Yes

Instructions:

1. Open Zoom client. 2. Click profile picture > Check for Updates. 3. Install update to version 5.17.11 or later. 4. Restart Zoom client. 5. Verify version in Settings > About.

🔧 Temporary Workarounds

Upgrade to 64-bit Zoom

windows

Migrate to 64-bit Zoom client which is not affected by this vulnerability

Download 64-bit installer from https://zoom.us/download

Restrict DLL loading

windows

Apply DLL search order hardening via Group Policy or registry

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zoom.exe" /v "CWDIllegalInDllSearch" /t REG_DWORD /d 0xffffffff /f

🧯 If You Can't Patch

Implement least privilege: Ensure users run with standard user accounts, not administrator privileges
Deploy application control policies to prevent unauthorized DLL loading and execution

🔍 How to Verify

Check if Vulnerable:

Check Zoom version: Open Zoom > Settings > About. If version is below 5.17.11 and architecture is 32-bit, system is vulnerable.

Check Version:

wmic product where "name like '%Zoom%'" get version

Verify Fix Applied:

Confirm Zoom version is 5.17.11 or later in Settings > About, and verify no unexpected DLLs load from user-writable directories.

📡 Detection & Monitoring

Log Indicators:

Windows Event Logs: Process creation from unusual locations, DLL loading from user directories by Zoom.exe
Zoom logs showing version below 5.17.11

Network Indicators:

Not applicable - local privilege escalation

SIEM Query:

EventID=4688 AND NewProcessName="*Zoom.exe" AND (ProcessCommandLine="*" OR ParentProcessName="*") | where Version < "5.17.11"

📊 Metadata

CVE ID: CVE-2024-24697

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

CWE: CWE-426

Published: February 14, 2024

Last Updated: November 21, 2024

🔗 References

https://www.zoom.com/en/trust/security-bulletin/ZSB-24004/ Vendor Advisory
https://www.zoom.com/en/trust/security-bulletin/ZSB-24004/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-24697, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Meeting Software Development Kit by Zoom

Rooms by Zoom

Vdi Windows Meeting Clients by Zoom

Vdi Windows Meeting Clients by Zoom

Vdi Windows Meeting Clients by Zoom

Zoom by Zoom

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Upgrade to 64-bit Zoom

Restrict DLL loading

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities