CVE-2024-45418
📋 TL;DR
This vulnerability in Zoom macOS installers allows authenticated users to escalate privileges via symlink attacks when network access is available. It affects macOS users running Zoom apps before version 6.1.5. Attackers could potentially gain elevated privileges on affected systems.
💻 Affected Systems
- Zoom Client for macOS
- Zoom Meeting SDK for macOS
- Zoom Rooms for macOS
📦 What is this software?
Rooms by Zoom
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could gain root privileges on the macOS system, enabling complete system compromise, data theft, and persistence.
Likely Case
Local authenticated users could escalate to higher privileges, potentially installing malware, accessing restricted files, or modifying system configurations.
If Mitigated
With proper access controls and updated software, the risk is limited to authorized users who already have some level of system access.
🎯 Exploit Status
Exploitation requires authenticated access, knowledge of symlink attacks, and network connectivity to the target system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.5 or later
Vendor Advisory: https://www.zoom.com/en/trust/security-bulletin/zsb-24040/
Restart Required: Yes
Instructions:
1. Open the Zoom application.
2. Click on your profile picture.
3. Select 'Check for Updates'.
4. If an update is available, click 'Update'.
5. Restart Zoom after installation completes.
🔧 Temporary Workarounds
Restrict network access to Zoom installer
macOS: Limit network connectivity to Zoom installation directories to prevent symlink attacks via network
Implement strict file permissions
macOS: Set restrictive permissions on Zoom installation directories to limit symlink creation
sudo chmod 755 /Applications/zoom.us.app
sudo chown root:wheel /Applications/zoom.us.app
🧯 If You Can't Patch
- Implement strict access controls to limit which users can run Zoom installer
- Monitor for suspicious symlink creation in Zoom installation directories
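One way to carry out the symlink monitoring suggested above is a periodic audit of the install tree. This is an added example, not code from this page or from Zoom; the function name `audit_tree`, the `trusted_uid` parameter and the choice of three checks are assumptions of the example, and the default path is the one used in the commands on this page.

```python
import os
import stat
import sys


def audit_tree(root, trusted_uid=0):
    """Return sorted (path, reason) findings for symlink exposure under root.

    Findings are candidates for review, not proof of compromise.
    """
    root_real = os.path.realpath(root)
    findings = []
    # followlinks=False: symlinked directories are reported, never descended.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        mode = os.stat(dirpath).st_mode
        # A directory writable by group/other lets unprivileged users plant links.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((dirpath, "directory writable by group/other"))
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat inspects the link itself, not its target
            if not stat.S_ISLNK(st.st_mode):
                continue
            # Links inside an app bundle normally resolve within the bundle
            # (for example Versions/Current -> A); one that leaves it is unusual.
            target = os.path.realpath(path)
            if os.path.commonpath([root_real, target]) != root_real:
                findings.append((path, "symlink resolves outside tree: " + target))
            if st.st_uid != trusted_uid:
                findings.append((path, "symlink owned by uid %d" % st.st_uid))
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/Applications/zoom.us.app"
    for path, reason in audit_tree(root):
        print(f"{path}: {reason}")
```

Run it from a scheduled job and alert on any change in its output between runs.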
🔍 How to Verify
Check if Vulnerable:
Check the Zoom version in the application: click your profile picture → About Zoom. If the version is below 6.1.5, the system is vulnerable.
Check Version:
/Applications/zoom.us.app/Contents/MacOS/zoom -v
Verify Fix Applied:
Verify Zoom version is 6.1.5 or higher in About Zoom dialog. Check that symlink attacks in Zoom directories are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual symlink creation in Zoom directories
- Multiple failed privilege escalation attempts
- Zoom installer running with unexpected parameters
Network Indicators:
- Network connections to Zoom installation directories from unauthorized sources
- Unexpected network activity during Zoom updates
SIEM Query:
source="macos" AND ((event="symlink_creation" AND path="*zoom*") OR (process="zoom" AND event="privilege_escalation"))