Improper trust boundary implementation for SMB in Zoom Clients
CVE-2023-28597
Key Information:
- Vendor: Zoom
- Status: Vendor
- CVE Published: 27 March 2023
Summary
Zoom clients earlier than version 5.13.5 are impacted by a vulnerability related to improper trust boundary implementation. When users save local recordings to an SMB location and later access them via a link from the Zoom web portal, an attacker on an adjacent network may exploit this weakness. By establishing a malicious SMB server, the attacker can intercept client requests and cause the client to inadvertently execute harmful executables on the user's device. This scenario poses significant risks, including unauthorized access to user data and the potential for remote code execution, highlighting the importance of maintaining up-to-date software for security.
Affected Version(s)
Zoom (for Android, iOS, Linux, macOS, and Windows) < 5.13.5
Zoom Rooms (for Android, iOS, Linux, macOS, and Windows) < 5.13.5
Zoom VDI for Windows < 5.13.10