PT-2020-12632 · Zoom · Zoom Client For Meetings

Patrick Wardle · Published 2020-04-01 · Updated 2021-07-21 · CVE-2020-11470

CVSS v3.1: 3.3 (Low)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Zoom Client for Meetings versions 4.6.8 and earlier

Description

The issue allows a local process to obtain unprompted microphone and camera access by loading a crafted library, thereby inheriting the Zoom Client's access. This is possible due to the disable-library-validation entitlement.

Recommendations

For Zoom Client for Meetings versions 4.6.8 and earlier, consider updating to a version that does not have the disable-library-validation entitlement to prevent local processes from obtaining unprompted microphone and camera access. As a temporary workaround, consider restricting access to the microphone and camera for the Zoom Client to minimize the risk of exploitation.
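
To confirm whether an installed build still carries the entitlement described above, the following added example (not part of the advisory or of Zoom's code) audits an entitlements plist such as the XML that `codesign -d --entitlements` prints. The sample plist is constructed, and the two device entitlement keys are Apple hardened-runtime keys assumed here to represent microphone and camera use.

```python
import plistlib

# Apple hardened-runtime entitlement keys. Only the first is named in the
# advisory; the device keys are an assumption about how an app declares
# microphone and camera use.
DISABLE_LV = "com.apple.security.cs.disable-library-validation"
DEVICE_KEYS = {
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.device.camera": "camera",
}

# Constructed sample: entitlements plist of a hypothetical app bundle.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.device.audio-input</key><true/>
    <key>com.apple.security.device.camera</key><true/>
</dict>
</plist>
"""

def audit_entitlements(raw: bytes) -> dict:
    """Classify one entitlements plist by the exposure the advisory describes."""
    try:
        ents = plistlib.loads(raw)
    except Exception:
        # Empty output (unsigned binary) or a non-plist blob: report, don't guess.
        return {"risk": "unparseable", "devices": []}
    if not isinstance(ents, dict):
        return {"risk": "unparseable", "devices": []}
    # An entitlement only counts when its value is boolean true.
    lv_disabled = ents.get(DISABLE_LV) is True
    devices = sorted(n for k, n in DEVICE_KEYS.items() if ents.get(k) is True)
    if lv_disabled and devices:
        risk = "high"    # third-party libraries can load and inherit device access
    elif lv_disabled:
        risk = "review"  # library validation off, but no device entitlements
    else:
        risk = "ok"      # library validation enforced
    return {"risk": risk, "devices": devices}

if __name__ == "__main__":
    print(audit_entitlements(SAMPLE_ENTITLEMENTS))
```

A result of `high` on a current build means the update recommended above has not removed the entitlement.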

Exploit

Fix

Insufficient Verification of Data Authenticity

Weakness Enumeration

Related Identifiers

CVE-2020-11470

Affected Products

Zoom Client For Meetings