Main Vulnerability Database SB2020042127

SB2020042127 - Multiple vulnerabilities in Zoom Client for Meetings

Published: April 21, 2020 Updated: June 30, 2020

Security Bulletin ID SB2020042127

CSH Severity

High

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 vulnerabilities.

1) Security Features (CVE-ID: CVE-2020-11876)

CWE-ID: CWE-254 - Security Features

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

This vulnerability allows a remote attacker to bypass security rescritions feature.

The vulnerability exists due to the "airhost.exe" uses the SHA-256 hash of 0123425234234fsdfsdr3242 for initialization of an OpenSSL EVP AES-256 CBC context. A remote attacker can gain unauthorized access to the application.

2) Security Features (CVE-ID: CVE-2020-11877)

CWE-ID: CWE-254 - Security Features

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

This vulnerability allows a remote attacker to bypass security rescritions feature.

The vulnerability exists due to the "airhost.exe" uses 3423423432325249 as the Initialization Vector (IV) for AES-256 CBC encryption. A remote attacker can gain unauthorized access to the application.

Remediation

Install update from vendor's website.

References

https://dev.io/posts/zoomzoo/