CVE-2021-33907 - OpenCVE

The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Zoom	Meetings

Configuration 1 [-]

cpe:2.3:a:zoom:meetings:*:*:*:*:*:windows:*:*

References

Link	Resource
https://explore.zoom.us/en/trust/security/security-bulletin/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Zoom

Published: 2021-09-27T13:55:30

Updated: 2021-10-01T20:56:07

Reserved: 2021-06-07T00:00:00

Link: CVE-2021-33907

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-09-27T14:15:08.027

Modified: 2021-10-06T19:01:09.047

Link: CVE-2021-33907

JSON object: View

Redhat Information

No data.

CWE

CWE-295

{"containers": {"cna": {"affected": [{"product": "Zoom Client for Meetings for Windows", "vendor": "n/a", "versions": [{"status": "affected", "version": "All versions of the Zoom Client for Meetings for Windows before version 5.3.0"}]}], "descriptions": [{"lang": "en", "value": "The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context."}], "problemTypes": [{"descriptions": [{"description": "Improper Verification of Crypto Signature", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-01T20:56:07", "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", "shortName": "Zoom"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://explore.zoom.us/en/trust/security/security-bulletin/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@zoom.us", "ID": "CVE-2021-33907", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Zoom Client for Meetings for Windows", "version": {"version_data": [{"version_value": "All versions of the Zoom Client for Meetings for Windows before version 5.3.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Verification of Crypto Signature"}]}]}, "references": {"reference_data": [{"name": "https://explore.zoom.us/en/trust/security/security-bulletin/", "refsource": "MISC", "url": "https://explore.zoom.us/en/trust/security/security-bulletin/"}]}}}}, "cveMetadata": {"assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", "assignerShortName": "Zoom", "cveId": "CVE-2021-33907", "datePublished": "2021-09-27T13:55:30", "dateReserved": "2021-06-07T00:00:00", "dateUpdated": "2021-10-01T20:56:07", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zoom:meetings:*:*:*:*:*:windows:*:*", "matchCriteriaId": "47D1059A-DCEF-4068-8C98-87B3F7729A6C", "versionEndExcluding": "5.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context."}, {"lang": "es", "value": "Zoom Client for Meetings para Windows en todas las versiones anteriores a 5.3.0, no comprueba correctamente la informaci\u00f3n del certificado usada para firmar los archivos .msi cuando se lleva a cabo una actualizaci\u00f3n del cliente. Esto podr\u00eda conllevar a una ejecuci\u00f3n de c\u00f3digo remota en un contexto con privilegios elevados"}], "id": "CVE-2021-33907", "lastModified": "2021-10-06T19:01:09.047", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-27T14:15:08.027", "references": [{"source": "security@zoom.us", "tags": ["Vendor Advisory"], "url": "https://explore.zoom.us/en/trust/security/security-bulletin/"}], "sourceIdentifier": "security@zoom.us", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}