CVE-2024-24697 Overview
CVE-2024-24697 is an untrusted search path vulnerability affecting Zoom 32-bit Windows clients that may allow an authenticated user to conduct an escalation of privilege via local access. This vulnerability falls under CWE-426 (Untrusted Search Path), a class of flaws where an application searches for libraries or executables in directories that may be under the control of an attacker.
Critical Impact
Local attackers with authenticated access can exploit this vulnerability to escalate privileges on affected Windows systems running 32-bit Zoom clients, potentially gaining elevated permissions to execute malicious code.
Affected Products
- Zoom Meeting Software Development Kit for Windows
- Zoom Rooms
- Zoom VDI Windows Meeting Clients
- Zoom Desktop Client for Windows (32-bit)
Discovery Timeline
- 2024-02-14 - CVE-2024-24697 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-24697
Vulnerability Analysis
This untrusted search path vulnerability exists in the 32-bit versions of various Zoom Windows clients. The flaw stems from how the application searches for and loads dynamic-link libraries (DLLs) or executables during runtime. When an application doesn't specify the full path to required libraries, Windows follows a predetermined search order to locate them. If an attacker can place a malicious DLL in one of the earlier search locations, the application will load the attacker's code instead of the legitimate library.
The local attack vector requires an authenticated user to have access to the target system. Once an attacker achieves local access, they can exploit this vulnerability to elevate their privileges, potentially gaining administrative or SYSTEM-level access depending on the context in which the Zoom client runs.
Root Cause
The root cause of CVE-2024-24697 is improper handling of the DLL search path in the affected Zoom 32-bit Windows applications. The vulnerable components fail to use absolute paths when loading libraries, or do not properly validate that loaded libraries originate from trusted locations. This allows an attacker to perform DLL hijacking by placing a malicious library in a location that Windows searches before the legitimate library directory.
Attack Vector
The attack requires local access to a system running an affected Zoom 32-bit Windows client. An authenticated attacker can exploit this vulnerability by:
- Identifying directories in the application's DLL search path that are writable by the attacker
- Placing a malicious DLL with the same name as a legitimately required library in one of these directories
- Triggering the Zoom application to load the malicious DLL, which executes with the privileges of the Zoom process
- Leveraging the elevated context to perform further malicious actions on the system
The attack does not require user interaction beyond the normal operation of the Zoom client, making it particularly dangerous in enterprise environments where Zoom is widely deployed.
Detection Methods for CVE-2024-24697
Indicators of Compromise
- Unexpected DLL files appearing in user-writable directories such as %TEMP%, the current working directory, or application directories
- Zoom processes loading libraries from non-standard locations outside the official Zoom installation directory
- Unusual process behavior or child processes spawned by Zoom client executables
- Windows event logs showing DLL load failures followed by loads from unexpected paths
Detection Strategies
- Monitor file system activity for DLL creation in directories commonly targeted for DLL hijacking attacks
- Implement application whitelisting to prevent unauthorized executables and libraries from running
- Use endpoint detection and response (EDR) solutions like SentinelOne to detect anomalous DLL loading behavior
- Enable Windows Defender Application Control (WDAC) or AppLocker policies to restrict DLL loading
Monitoring Recommendations
- Configure audit policies to log DLL load events (Event ID 7 in Sysmon)
- Monitor Zoom installation directories for unauthorized modifications or new file creation
- Track process creation events for Zoom executables to identify suspicious child processes
- Review Windows Security logs for privilege escalation indicators following Zoom process execution
How to Mitigate CVE-2024-24697
Immediate Actions Required
- Update all affected Zoom clients to the latest patched versions as specified in Zoom Security Bulletin ZSB-24004
- Migrate from 32-bit Zoom clients to 64-bit versions where possible
- Restrict user write permissions in directories within the application's DLL search path
- Implement application control policies to prevent loading of unauthorized DLLs
Patch Information
Zoom has released security patches addressing this vulnerability. Organizations should consult the Zoom Security Bulletin ZSB-24004 for specific version information and update guidance. The patch ensures that Zoom clients properly validate library paths and load DLLs only from trusted, secure locations.
Affected products requiring updates include:
- Zoom Meeting SDK for Windows
- Zoom Rooms for Windows
- Zoom VDI Windows Meeting Clients
- Zoom Desktop Client for Windows (32-bit)
Workarounds
- Remove write permissions from directories in the Windows DLL search path where possible
- Use Group Policy to configure SafeDllSearchMode to exclude the current working directory from the search path
- Deploy SentinelOne or similar EDR solutions to detect and block DLL hijacking attempts in real-time
- Consider temporarily restricting Zoom usage to 64-bit clients until patches can be applied to 32-bit deployments
# Windows Group Policy configuration to enable SafeDllSearchMode
# Run in elevated command prompt
reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
