Zoom 5.6.10 Vulnerabilities with OpenSSL .dll need version 3.1.5

@donte.zoom - As mentioned elsewhere, 3.1.4 is now widely in use, but this still reports with tools such as Nessus and MDE that there are vulnerabilities in these binaries. It causes a lot of hassle when completing cyber security audits and other pieces of work.
Is there an ETA for when the latest binaries will be used so that we can all move forwards?

@bradleyhampson , @haiminger007 , @MC_IT ,

Thanks for informing us that OpenSSL vulnerabilities are still being reported in the binaries when using tools like Nessus and MDE. I’ll notify the team and update you on our findings. Meanwhile, if you have more information or need any clarification, feel free to reach out.

@bradleyhampson , @haiminger007 , @MC_IT

Could you provide a security scan showing that OpenSSL 3.1.4 in version 5.17.2 still has vulnerability reports? Sharing this information will help us investigate the issue further. Thank you.

Hi there, I can confirm that in Zoom version 5.17.2.29988 Microsoft Defender for Endpoint still continues to report vulnerabilities for
CVE-2023-5678 in libcrypto-3-zm.dll v3.1.4 & libssl-3-zm.dll v3.1.4. This is a medium severity vulnerability which, upon looking into it, is related to a complex denial of service.
I wouldn’t say that this is critical, but it would be nice to know the sort of timeline we can expect for updates to these binaries.

Any further updates on it? OpenSSL version 3.1.4 has notable vulnerabilities. Is there any information on when Zoom plans to upgrade to the more secure OpenSSL v3.1.5, addressing these concerns?

Tried the latest version, using Zoom Meetings Client 5.17.5 (31030) (64-bit)
DisplayVersion 5.17.31030
Install source: https://cdn.zoom.us/prod/5.17.5.31030/x64/ZoomInstallerFull.msi

I can confirm that this version still utilises OpenSSL Version 3.1.4.0
C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
C:\Program Files\Zoom\bin\libssl-3-zm.dll

Release notes
https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0068823

@donte.zoom
We are unable to post embedded images within the post. (Image Upload in the reply field gives the same error.)

As posted many times above, CVE-2023-5678 is patched in commit ddeb4b6 for OpenSSL 3.1.5; however, the code can be backported and compiled. The push to clear CVE-2023-5678 would be to formally have Zoom utilise version 3.2.0.

Due to the fact that they have not been posted on NIST and other sites yet, Zoom Meetings is also vulnerable to CVE-2023-6129 (see commit f3fc580 for OpenSSL 3.1.5) and CVE-2023-6237 (see commit a830f55 for OpenSSL 3.1.5).

All of the above is listed at [ Vulnerabilities ] - /news/vulnerabilities.html

No surprises here…

Tried the latest version, using Zoom Meetings Client 5.17.7 (31859) (64-bit)
DisplayVersion 5.17.31859
https://cdn.zoom.us/prod/5.17.7.31859/x64/ZoomInstallerFull.msi

I can confirm that this version still utilises OpenSSL Version 3.1.4.0
C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
C:\Program Files\Zoom\bin\libssl-3-zm.dll


In the latest Zoom version 5.17.7, the vulnerable files are:

  • C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
  • C:\Program Files\Zoom\bin\libssl-3-zm.dll

In the file Properties > Details tab, it also confirms the OpenSSL version is still 3.1.4.

OpenSSL 3.1.5 now has a fully final rollup for all the outstanding CVEs.
See [ Downloads ] - /source/index.html

There should now be absolutely no reason not to issue an urgent roll-up from 3.1.4 to OpenSSL 3.1.5 or to OpenSSL 3.2.1.
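A quick way to get the same answer the poster read off the Properties > Details tab, for every machine in an estate rather than by hand. This is an added example, not code from the thread or from Zoom; it assumes the install path and DLL names quoted above and takes 3.1.5 as the minimum acceptable OpenSSL build.

```powershell
# Added example (not from the thread): report the OpenSSL build embedded in Zoom's
# bundled DLLs and flag anything older than a minimum version (3.1.5 by default).
function Test-ZoomOpenSslVersion {
    param(
        # Install path as quoted in the thread; adjust for per-user or 32-bit installs.
        [string]$ZoomBin = 'C:\Program Files\Zoom\bin',
        [version]$MinimumVersion = [version]'3.1.5'
    )
    # DLL names reported by the scanners in this thread.
    $dlls = 'libcrypto-3-zm.dll', 'libssl-3-zm.dll'
    foreach ($name in $dlls) {
        $path = Join-Path $ZoomBin $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $name; FileVersion = $null; Compliant = $false; Note = 'not found' }
            continue
        }
        $info = (Get-Item -LiteralPath $path).VersionInfo
        # FileVersion is the "3.1.4.0" string shown on the Properties > Details tab.
        # Strip any trailing text (e.g. "3.1.4-zoom") before parsing, and report
        # unparseable strings instead of silently skipping them.
        $parsed = $null
        $clean  = $info.FileVersion -replace '[^\d.].*$', ''
        $ok     = [version]::TryParse($clean, [ref]$parsed)
        $note   = if ($ok) { "product: $($info.ProductVersion)" } else { 'unparseable version string' }
        [pscustomobject]@{
            File        = $name
            FileVersion = $info.FileVersion
            Compliant   = ($ok -and ($parsed -ge $MinimumVersion))
            Note        = $note
        }
    }
}

# Non-zero exit lets a deployment or audit job treat an old build as a failure.
$results = Test-ZoomOpenSslVersion
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

A version string alone cannot show whether individual CVE fixes were backported into a 3.1.4 build, which is exactly the statement the thread is asking Zoom to publish.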


This needs a bump to not auto-close; it’s been unfixed since November 2023.


What is going on in the land of Zoom’s cyber security?
Version 5.17.10 is now announced for upcoming release on the 26th of Feb, yet the release notes state nothing regarding increasing OpenSSL dependencies.

When can the product expect a security fix?

This is unbelievable. Is the development team in some type of bubble? All of our networks are vulnerable because you cannot fix a simple OpenSSL issue. If this is not fixed by the end of the 1st quarter, we will be moving to another solution.

FIX THIS NOW!

I just have to post again, as this is NOT solved, and I know Virginia @VA advised the 3.1.5 CVE fixes were backported with @Borts’s internal comms.

When this was originally raised, Zoom’s implementation of OpenSSL was version 3.1.1 and there were 4x CVEs, with 3x of those fixed by upgrading the dependency to the released 3.1.4.
One of those CVEs required a backport: CVE-2023-5678, fixed in OpenSSL 3.1.5 (affected since 3.1.0).

OpenSSL 3.1.4 was pulled from 5.17.1 (28914), and in turn was released on January 8, 2024 with version 5.17.2 (29988).

As such, with @VA’s confirmation, this states that CVE-2023-5678 can be marked as backported in Zoom’s OpenSSL 3.1.4 compilation.

The very next day after Zoom’s 5.17.2, on the 9th of January, OpenSSL declared CVE-2023-6129, fixed in OpenSSL 3.1.5 (affected since 3.1.0).
On the 15th of January CVE-2023-6237 was posted on OpenSSL’s site along with a git commit, fixed in OpenSSL 3.1.5 (affected since 3.1.0).

Later, on the 25th of January, OpenSSL posted CVE-2024-0727, fixed in OpenSSL 3.1.5 (affected since 3.1.0).

As all of these 3x additional CVEs impacting 3.1.4 were declared AFTER the Zoom fix in the Zoom changelogs, and given that no further details were declared by Zoom in the changelogs, I feel the community’s concerns about Zoom and their handling of this situation are entirely valid.

Based on the above, Zoom needs to make a statement of which CVEs were backported, and the simplest method would be to patch the OpenSSL version to 3.1.5, which was formally released on the 30th of January.

March 2024 now looms, and with the amount of Zoom attention on both the Community Post and Development Post, a fix should be issued promptly.

The line in Zoom’s February 26th Release Notes for Version 5.17.10 (33775) does not include the 3x CVE git commits backported to 3.1.4, and why would you; 3.1.5 was released the month prior.


Long time viewer, first time poster.

Every month I’m having security review meetings, and every month I’m having to say to Senior Management, “No, I can’t resolve these CVEs; Zoom still hasn’t fixed their product,” and they sit there looking at me like I’m stupid and lying.

Not much longer until we just have to say no more and remove and block Zoom completely from our estate to ensure we keep our ISO27001 accreditations.

Special thank you to the people at HelpdeskLCC and others. I’ve had this thread pinned for a while now; your constant updates on this have kept it alive, and I felt it was time to add to the cause.


Checked the upcoming releases, and sadly OpenSSL / security fixes are lacking from the release notes. Zoom needs to push to 3.1.5…

March 8, 2024 version 5.17.11
New and enhanced features
Simplified AI Companion consent notifications for hosts
When the meeting host initiates the meeting summary or meeting questions features, they will no longer see the consent prompt, and instead will see a simple toast notification along the top of the meeting window, which will disappear after a few seconds. Other meeting participants will see the consent notification as a prompt along the top of the meeting window, but must acknowledge the prompt before it will disappear.
Resolved Issues
Minor bug fixes
Resolved an issue regarding the first session of a recurring meeting not syncing properly from Outlook


Confirmed Zoom Version 5.17.11 (34827) (64-bit) (8th March 2024) utilises OpenSSL 3.1.4.


Zoom 5.7.11 deployed to users.

Still flagging CVEs for 3.1.4.


@donte.zoom do you have any update regarding this OpenSSL vulnerability? Even just an estimated date for remediation? Thanks.


@donte.zoom guys, what is going on here? How are we still talking about this half a year later?

I don’t think a competitor could have dreamt up a more optimal scenario to scare the leadership suits away from your offering to their secure offering.

Optics matter.
Openness and communication matter. There is nowhere official posted about the status of this and any mitigations and backports, and no, some random post on a forum thread doesn’t count, because we can’t verify anything about that.
Total lack of response or urgency matters.

This is what people in decision-making roles will remember the next time they have to choose a solution in the collaboration space.
