cancel
Showing results for 
Search instead for 
Did you mean: 

OpenSSL Vulnerability - Zoom Meetings uses old version 3.1.1

lcchelpdesk
Listener

I raised this on the dev forum hoping it would have reached the right set of eyes.

https://devforum.zoom.us/t/zoom-5-6-10-vulnerabilities-with-openssl-dll-need-version-3-1-5/98806/1

 

However, following a Search all prior reports of vulnerabilities have been placed within Zoom Community.

 

Using Zoom Meetings Client 5.16.10 (26186)
Microsoft Defender flags as vulnerable for
CVE-2023-4807 CVSS 6.2,
CVE-2023-5363 CVSS 5.9,
CVE-2023-3817 CVSS 3.7,
CVE-2023-5678 CVSS 3.7,

Install source: https://zoom.us/client/5.16.10.26186/ZoomInstallerFull.exe?archType=x64

Detected files
c:\program files\zoom\bin\libcrypto-3-zm.dll
c:\program files\zoom\bin\libssl-3-zm.dll
OpenSSL Version 3.1.1.0

Recommended course of action, upgrade to OpenSSL Version 3.1.5 or 3.2.0

Updating to 3.1.4 would still leave CVE-2023-5678


https://www.openssl.org/news/vulnerabilities.html

CVE-2023-4807, Fixed in OpenSSL 3.1.3 (Affected since 3.1.0)
gitcommit see git openssl org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5

CVE-2023-5363 , Fixed in OpenSSL 3.1.4 (Affected since 3.1.0)
gitcommit see git openssl org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee

CVE-2023-3817, Fixed in OpenSSL 3.1.2 (Affected since 3.1.0)
gitcommit see git openssl org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5

CVE-2023-5678 , Fixed in OpenSSL 3.1.5 (Affected since 3.1.0)
gitcommit see git openssl org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6

1 ACCEPTED SOLUTION

Frank_TB
Community Champion | Customer
Community Champion | Customer

Hello,

 

Release notes for December 27, 2023

 

New and enhanced features

  • General features
    • Update to OpenSSL 3.1.4 - Linux, Android, iOS
      Due to the recently disclosed vulnerabilities with lower versions of OpenSSL, the Zoom client is updated to use OpenSSL 3.1.4. Depending on your network security configuration, you may also need to update your network infrastructure devices’ firmware.

      https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0073685 

Regards,

 

If my reply helped, don't forget to click the accept as solution button!

View solution in original post

35 REPLIES 35

CompblCPS
Listener

Microsoft Defender 365 Vulnerability scans are showing every machine with 5.16.10 as vulnerable due to OpenSSL 3.1.1.1 use…

Need to be updated to 3.1.5 or newer ASAP

LCalrissian
Listener

Thank you so much for pointing this out.  I am seeing this same issue.

 

Disappointingly, Nessus vulnerability scanners are not picking up on this vulnerability 😞

dbrowna2bf
Listener

We have this vulnerability on almost every machine in our environment because Zoom seemingly doesn't care that their platform is vulnerable. I'm pretty disgusted, to say the least. I'll be using this example, and many others, to convince our CEO to let me migrate to Microsoft Teams instead.

Jigsaw428
Listener

Fact Check True
They need to have this updated ASAP

OutWest
Listener

This is not just Zoom.

The Microsoft PowerBI Desktop client also has an out of date OpenSSL version as well as several other vendors.
I tried to replace the out of date libssl-3-x64.dll and libcrypto-3-x64.dll across the machines in our domain, but Zoom signed their version of the dll files, and refuses to start with the updated dll files. Good for them for signing them, not something many other vendors do. On the flip side, they should have this patched and up to date already. 
Microsoft's Cloud Defender agent for Linux (mdatp) is running a curl version that is showing as critical. Microsoft chooses to hide this on their vulnerability scans, Tenable found it.
This is not just a Zoom problem, but an industry problem with these critical open source dependencies. 
 

Dash1977
Listener

Zoom 5.17 just released, but still has the 3.1.1 OpenSSL. I think we're just going to have to discontinue Zoom use and uninstall the app agency wide until it's resolved. 

dbrowna2bf
Listener

I really wish we could just drop Zoom, but my boss hates Teams so we are pretty much stuck with a vulnerability on every one of our workstations. At least it isn't on any of our servers, but the workstations connect to our servers... This bad.

lcchelpdesk
Listener

Tried the latest version and Using Zoom Meetings Client 5.17.0 (28375)
DisplayVersion 5.17.28375
Install source: https://zoom.us/client/5.17.0.28375/ZoomInstallerFull.msi?archType=x64

 

I can confirm that this version still utilises OpenSSL Version 3.1.1.0
C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
C:\Program Files\Zoom\bin\libssl-3-zm.dll

lcchelpdesk
Listener

Tried the latest version and Using Zoom Meetings Client 5.17.1 (28914) (64-bit)
DisplayVersion 5.17.28914
Install source: https://cdn.zoom.us/prod/5.17.1.28914/x64/ZoomInstallerFull.msi

I can confirm that this version still utilises OpenSSL Version 3.1.1.0
C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
C:\Program Files\Zoom\bin\libssl-3-zm.dll

OutWest
Listener

Still an issue. Zoom, please get this updated with a current version of OpenSSL. If you are doing a custom patch to the version you are running and consider this OK, please don't. We have no way of verifying compliance and this throws off our necessary reporting and patch management. 

I had a meeting with our I.T. security team. We’re going to do a mass uninstall next week and instruct users to use the web only version from now on. 

Frank_TB
Community Champion | Customer
Community Champion | Customer

Hello,

 

Release notes for December 27, 2023

 

New and enhanced features

  • General features
    • Update to OpenSSL 3.1.4 - Linux, Android, iOS
      Due to the recently disclosed vulnerabilities with lower versions of OpenSSL, the Zoom client is updated to use OpenSSL 3.1.4. Depending on your network security configuration, you may also need to update your network infrastructure devices’ firmware.

      https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0073685 

Regards,

 

If my reply helped, don't forget to click the accept as solution button!

Lower down in those same release notes....

 

Note: The Update to OpenSSL 3.1.4 enhancement for Windows and macOS has been pulled from release and will be available in another upcoming release. 

I suspect it's probably because OpenSSL 3.1.4 has a vulnerability as well. 3.2.0 appears to be the only current version of OpenSSL without the CVE-2023-5678 vulnerability. 

I'm sorry but this is not a viable solution.

the latest version for windows released on 23.1.2024 still contains these files:

 

c:\program files\zoom\bin\libssl-3-zm.dll , which contains openssl v3.1.4

and the zoom outlook plugin:
c:\program files (x86)\zoom\zoom outlook plugin\x64\libcrypto-3-zm.dll 
c:\program files (x86)\zoom\zoom outlook plugin\libcrypto-3-zm.dll

Both these file still have openssl v3.1.1

 

Zoom should move to use openssl v3.2. A much bigger problem is also in the ZOOM VDI version. it updates only one in 3 months!. I indeed dont need a new feature from Zoom for this enviornment every 2 weeks, But come on - securiry patches should be released ASAP!

The release notes posted are for Linux, Android and iOS. The concern raised is in reference to the Windows client, which still hasn't been updated.

We have done the same.  Zoom client mass uninstalled and blocked via Applocker policies.

 

We have also deployed a custom browser extension to transparently redirect Zoom meeting links to use their web client.  It just works.

DalongChen
Listener

We plan to upgrade to OpenSSL 3.1.4 in zoom client 5.17.5. Thanks.

OpenSSL 3.1.4 contains the vulnerability as well. A newer version than 3.1.4 will need to be implemented instead. 

lcchelpdesk
Listener

Hi all,

Release notes for the Zoom Client show that version 5.17.2 should be released in the next 24 hours.
https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0073791

https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0068823
January 8, 2024 version 5.17.2

New and enhanced features
General features
Update to OpenSSL 3.1.4 - Windows, macOS
Due to the recently disclosed vulnerabilities with lower versions of OpenSSL, the Zoom client is updated to use OpenSSL 3.1.4. Depending on your network security configuration, you may also need to update your network infrastructure devices’ firmware.
Resolved Issues
Minor bug fixes

As they are only patching to 3.1.4 (but the commit in 3.15 could have been included).
Microsoft Defender flags will now only flag Zoom Meetings vulnerable for
CVE-2023-5678 CVSS 3.7.
CVE-2023-5678 , Fixed in OpenSSL 3.1.5 (Affected since 3.1.0)
gitcommit see git openssl org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6

We can now all await Zoom to update to OpenSSL Version 3.2.0

dbrowna2bf
Listener

I don't know if the update to address this works properly. Now we are on Zoom version 5.17.5 and our users continue to experience major issues with Zoom just closing without any error code or commonality. Just randomly closes. As usual, Zoom Support is of no real help.

lcchelpdesk
Listener

Tried the latest version and Using Zoom Meetings Client 5.17.5 (31030) (64-bit)
DisplayVersion 5.17.31030
Install source: https://cdn.zoom.us/prod/5.17.5.31030/x64/ZoomInstallerFull.msi

 

I can confirm that this version still utilises OpenSSL Version 3.1.4.0
C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
C:\Program Files\Zoom\bin\libssl-3-zm.dll

 

Release notes
https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0068823

lcchelpdesk
Listener

I know someone marked this as Solved, but it was not I (the original ticket creator).

 

Zoom Meetings Client 5.17.5 (31030)
OpenSSL 3.1.4 flags as vulnerable for
CVE-2024-0727
CVE-2023-6237
CVE-2023-6129 CVSS 6.5
CVE-2023-5678 CVSS 5.3
https://www.openssl.org/news/vulnerabilities.html

 

All have commits for 3.1.5 and 3.2.1

dbrowna2bf
Listener

Zoom support has been pulling shady stuff lately. They likely closed this because they are getting too much negative attention. You can't trust Zoom to do the right thing.

lcchelpdesk
Listener

No surprises here...

Tried the latest version and Using Zoom Meetings Client 5.17.7 (31859) (64-bit)
DisplayVersion 5.17.31859
https://cdn.zoom.us/prod/5.17.7.31859/x64/ZoomInstallerFull.msi

 

I can confirm that this version still utilises OpenSSL Version 3.1.4.0
C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
C:\Program Files\Zoom\bin\libssl-3-zm.dll

 

Release notes
https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0068823

lcchelpdesk
Listener

OpenSSL 3.1.5 now has a fully final rollup for all the outstanding CVE’s
See openssl.org/source/

There should now be absolutely no reason not to issue an urgent roll-up from 3.1.4 to OpenSSL 3.1.5 or to OpenSSL 3.2.1

Frank_TB
Community Champion | Customer
Community Champion | Customer

Hello,

 

I opened a Zoom support ticket regarding OpenSSL 3.15 / 3.21

 

 

Zoom Support ticket TS0514340

 

Regards

If my reply helped, don't forget to click the accept as solution button!

PaulB10000
Listener

Hi,

 

Is there an update to when 3.1.5 or above will be implemented into the new Zoom installer?

 

This thread is marked as "solved" for 3.1.4 - but that version is still vulnerable.

This needs a Bump to not Auto-close its been unfixed since November 2023.

lcchelpdesk
Listener

What is going on in the land of Zoom's Cyber Security?


Version 5.17.10 is now announced for upcoming release on the 26th of Feb yet the release notes state nothing regarding increasing OpenSSL dependencies.

 

When can the product expect a security fix?

@lcchelpdesk The latest Zoom client utilizes security fixes addressed in OpenSSL 3.1.5 and is packaged with version 3.1.4. Since Microsoft Defender only detects OpenSSL 3.1.4 and not our custom fix, it outputs a warning. Once OpenSSL 3.1.5 is available as a stable release, Zoom plans to adopt this version into the Zoom apps and that change will be called out in our official release notes. Thank you to @Bort for researching this internally!


Virginia (she/her/hers)
Zoom Community Team
Have you heard of Zoom AI Companion?

Thank you so much, VA for confirming the git commits were backported into the Zoom compile of 3.1.4.
From my post on the 1st of Feb, 3.1.5 was released in full on the 30th of January, hence PaulB10000 chase up with the same on the 14th of Feb and my last chase on the 22nd.
Now that it is confirmed, we can finally file an exemption against 3.1.4 for the current CVE's.

 

Thank you to all involved and still hope to see 3.1.5 in an upcoming release shortly.

Echoing the other user. 3.1.5 is released as stable, please work on a more easier to understand fix as this post you made is literally the only documentation available about this. It makes for a terrible story when looking to make security stakeholders aware of what the current state of the risk situation is.

 

 

I realize this is not your decision but the time to properly address this, and lack of any kind of communication, is absolutely embarrassing for a company of Zooms funding and size. We're not very far from the Zoom security failures of the early Covid days, this just reinforces that perhaps things did not change as much as the marketing teams would like us to think so.

Here here! ...or hear hear? ...or is it hear here?

dbrowna2bf
Listener

This isn't "solved", you just have a temporary workaround. Why does it keep getting marked solved?