[TIMESTAMP: 2026-03-12 12:20 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Zoom and Splunk Patch Critical RCE and PE Vulnerabilities

// executive briefing tl;dr
  • [01] Critical RCE and privilege escalation flaws in Splunk and Zoom could allow attackers to execute arbitrary code or gain system-level access.
  • [02] Impacted systems include Splunk Enterprise on Windows and Zoom Desktop Clients for Windows prior to version 5.17.0.
  • [03] Administrators must immediately update Splunk Enterprise to version 9.2.2, 9.1.5, or 9.0.10 and Zoom clients to 5.17.0 or later.

Splunk and Zoom have released security advisories addressing multiple vulnerabilities that could lead to remote code execution (RCE) and privilege escalation on Windows-based systems. According to SecurityWeek, the updates fix flaws that, if exploited, allow attackers to execute arbitrary shell commands or access sensitive data. Organizations using these platforms are advised to prioritize the updates to prevent compromise of their corporate environments.

Technical Analysis of CVE-2024-36985: Splunk Enterprise 9.2.2 Patch Guidance

The most significant vulnerability addressed by Splunk is CVE-2024-36985, which carries a high-severity CVSS score of 8.8. This specific flaw affects Splunk Enterprise running on Windows and stems from the way the application processes search commands. An authenticated attacker can submit a specially crafted search request that triggers the execution of arbitrary code within the context of the user running the service.

Applying the Splunk Enterprise 9.2.2 patch guidance is the primary means of remediation. In addition to the RCE flaw, Splunk patched CVE-2024-36984, a medium-severity path traversal vulnerability in the splunkd process. It allows an authenticated attacker to escalate privileges, potentially gaining higher-level system access. To detect CVE-2024-36985 exploit attempts, defenders should monitor search logs for unusual characters or attempts to invoke system-level shell commands from within the Splunk interface.

Deep Dive into Zoom Desktop Client Vulnerabilities

Zoom has addressed a critical-severity vulnerability, CVE-2024-24691, which has a CVSS score of 9.6. This flaw is caused by improper input validation in several Zoom components, including the Zoom Desktop Client for Windows, the VDI Client, and several Windows-based Software Development Kits (SDKs). Exploitation of this vulnerability allows an attacker to execute arbitrary shell commands on the target system, potentially leading to full system takeover.

Zoom also disclosed and patched CVE-2024-24697 (CVSS 7.2) and CVE-2024-24699 (CVSS 7.5). The former is a privilege escalation flaw, while the latter is an information disclosure vulnerability that could allow an attacker to read data they are not authorized to access. Mitigating the Zoom Desktop Client RCE on Windows requires ensuring that all endpoints run version 5.17.0 or higher. For SOC analysts, this underscores the importance of an accurate asset inventory, so that specialized VDI clients and custom-integrated SDKs are not overlooked during the patching cycle.

Remediation and Mitigation Steps

The following actions are recommended for all affected organizations:

  • Splunk Enterprise: Update Windows installations to version 9.2.2, 9.1.5, or 9.0.10. While the RCE vulnerability specifically impacts Windows, Splunk has released these updates across platforms to maintain parity and security baseline standards.
  • Zoom Client: Update Zoom Desktop Client for Windows, Zoom VDI Client, and Zoom SDKs to version 5.17.0 or later. Organizations should use centralized management tools to force these updates on remote endpoints.
  • Monitoring: Update SIEM and EDR signatures to detect unusual process spawns from splunkd.exe or zoom.exe. Specifically, monitor for cmd.exe or powershell.exe being initiated as child processes of these applications, which may indicate an exploit attempt.
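
The parent/child rule from the monitoring item above, as an added example that is not part of the original article or any vendor's detection content. It assumes process-creation events exported as one JSON object per line with Sysmon Event ID 1 field names; the sample events and the allowlisted `inventory_app` scripted input are constructed for illustration.

```python
import json
import ntpath
import re

# Parent and child process names are the ones named in the monitoring item above.
WATCHED_PARENTS = {"splunkd.exe", "zoom.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}

# Hypothetical allowlist entry: a known scripted input that splunkd launches via cmd.exe.
ALLOWLIST = [re.compile(r"\\etc\\apps\\inventory_app\\bin\\collect\.bat$", re.I)]

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = r"""
{"UtcTime":"2026-03-12 10:01:07","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Splunk\\bin\\splunkd.exe","CommandLine":"cmd.exe /c whoami"}
{"UtcTime":"2026-03-12 10:02:11","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Users\\alice\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe","CommandLine":"powershell.exe -NoProfile -Command Get-Process"}
{"UtcTime":"2026-03-12 10:03:30","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"cmd.exe"}
{"UtcTime":"2026-03-12 10:04:02","Image":"C:\\Program Files\\Splunk\\bin\\splunk-optimize.exe","ParentImage":"C:\\Program Files\\Splunk\\bin\\splunkd.exe","CommandLine":"splunk-optimize.exe -d main"}
{"UtcTime":"2026-03-12 10:05:45","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Splunk\\bin\\splunkd.exe","CommandLine":"cmd.exe /c C:\\PROGRA~1\\Splunk\\etc\\apps\\inventory_app\\bin\\collect.bat"}
not-json garbage line
"""

def find_suspicious_spawns(lines, allowlist=()):
    """Return (time, parent, child, command line) for shell children of watched parents."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or malformed export lines
        if not isinstance(ev, dict):
            continue
        # Compare basenames case-insensitively so install path and casing do not matter.
        parent = ntpath.basename(ev.get("ParentImage") or "").lower()
        child = ntpath.basename(ev.get("Image") or "").lower()
        if parent not in WATCHED_PARENTS or child not in SHELL_CHILDREN:
            continue
        cmdline = ev.get("CommandLine") or ""
        if any(p.search(cmdline) for p in allowlist):
            continue  # known-good automation, reviewed and recorded by the operator
        hits.append((ev.get("UtcTime"), parent, child, cmdline))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_spawns(SAMPLE_EVENTS.splitlines(), ALLOWLIST):
        print("ALERT", *hit, sep=" | ")
```

Allowlist entries should be as narrow as the one shown, since a broad pattern would also suppress alerts for attacker-chosen command lines that happen to contain it.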
