Headline
CVE-2023-26035: Unauthenticated RCE in snapshots
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There are no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in This issue is fixed in versions 1.36.33 and 1.37.33.
Critical
connortechnology published GHSA-72rg-h4vf-29gr
Feb 24, 2023
Package
zoneminder (ZoneMinder)
Affected versions
< 1.36.33, < 1.37.33
Patched versions
1.36.33, 1.37.33
Description
Impact
There’s no permissions check on https://github.com/ZoneMinder/zoneminder/blob/master/web/includes/actions/snapshot.php#L25 and https://github.com/ZoneMinder/zoneminder/blob/master/web/includes/actions/snapshot.php#L36 is expecting an id to fetch an existing monitor but you can pass an object to create a new one instead. TriggerOn ends up calling shell_exec here
zoneminder/web/includes/Monitor.php
Lines 782 to 783 in 371f1ad
$cmd = getZmuCommand($cmd.’ -m '.$this->{’Id’});
$output = shell_exec($cmd);
using the supplied Id
Patches
Fixed in 609b22a and 6ffd2bd aa495eda6be0f4d027283c6d5392e0c0dc07fb5d6.
We add validation to Monitor ID and require authentication before processing actions. In addition we validate Monitor ID before calling shell commands.
Workarounds
Apply patches manually.
Credit
UnblvR
Severity
Critical
10.0
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
CVE ID
CVE-2023-26035
Weaknesses
No CWEs
Related news
ZoneMinder Snapshots versions prior to 1.37.33 suffer from an unauthenticated remote code execution vulnerability.