CVE-2023-26035: Unauthenticated RCE in snapshots

ZoneMinder is a free, open source closed-circuit television software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There is no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in versions 1.36.33 and 1.37.33.


Critical

connortechnology published GHSA-72rg-h4vf-29gr

Feb 24, 2023

Package

zoneminder (ZoneMinder)

Affected versions

< 1.36.33, < 1.37.33

Patched versions

1.36.33, 1.37.33

Description

Impact

There's no permissions check on https://github.com/ZoneMinder/zoneminder/blob/master/web/includes/actions/snapshot.php#L25, and https://github.com/ZoneMinder/zoneminder/blob/master/web/includes/actions/snapshot.php#L36 expects an id to fetch an existing monitor, but you can pass an object to create a new one instead. TriggerOn ends up calling shell_exec here:

zoneminder/web/includes/Monitor.php

Lines 782 to 783 in 371f1ad

$cmd = getZmuCommand($cmd.' -m '.$this->{'Id'});
$output = shell_exec($cmd);

using the supplied Id.

Patches

Fixed in 609b22a and 6ffd2bd aa495eda6be0f4d027283c6d5392e0c0dc07fb5d6.

We add validation to Monitor ID and require authentication before processing actions. In addition we validate Monitor ID before calling shell commands.
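
The three measures described above (require authentication before processing actions, validate the monitor ID, and validate again before building the shell command) are sketched here as an added example. This is not ZoneMinder's code: the function names, session keys and request shape are hypothetical, the sample requests are constructed, and PHP 8 is assumed.

```php
<?php
// Added illustration, not ZoneMinder source. All names here are hypothetical.

/** Return the id as an int, or null unless it is a plain positive integer. */
function validMonitorId(mixed $raw): ?int
{
    // Arrays and objects are refused outright instead of being treated as
    // the attributes of a new monitor.
    if (!is_int($raw) && !is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Build the command string; the int type and escapeshellarg() are a second layer. */
function buildZmuCommand(int $id): string
{
    return 'zmu -m ' . escapeshellarg((string) $id);
}

/** Check authorization first, then validate every id before any command is built. */
function handleSnapshot(array $session, array $request): array
{
    if (empty($session['user']) || empty($session['canEdit'])) {
        return ['status' => 'denied', 'commands' => []];
    }
    $commands = [];
    foreach ((array) ($request['monitor_ids'] ?? []) as $raw) {
        $id = validMonitorId($raw);
        if ($id === null) {
            return ['status' => 'rejected', 'commands' => []];
        }
        $commands[] = buildZmuCommand($id);
    }
    return ['status' => 'ok', 'commands' => $commands];
}

// Constructed sample requests.
$admin = ['user' => 'admin', 'canEdit' => true];
$cases = [
    'no session'     => [[], ['monitor_ids' => ['1']]],
    'numeric ids'    => [$admin, ['monitor_ids' => ['1', '2']]],
    'array as id'    => [$admin, ['monitor_ids' => [['Name' => 'x']]]],
    'non-numeric id' => [$admin, ['monitor_ids' => ['7 extra']]],
];
foreach ($cases as $label => [$session, $request]) {
    echo $label, ': ', json_encode(handleSnapshot($session, $request)), "\n";
}
```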

Workarounds

Apply patches manually.

Credit

UnblvR

Severity

Critical, 10.0 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVE ID

CVE-2023-26035

Weaknesses

No CWEs

Related news

ZoneMinder Snapshots Remote Code Execution

ZoneMinder Snapshots versions prior to 1.37.33 suffer from an unauthenticated remote code execution vulnerability.
