CVE-2023-26034
📋 TL;DR
ZoneMinder versions before 1.36.33 and 1.37.33 contain a SQL injection vulnerability in the filter query parameter. Attackers with View or Edit permissions can execute arbitrary SQL commands, potentially leading to data theft, authentication bypass, or remote code execution. This affects all ZoneMinder installations using vulnerable versions.
💻 Affected Systems
- ZoneMinder
📦 What is this software?
Zoneminder by Zoneminder
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Unauthorized data access and modification of surveillance footage and system configurations.
If Mitigated
Limited impact if proper input validation and least privilege access controls are implemented.
🎯 Exploit Status
Exploitation requires valid user credentials with View or Edit permissions. SQL injection is well-documented and easy to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.36.33 or 1.37.33
Vendor Advisory: https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-222j-wh8m-xjrx
Restart Required: Yes
Instructions:
1. Backup your ZoneMinder configuration and database.
2. Update ZoneMinder to version 1.36.33 or 1.37.33 using your package manager or from source.
3. Restart the ZoneMinder service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation Filter
Implement web application firewall rules or input validation to block SQL injection patterns in the filter parameter.
# Example mod_security rule. The vulnerable input arrives as nested names such as filter[Query][terms][0][attr],
# so select the arguments by a name regex; a plain ARGS:filter selector would never match them.
SecRule "ARGS:/^filter\[/" "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQL injection attempt in ZoneMinder filter parameter'"
🧯 If You Can't Patch
- Restrict network access to ZoneMinder interface to trusted IPs only using firewall rules.
- Implement strict least privilege access controls and monitor for unusual SQL queries in database logs.
🔍 How to Verify
Check if Vulnerable:
Check the ZoneMinder version via the web interface or command line. A stable-branch version below 1.36.33, or a development-branch version below 1.37.33, is vulnerable.
Check Version:
zmupdate.pl --version or check web interface footer
Verify Fix Applied:
Confirm ZoneMinder version is 1.36.33 or higher (stable) or 1.37.33 or higher (development). Test the filter parameter with SQL injection payloads to ensure they are blocked.
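Because the fix landed on two branches, a plain numeric "below 1.36.33 or 1.37.33" comparison is easy to get wrong: 1.37.0 sorts above 1.36.33 yet is vulnerable, while 1.36.40 sorts below 1.37.33 yet is fixed. The following Python helper is an added example, not part of this advisory or of ZoneMinder itself; it extracts a version from `zmupdate.pl --version` output or the footer text and applies the advisory's per-branch rule. It assumes that any release numbered 1.38 or later postdates both fixes and that a 0.x version is older than both.

```python
import re
import subprocess

# Fixed patch level per minor branch, straight from the advisory:
# 1.36.33 on the stable branch, 1.37.33 on the development branch.
FIXED_PATCH = {36: 33, 37: 33}


def parse_version(text):
    """Return (major, minor, patch) for the first X.Y.Z found in free text.

    Works on `zmupdate.pl --version` output as well as footer text such as
    "ZoneMinder v1.36.32". Raises ValueError if no version is present.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version number found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """Apply the advisory's branch rule to a (major, minor, patch) tuple."""
    major, minor, patch = version
    if major != 1:
        # Assumption: 0.x predates both fixes; 2.x or later would postdate them.
        return major < 1
    if minor < 36:
        return True                      # older than both fixed branches
    if minor in FIXED_PATCH:
        return patch < FIXED_PATCH[minor]  # 1.36.x and 1.37.x: compare patch level
    return False                         # assumption: 1.38+ was cut after both fixes


def check_installed(command=("zmupdate.pl", "--version")):
    """Run the version command on this host and classify the result.

    Returns True (vulnerable), False (fixed) or None when the command is not
    available, so the helper can be run safely on a machine without ZoneMinder.
    """
    try:
        output = subprocess.run(command, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return None
    try:
        return is_vulnerable(parse_version(output))
    except ValueError:
        return None


if __name__ == "__main__":
    for sample in ("ZoneMinder v1.36.32", "1.36.33", "1.37.0", "1.37.33"):
        state = "VULNERABLE" if is_vulnerable(parse_version(sample)) else "fixed"
        print(f"{sample:22} -> {state}")
    local = check_installed()
    print("local install:", {True: "VULNERABLE", False: "fixed", None: "zmupdate.pl not found"}[local])
```

Run it on the ZoneMinder host; for a footer string copied from the web interface, pass the text to `parse_version` directly.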
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by filter parameter exploitation
Network Indicators:
- HTTP requests containing SQL keywords in filter[Query][terms][0][attr] parameter
SIEM Query:
source="web_logs" AND uri_path="/zm/index.php" AND query_string="*filter*" AND (query_string="*SELECT*" OR query_string="*UNION*" OR query_string="*OR*1=1*")
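The SIEM query above matches bare substrings anywhere in the query string, so a legitimate filter value such as "Selected Cameras" trips the SELECT wildcard. The Python detector below is an added example, not part of this advisory or of ZoneMinder; it applies the same idea to web-server access logs but only inspects parameters whose name begins with "filter" (the nested filter[Query][terms][...] family named above), URL-decodes their values, and uses word-boundary keyword matching. The three log lines are constructed sample data, not real traffic, and the /zm/index.php path is assumed to be the default ZoneMinder web root.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
# Line 1: benign filter request. Line 2: SQL keywords inside the filter attr
# parameter. Line 3: benign value containing "Select" as a plain substring.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2023:12:00:01 +0000] "GET /zm/index.php?view=filter&filter[Query][terms][0][attr]=Name&filter[Query][terms][0][val]=Front%20Door HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2023:12:00:07 +0000] "GET /zm/index.php?view=filter&filter[Query][terms][0][attr]=Name%20UNION%20SELECT%201--&filter[Query][terms][0][val]=x HTTP/1.1" 200 5120 "-" "curl/7.88"
10.0.0.5 - - [10/Mar/2023:12:00:09 +0000] "GET /zm/index.php?view=filter&filter[Query][terms][0][attr]=Name&filter[Query][terms][0][val]=Selected%20Cameras HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Request line inside a combined-format record: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Word-bounded SQL keywords, an OR-tautology shape, or SQL comment markers.
SQLI_RE = re.compile(
    r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP|SLEEP|BENCHMARK)\b"
    r"|\bOR\b\s+\S+\s*=\s*\S+"   # e.g. OR 1=1
    r"|(--|/\*|#)",               # comment markers used to truncate a statement
    re.IGNORECASE,
)

ZM_INDEX_PATH = "/zm/index.php"   # assumption: default ZoneMinder web root


def suspicious_filter_params(log_line):
    """Return [(name, decoded_value), ...] for filter parameters that look like SQL.

    An empty list means nothing suspicious. Only /zm/index.php requests are
    examined, and only parameters whose name starts with "filter".
    """
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    parts = urlsplit(m.group("uri"))
    if not parts.path.endswith(ZM_INDEX_PATH):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.startswith("filter") and SQLI_RE.search(value):
            hits.append((name, value))
    return hits


def scan_log(text):
    """Return the access-log lines that carry at least one suspicious filter parameter."""
    return [line for line in text.splitlines() if suspicious_filter_params(line)]


if __name__ == "__main__":
    for line in scan_log(SAMPLE_LOG):
        client = line.split(" ", 1)[0]
        for name, value in suspicious_filter_params(line):
            print(f"ALERT client={client} param={name} value={value!r}")
```

Point `scan_log` at the web server's access log (the query string must be logged for this to work, which is the same requirement the SIEM query has); each hit reports the client address, the parameter name and the decoded value so an analyst can triage it against the WAF and database logs.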