CVE-2023-26035
📋 TL;DR
ZoneMinder versions before 1.36.33 and 1.37.33 have an unauthenticated remote code execution vulnerability. Attackers can execute arbitrary commands on the server without authentication by exploiting missing authorization checks in the snapshot functionality. All ZoneMinder installations using vulnerable versions are affected.
💻 Affected Systems
- ZoneMinder
📦 What is this software?
Zoneminder by Zoneminder
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal data, pivot to other systems, or establish persistent access.
Likely Case
Attackers gain shell access to the ZoneMinder server, potentially compromising camera feeds, system data, and using the server for further attacks.
If Mitigated
If properly segmented and monitored, impact limited to the ZoneMinder application server with no lateral movement.
🎯 Exploit Status
Public exploit code available on Packet Storm. Simple HTTP request with crafted parameters triggers command injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.36.33 or 1.37.33
Vendor Advisory: https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr
Restart Required: Yes
Instructions:
1. Back up the current ZoneMinder configuration and database.
2. Update ZoneMinder to version 1.36.33 or 1.37.33 using your distribution's package manager or from source.
3. Restart the ZoneMinder service: sudo systemctl restart zoneminder
4. Verify the update was successful.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the ZoneMinder web interface to trusted IP addresses only.
# Example iptables rules (replace TRUSTED_IP). The ACCEPT rules alone do not restrict anything; the trailing DROP rules are what block everyone else, so keep them in this order:
sudo iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j DROP
sudo iptables -A INPUT -p tcp --dport 443 -j DROP
Web Application Firewall
Deploy WAF rules to block malicious requests to snapshot endpoints.
# ModSecurity rule example (denies any request whose id parameter contains characters outside [a-zA-Z0-9_-]):
SecRule ARGS:id "@rx [^a-zA-Z0-9_-]" "id:1001,phase:2,deny,msg:'ZoneMinder RCE attempt'"
# nginx location block (note: nph-zms is ZoneMinder's streaming CGI, so deny all also stops legitimate live streams):
location ~* /zm/cgi-bin/nph-zms { deny all; }
🧯 If You Can't Patch
- Immediately isolate ZoneMinder server from internet and restrict network access to necessary IPs only.
- Implement strict monitoring for unusual process execution or network connections from ZoneMinder server.
🔍 How to Verify
Check if Vulnerable:
Check the ZoneMinder version via the web interface or from the command line (dpkg -l | grep zoneminder on Debian/Ubuntu, rpm -qa | grep zoneminder on RHEL/CentOS). If the version is below 1.36.33 (1.36.x branch) or 1.37.33 (1.37.x branch), the system is vulnerable.
Check Version:
dpkg -l | grep zoneminder # Debian/Ubuntu
rpm -qa | grep zoneminder # RHEL/CentOS
cat /usr/share/zoneminder/includes/version.php # Source install
Verify Fix Applied:
After the update, verify that the version shows 1.36.33 or higher (1.36.x branch) or 1.37.33 or higher (1.37.x branch). Test the snapshot functionality with legitimate requests to confirm it still works.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /zm/cgi-bin/nph-zms or snapshot endpoints
- Shell commands in ZoneMinder logs containing user-supplied input
- Unexpected process execution from www-data or ZoneMinder user
Network Indicators:
- HTTP requests with shell metacharacters in parameters
- Outbound connections from ZoneMinder server to unusual destinations
- Multiple failed exploit attempts to snapshot endpoints
SIEM Query:
source="zoneminder.log" AND ("shell_exec" OR ("id=" AND ("|" OR ";" OR "$" OR "`")))
Note: in web-server access logs the metacharacters usually appear percent-encoded (for example %7C for | and %3B for ;), so decode the request line before matching, or add the encoded forms to the query.
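As an added defender-side example (not part of the advisory), the following Python scanner applies the indicators above to Apache/nginx combined-format access log lines: it flags requests to the nph-zms CGI or the snapshot view whose percent-decoded query contains the shell metacharacters named in the SIEM query, decoding repeatedly so that double-encoding does not hide them. The path prefixes and the sample log lines are constructed assumptions, not real traffic.

```python
import re
from urllib.parse import unquote

# Request paths the advisory lists as log indicators (assumed prefixes; adjust to your install).
SUSPECT_PATHS = ("/zm/cgi-bin/nph-zms", "view=snapshot")
# Shell metacharacters named in the advisory's SIEM query.
SHELL_META = re.compile(r"[|;$`]")
# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(value, rounds=3):
    """Percent-decode until stable so %7C and double-encoded %257C both surface as '|'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return a finding dict for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if not any(p in target for p in SUSPECT_PATHS):
        return None
    decoded = fully_decode(target)
    meta = SHELL_META.search(decoded)
    if not meta:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "status": m.group("status"),
            "decoded": decoded, "metachar": meta.group(0)}

def scan_log(text):
    """Scan a whole log text and return the list of findings in log order."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]

# Constructed sample lines (not real traffic); the last one is double-encoded (%2524 -> %24 -> $).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2023:12:00:01 +0000] "GET /zm/index.php?view=snapshot&id=1 HTTP/1.1" 200 512
10.0.0.9 - - [10/Nov/2023:12:00:02 +0000] "GET /zm/cgi-bin/nph-zms?mode=jpeg&monitor=2%7Cx HTTP/1.1" 500 0
10.0.0.7 - - [10/Nov/2023:12:00:03 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 4096
10.0.0.9 - - [10/Nov/2023:12:00:04 +0000] "POST /zm/index.php?view=snapshot&id=3%2524x HTTP/1.1" 200 120
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} status={f['status']} metachar={f['metachar']!r} -> {f['decoded']}")
```

Feed it your real access log with `scan_log(open(path).read())`; a clean legitimate snapshot request (the first sample line) produces no finding, while the two from 10.0.0.9 do.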
🔗 References
- http://packetstormsecurity.com/files/175675/ZoneMinder-Snapshots-Command-Injection.html
- https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr