CVE-2023-41884
📋 TL;DR
CVE-2023-41884 is an SQL injection vulnerability in ZoneMinder's watch.php component that allows attackers to execute arbitrary SQL commands. This affects ZoneMinder installations with the vulnerable WWW/AJAX/watch.php endpoint accessible. Attackers could potentially access, modify, or delete surveillance data and system information.
💻 Affected Systems
- ZoneMinder
📦 What is this software?
ZoneMinder, an open-source video surveillance system, maintained by the ZoneMinder project
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the ZoneMinder database allowing data theft, surveillance footage manipulation, authentication bypass, and potential system takeover via subsequent attacks.
Likely Case
Unauthorized access to surveillance footage, camera configurations, and user data, potentially leading to privacy violations and system disruption.
If Mitigated
Limited impact with proper network segmentation, web application firewalls, and input validation controls in place.
🎯 Exploit Status
SQL injection vulnerabilities are typically easy to exploit with automated tools. The advisory suggests unauthenticated access is possible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.36.34
Vendor Advisory: https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-2qp3-fwpv-mc96
Restart Required: Yes
Instructions:
1. Backup your ZoneMinder configuration and database
2. Update ZoneMinder to version 1.36.34 or later using your package manager or from source
3. Restart the ZoneMinder service
4. Verify the update was successful
🔧 Temporary Workarounds
Web Application Firewall
Deploy a WAF with SQL injection protection rules to block malicious requests
Network Access Control
Restrict access to the ZoneMinder web interface to trusted networks only
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries in custom code
- Disable or restrict access to the WWW/AJAX/watch.php endpoint if not required
🔍 How to Verify
Check if Vulnerable:
Check ZoneMinder version: if below 1.36.34 and the web interface is accessible, the system is vulnerable
Check Version:
zmupdate.pl -v or check /usr/share/zoneminder/www/includes/version.php
Verify Fix Applied:
Verify ZoneMinder version is 1.36.34 or later and test the watch.php endpoint with SQL injection test payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL syntax in web server logs
- Multiple failed SQL queries to watch.php
- Requests with SQL keywords in parameters
Network Indicators:
- Unusual traffic patterns to /zm/www/ajax/watch.php
- SQL injection payloads in HTTP requests
SIEM Query:
(source="apache_access" OR source="nginx_access") AND uri="*watch.php*" AND (query="*SELECT*" OR query="*UNION*" OR query="*OR 1=1*")
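The log indicators above, turned into a small scanner as an added example (not part of the advisory or the ZoneMinder project): it parses combined-format access-log lines, keeps only requests to watch.php, URL-decodes each query parameter and flags the SQL-keyword indicators listed above plus server errors on that endpoint. The sample log lines, the indicator patterns and the two-request threshold are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic); the last two mimic
# the SQL-keyword indicators the advisory lists for watch.php requests.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2023:10:01:02 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 5120
10.0.0.7 - - [12/Sep/2023:10:01:09 +0000] "GET /zm/ajax/watch.php?mid=1 HTTP/1.1" 200 311
203.0.113.9 - - [12/Sep/2023:10:02:15 +0000] "GET /zm/ajax/watch.php?mid=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0
203.0.113.9 - - [12/Sep/2023:10:02:16 +0000] "GET /zm/ajax/watch.php?mid=1%27%20OR%201%3D1--%20 HTTP/1.1" 200 311
"""

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns applied to each URL-decoded query-string value.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("tautology", re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I)),
    ("comment-or-quote", re.compile(r"(--|/\*|#|')")),
    ("stacked-query", re.compile(r";\s*\w")),
]

def scan_access_log(text):
    """Return one finding per watch.php request whose decoded parameters match an
    indicator, or that produced a 5xx (the advisory's 'failed SQL query' signal)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.lower().endswith("/watch.php"):
            continue
        reasons = []
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                hits = [label for label, rx in SQLI_PATTERNS if rx.search(value)]
                if hits:
                    reasons.append(f"{name}: {','.join(hits)}")
        if m["status"].startswith("5"):
            reasons.append("server error on watch.php")
        if reasons:
            findings.append({"ip": m["ip"], "status": int(m["status"]), "reasons": reasons})
    return findings

def repeat_offenders(findings, threshold=2):
    """Client IPs with at least `threshold` flagged watch.php requests."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
    print("repeat offenders:", repeat_offenders(scan_access_log(SAMPLE_LOG)))
```

Feed it a real access log (for example `scan_access_log(open("/var/log/apache2/access.log").read())`) and review the flagged requests by hand, since keyword matching will also catch benign parameters that happen to contain these tokens.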