CVE-2024-43360
📋 TL;DR
ZoneMinder CCTV software contains a time-based (blind) SQL injection vulnerability (CWE-89) that allows attackers to execute arbitrary SQL commands against the backing database, inferring results from response delays. This affects all ZoneMinder installations below the patched versions, potentially enabling database compromise. The vulnerability is rated critical with a CVSS score of 9.8.
💻 Affected Systems
- ZoneMinder
📦 What is this software?
Zoneminder by Zoneminder
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, authentication bypass, remote code execution via database functions, and full system takeover.
Likely Case
Database information disclosure, privilege escalation, and potential authentication bypass allowing unauthorized access to CCTV feeds and system controls.
If Mitigated
Limited impact if database runs with minimal privileges, input validation exists elsewhere, or network segmentation prevents exploitation.
🎯 Exploit Status
Time-based SQL injection typically requires minimal technical skill to exploit. The advisory suggests unauthenticated access is possible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.36.34 or 1.37.61
Vendor Advisory: https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-9cmr-7437-v9fj
Restart Required: Yes
Instructions:
1. Backup your ZoneMinder configuration and database.
2. Update ZoneMinder using your package manager or from source.
3. Restart the ZoneMinder service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with SQL injection protection rules to block exploitation attempts.
Network Segmentation
Restrict access to the ZoneMinder web interface to trusted networks only.
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit ZoneMinder web interface access to authorized users only.
- Deploy database monitoring to detect SQL injection attempts and unusual database queries.
🔍 How to Verify
Check if Vulnerable:
Check ZoneMinder version via web interface or command line. Versions below 1.36.34 or 1.37.61 are vulnerable.
Check Version:
zmdc.pl version
Verify Fix Applied:
Confirm ZoneMinder version is 1.36.34 or higher (1.36.x branch) or 1.37.61 or higher (1.37.x branch).
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple requests containing SQL time-delay functions (SLEEP, BENCHMARK, WAITFOR, pg_sleep) in web server logs
- Error messages containing SQL syntax
Network Indicators:
- HTTP requests with SQL injection patterns in parameters
- Unusual timing patterns in web requests
SIEM Query:
source="web_logs" AND (url="*SLEEP(*" OR url="*WAITFOR(*" OR url="*BENCHMARK(*" OR url="*pg_sleep(*")
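As an added example (not part of this advisory or of the ZoneMinder project), a small Python detector that applies the log indicators above to Apache-style access log lines; unlike the SIEM query, it percent-decodes each request URL first, so encoded payloads such as SLEEP%28 or double-encoded variants are not missed, and it counts repeat sources for the "multiple requests" indicator. The sample log lines and the /zm/ paths and parameters in them are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Time-delay constructs used by time-based blind SQL injection probes; the same
# indicators as the SIEM query above (SLEEP, WAITFOR, BENCHMARK, pg_sleep).
DELAY_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
# Apache/nginx combined log format, the usual front end for ZoneMinder's web UI.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def normalize_url(url, rounds=3):
    """Percent-decode repeatedly so single- and double-encoded payloads surface."""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url

def find_delay_probe(url):
    """Return the matched delay construct (e.g. 'SLEEP(') or None."""
    m = DELAY_RE.search(normalize_url(url))
    return m.group(0) if m else None

def scan_log(lines):
    """Return (ip, timestamp, indicator, decoded_url) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip
        indicator = find_delay_probe(m.group("url"))
        if indicator:
            hits.append((m.group("ip"), m.group("ts"), indicator, normalize_url(m.group("url"))))
    return hits

def repeat_offenders(hits, threshold=2):
    """Sources with at least `threshold` probes, the 'multiple requests' indicator."""
    counts = Counter(ip for ip, *_ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log lines (not real traffic); the /zm/ paths are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2024:12:00:01 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Aug/2024:12:00:05 +0000] "GET /zm/index.php?view=events&id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 812',
    '203.0.113.7 - - [10/Aug/2024:12:00:11 +0000] "GET /zm/index.php?view=events&id=1%2520AND%2520BENCHMARK%25285000000%252CMD5%25281%2529%2529 HTTP/1.1" 200 812',
    '198.51.100.4 - - [10/Aug/2024:12:01:00 +0000] "POST /zm/index.php HTTP/1.1" 302 0',
]
```

Running scan_log(SAMPLE_LOG) flags the second and third lines only, and repeat_offenders() reports 203.0.113.7 with two probes.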
🔗 References
- https://github.com/ZoneMinder/zoneminder/commit/677f6a31551f128554f7b0110a52fd76453a657a
- https://github.com/ZoneMinder/zoneminder/commit/a194fe81d34c5eea2ab1dc18dc8df615fca634a6
- https://github.com/ZoneMinder/zoneminder/commit/bb07118118e23b5670c2c18be8be2cc6b8529397
- https://github.com/ZoneMinder/zoneminder/commit/de8f387207e9c506e8e8007eda725741a25601c5
- https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-9cmr-7437-v9fj