CVE-2024-43360: SQLi Flaw Discovered in Popular Surveillance Software ZoneMinder

by do son · August 15, 2024

ZoneMinder, a widely used open-source video surveillance solution, has been found to contain a critical SQL injection vulnerability that could allow attackers to gain unauthorized access to sensitive data and potentially take control of affected systems.

The Vulnerability (CVE-2024-43360)

The vulnerability, tracked as CVE-2024-43360, has been assigned a CVSS score of 9.8, indicating its high severity. It affects ZoneMinder versions 1.36.33 and 1.37.43 and stems from improper sanitization of user input in the “sort” and “mid” parameters of the “/zm/index.php” endpoint.

http://host:port/zm/index.php?sort=**if(now()=sysdate()%2Csleep(6)%2C0)**&order=desc&limit=20&view=request&request=watch&mid=1

http://host:port/zm/index.php?limit=20&mid=-1%20OR%203*2*1=6%20AND%20000322=000322&order=desc&request=watch&sort=Id&view=request

An attacker can exploit this vulnerability to execute malicious SQL queries, potentially leading to:

Data theft: Unauthorized access to sensitive information, including video footage, user credentials, and system configurations
Data manipulation: Modification or deletion of data, leading to potential repudiation issues
System compromise: Complete takeover of the affected ZoneMinder system, allowing the attacker to execute arbitrary code

Affected Versions and Patch

Affected versions: ZoneMinder versions prior to 1.36.34 and 1.37.43
Patch version: ZoneMinder 1.36.34

Recommendations

All ZoneMinder users must update their installations to the latest patched version immediately.

Additionally, users should:

Monitor their systems: Keep a close eye on system logs for any suspicious activity.
Review security configurations: Ensure that ZoneMinder is properly configured with strong passwords and access controls.
Consider professional assistance: If you are unsure how to update or secure your ZoneMinder installation, seek help from a qualified security professional.