Multiple Vulnerabilities identified in ZoneMinder

Loginsoft-2019-1038
February 11, 2019

About Package

ZoneMinder is an open source surveillance software system provider which stands best in delivering the high standard state of art surveillance cameras and other related security solutions which mainly concentrate on functions like capturing, analyzing, recording and monitoring of CCTV or security cameras. ZoneMinder allows you monitor as you wish irrespective of the size and scope of the target environment. The application mainly concentrates on Home Security, Theft Prevention, Industrial and Commercial Security and also on Household security surveillance services.

Vulnerability Detected: Cross Site Scripting Attack (XSS)

CWE: 79

Impact: XSS attacks mainly focus on implanting the malicious code into the trusted websites which lays the path for the attacker to invade into the system with the help of implanted code upon execution.

Identified CVEs

CVE-2019-6990 CVE-2019-7332 CVE-2019-7341
CVE-2019-6992 CVE-2019-7333 CVE-2019-7342
CVE-2019-7325 CVE-2019-7334 CVE-2019-7343
CVE-2019-7326 CVE-2019-7335 CVE-2019-7344
CVE-2019-7327 CVE-2019-7336 CVE-2019-7345
CVE-2019-7328 CVE-2019-7337 CVE-2019-7346
CVE-2019-7329 CVE-2019-7338 CVE-2019-7348
CVE-2019-7330 CVE-2019-7339 CVE-2019-7349
CVE-2019-7331 CVE-2019-7340 CVE-2019-7352
Vulnerability Detected: Cross Site Request Forgery (CSRF)

CWE: 120

Impact: CSRF attack target the state changing requests and tries to force the end user to execute the unwanted or malicious code on the web application. These attacks also attract the victim user to perform the web actions as guided by the attacker such as changing the email address or password or even transferring the funds from one account to the other.

Identified CVEs

CVE-2019-7346

Vulnerability Detected: Log Injection

CWE: 74

Impact: Unvalidated user input data is injected into the log file, causing the addition of custom log events into the web page.

Identified CVEs

CVE-2019-7351

Vulnerability Detected: Session Fixation

CWE: 384

Impact: Attacker can fixate his own session cookies to the next logged-in user, thereby hijacking the victim’s account.

Identified CVEs

CVE-2019-7350

Vulnerability Detected: Stack Overflow

CWE: 120

Impact: When the memory input exceeds the limit of the the stack an overflow occurs resulting in the data exploitation. This is high severity case as it tends to perform the arbitrary code execution or may cause Denial of Service.

Identified CVEs

CVE-2019-6991

Vulnerability Detected: TOCTOU Race Condition

CWE: 362

Impact: The TOCTOU vulnerability affects the system behavior and triggers the uncontrollable events as the sequence timing is exploited.

Identified CVEs

CVE-2019-7347

Timeline

Vendor Disclosure: 2019-01-24
Public Disclosure: 2019-02-11

Credit

Discovered by ACE Team – Loginsoft