| Date of the premiere of the system: | 2002/09 |
| Last Release Date: | 2022/06 |
| Technology: | Video surveillance systems |
Main article: Open Source
ZoneMinder free software is for an organization video surveillances distributed under the GNU GPL.
2022: ZoneMinder Security Vulnerabilities 1.36.14
On June 28, 2022, Positive Technologies announced that their employee Ilya Yatsenko had discovered two vulnerabilities in the ZoneMinder open source video surveillance system. The product is used to build corporate security systems and install home video surveillance. The manufacturer has released update 1.36.16 to fix these vulnerabilities.
Issues identified in ZoneMinder version 1.36.14. The first and most dangerous vulnerability (9.1 points on the CVSS 3.0 scale) allows an attacker, when authenticating as an administrator, to perform remote code execution (RCE) on the site where the web application is running. As a result, the intruder can gain access to the internal network. In addition, after authentication, the attacker gains access to the video stream.
 | "This is a common free installation solution. Video surveillance system It is used both at home and in companies, including industrial enterprises. According to our estimates, the largest number of software users are in the USA, Poland, Italy, Germany, Luxembourg and Russia. In some cases, administrators allow you to connect to ZoneMinder without authentication, which is very dangerous: an attacker can use systems such as Shodan to search for sites available on the Internet with ZoneMinder installed, " told Ilya Yatsenko |  |
Access to video data can provide the attacker with information about the mode of operation of employees, security services and the internal structure of the building. If ZoneMinder is installed at home, there is a risk of reselling access to Darknet or including a video surveillance system in the directories of unprotected video cameras, for example Insecam. The service was created to demonstrate the importance of settings, safety but can also be used by criminals.
The second vulnerability (4.8 points on the CVSS 3.0 scale) is associated with the lack of pre-processing of user input in the ZoneMinder 1.36.14 web application. It is of the type Stored XSS and can lead to attackers gaining access to confidential information, such as user sessions, on the site where the web application is running.
According to the researcher, among the reasons for the appearance of such vulnerabilities can be both the inattention of developers when writing code, as well as the use of outdated technologies (non-updated versions of the language) and insufficiently thorough code review.
Traffic analysis - products of the NTA (network traffic analysis) class and industrial NTA, for example, PT Network Attack Discovery (PT NAD), will help to identify attempts to exploit vulnerabilities in the network in a timely manner.
| The site content is translated by machine translation software powered by PROMT. The machine-translated articles are not always perfect and may contain errors in vocabulary, syntax or grammar. Read original article If you find inaccuracies or errors in the results of machine translation, please write to editor@tadviser.ru. We will make every effort to correct them as soon as possible. |