MGASA-2017-0162

Updated zoneminder packages fix security vulnerability

Publication date: 09 Jun 2017
Modification date: 09 Jun 2017
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-10140, CVE-2016-10201, CVE-2016-10202, CVE-2016-10203, CVE-2016-10204, CVE-2016-10205, CVE-2016-10206, CVE-2017-5367, CVE-2017-5368, CVE-2017-5595, CVE-2017-7203

Description

This update fixes the following security issues:

An information disclosure and authentication bypass vulnerability exists in
the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and
v1.29, which allows a remote unauthenticated attacker to browse all
directories in the web root; e.g., a remote unauthenticated attacker can
view all CCTV images on the server via the /events URI. (CVE-2016-10140)

Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier
allows remote attackers to inject arbitrary web script or HTML via the
format parameter in a download log request to index.php. (CVE-2016-10201)

Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier
allows remote attackers to inject arbitrary web script or HTML via the
path info to index.php. (CVE-2016-10202)

Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier
allows remote attackers to inject arbitrary web script or HTML via the
name when creating a new monitor. (CVE-2016-10203)

SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote
attackers to execute arbitrary SQL commands via the limit parameter in a
log query request to index.php. (CVE-2016-10204)

Session fixation vulnerability in Zoneminder 1.30 and earlier allows
remote attackers to hijack web sessions via the ZMSESSID cookie.
(CVE-2016-10205)

Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and
earlier allows remote attackers to hijack the authentication of users for
requests that change passwords and possibly have unspecified other impact
as demonstrated by a crafted user action request to index.php.
(CVE-2016-10206)

Multiple reflected XSS vulnerabilities exist within form and link input
parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web
application, which allow a remote attacker to execute malicious scripts
within an authenticated client's browser. The URL is /zm/index.php and
sample parameters could include (among others):
  action=login&view=postlogin[XSS]
  view=console[XSS]
  view=groups[XSS]
  view=events&filter[terms][1][cnj]=and[XSS]
  view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS]
  view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and
  view=events&limit=1%22%3E%3C/a%3E[XSS]
(CVE-2017-5367)

ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is
vulnerable to CSRF (Cross Site Request Forgery), which allows a remote
attacker to make changes to the web application as the currently logged-in
victim. If the victim visits a malicious web page, the attacker can
silently and automatically create a new admin user within the web
application for remote persistence and further attacks. The URL is
/zm/index.php and sample parameters could include (among others):
  action=user
  uid=0
  newUser[Username]=attacker1
  newUser[Password]=Password1234
  conf_password=Password1234
  newUser[System]=Edit
(CVE-2017-5368)

A file disclosure and inclusion vulnerability exists in web/views/file.php
in ZoneMinder 1.x through v1.30.0 because of unfiltered user-input being
passed to readfile(), which allows an authenticated attacker to read local
system files (e.g., /etc/passwd) in the context of the web server user
(www-data). The attack vector is a .. (dot dot) in the path parameter
within a zm/index.php?view=file&path= request. (CVE-2017-5595)
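As an added illustration, not ZoneMinder's own code, the following Python shows the containment check that web/views/file.php lacked: the untrusted path parameter is resolved against the web root before anything is read, so dot-dot segments, absolute paths and symlinks that leave the root are all refused. The web root layout, file names and request values are constructed sample data.

```python
import os
import tempfile
from pathlib import Path


class PathOutsideBaseError(ValueError):
    """The requested path does not resolve to a regular file inside the base."""


def resolve_served_path(base_dir: str, requested: str) -> Path:
    """Map an untrusted `requested` value onto a file inside `base_dir`.

    The check runs on the fully resolved path, so literal `..` segments,
    absolute paths and symlinks pointing outside the base are all rejected,
    not merely the string "..".
    """
    base = Path(base_dir).resolve(strict=True)
    # A leading separator would make `requested` absolute and discard `base`
    # in a join; strip it so the join is always relative to the base.
    candidate = (base / requested.lstrip("/\\")).resolve(strict=False)
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathOutsideBaseError(f"{requested!r} escapes {base}") from None
    # Serve only regular files: no directories, no devices, no base itself.
    if candidate == base or not candidate.is_file():
        raise PathOutsideBaseError(f"{requested!r} is not a file under {base}")
    return candidate


def is_safe_request(base_dir: str, requested: str) -> bool:
    try:
        resolve_served_path(base_dir, requested)
        return True
    except PathOutsideBaseError:
        return False


def demo_results() -> dict:
    """Build a throwaway web root (constructed sample data) and evaluate a few
    request values against it; returns {request: allowed?}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "events").mkdir(parents=True)
        (root / "events" / "1.jpg").write_bytes(b"\xff\xd8")       # constructed
        (Path(tmp) / "secret.txt").write_text("outside web root")  # constructed
        os.symlink(Path(tmp), root / "escape")  # symlink pointing above the root
        requests = [
            "events/1.jpg",             # legitimate file
            "events/../events/1.jpg",   # `..` that stays inside: still allowed
            "../secret.txt",            # classic dot-dot traversal
            "/secret.txt",              # absolute path
            "escape/secret.txt",        # traversal through a symlink
            "events",                   # a directory, not a file
        ]
        return {r: is_safe_request(str(root), r) for r in requests}
```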

A Cross-Site Scripting (XSS) was discovered in ZoneMinder 1.30.2. The
vulnerability exists due to insufficient filtration of user-supplied data
(postLoginQuery) passed to the
"ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php" URL. An
attacker could execute arbitrary HTML and script code in a browser in the
context of the vulnerable website. (CVE-2017-7203)

Notes for sysadmins:
1. CSRF attacks are now blocked by setting the ZoneMinder variable
   'ENABLE_CSRF_MAGIC' to 'yes'. During system update you may want to
   check that this variable is set. In Mageia 'yes' is the default for new
   installs of ZoneMinder.
2. Changes have been made to /etc/httpd/conf/site.d/zoneminder.conf to
   mitigate CVE-2016-10140. Make sure to accept the new configuration when
   updating existing systems.
SRPMS

5/core