Ubuntu 16.04 ESM / 20.04 ESM / 22.04 ESM : ZoneMinder vulnerabilities (USN-5889-1)

critical Nessus Plugin ID 171952

Synopsis

The remote Ubuntu host is missing one or more security updates.

Description

The remote Ubuntu 16.04 ESM / 20.04 ESM / 22.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5889-1 advisory.

- An issue was discovered in ZoneMinder v1.32.3. Reflected XSS exists in web/skins/classic/views/plugin.php via the zm/index.php?view=plugin pl parameter. (CVE-2019-6777)

- A stored-self XSS exists in web/skins/classic/views/zones.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a crafted Zone NAME to the index.php?view=zones&action=zoneImage&mid=1 URI. (CVE-2019-6990)

- A classic stack-based buffer overflow exists in the zmLoadUser() function in zm_user.cpp of the zmu binary in ZoneMinder through 1.32.3, allowing an unauthenticated attacker to execute code via a long username. (CVE-2019-6991)

- A stored-self XSS exists in web/skins/classic/views/controlcaps.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a long NAME or PROTOCOL to the index.php?view=controlcaps URI. (CVE-2019-6992)

- Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as multiple views under web/skins/classic/views insecurely utilize $_REQUEST['PHP_SELF'], without applying any proper filtration. (CVE-2019-7325)

- Self-stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'Host' parameter value in the view console (console.php) because proper filtration is omitted. This relates to the index.php?view=monitor Host Name field. (CVE-2019-7326)

- Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'scale' parameter value in the view frame (frame.php) because proper filtration is omitted. (CVE-2019-7327)

- Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'scale' parameter value in the view frame (frame.php) via /js/frame.js.php because proper filtration is omitted. (CVE-2019-7328)

- Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the form action on multiple views utilizes $_SERVER['PHP_SELF'] insecurely, mishandling any arbitrary input appended to the webroot URL, without any proper filtration, leading to XSS. (CVE-2019-7329)

- Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'show' parameter value in the view frame (frame.php) because proper filtration is omitted. (CVE-2019-7330)

- Self-stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3 while editing an existing monitor field named signal check color (monitor.php). There is no input validation or output filtration, leaving it vulnerable to HTML injection and an XSS attack. (CVE-2019-7331)

- Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'eid' (aka Event ID) parameter value in the view download (download.php) because proper filtration is omitted. (CVE-2019-7332)

- ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability. (CVE-2022-29806)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
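As an added example (not Tenable's NASL plugin code and not ZoneMinder code), the following Python reproduces the version-only check described in the note above: it parses `dpkg -l` output (the Host/Debian/dpkg-l item this plugin requires), then compares the installed zoneminder version against a fixed version using dpkg's own ordering rules, a port of dpkg's verrevcmp() that is why "1.0~rc1" sorts below "1.0" and revision "1" sorts below "1ubuntu0.1". The dpkg rows and the fixed version are constructed placeholders; the real fixed version for each release is in the USN text. A ZoneMinder built from source outside dpkg is exactly what a check like this cannot see, which is the caveat the note makes.

```python
# Added example: a version-only check of the kind described above, not
# Tenable's NASL plugin code and not ZoneMinder code. Versions and dpkg rows
# below are constructed placeholders; the real fixed versions are in the USN.
from typing import Dict, List, Tuple


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    # dpkg's order(): '~' sorts before anything (even end of string),
    # letters before non-letters; digits and end-of-string weigh 0.
    if c == "" or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    # Port of dpkg's verrevcmp(): compare alternating non-digit and numeric runs.
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        while (i < la and not _isdigit(a[i])) or (j < lb and not _isdigit(b[j])):
            ac = _order(a[i] if i < la else "")
            bc = _order(b[j] if j < lb else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < la and a[i] == "0":          # numeric run: drop leading zeros,
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and _isdigit(a[i]) and j < lb and _isdigit(b[j]):
            if not first_diff:                 # remember the first differing digit
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and _isdigit(a[i]):          # longer numeric run is greater
            return 1
        if j < lb and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v: str) -> Tuple[int, str, str]:
    # [epoch:]upstream[-revision]; a missing revision compares equal to "0".
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """<0, 0 or >0, the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def parse_dpkg_l(output: str) -> Dict[str, str]:
    """Package name -> version for rows in the installed ('ii') state."""
    installed: Dict[str, str] = {}
    for line in output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "ii":
            installed[f[1].split(":", 1)[0]] = f[2]   # strip ':amd64' qualifier
    return installed


def affected_packages(dpkg_output: str, fixed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(package, installed, fixed) for every fixed package installed below the fix."""
    have = parse_dpkg_l(dpkg_output)
    return [(p, have[p], v) for p, v in fixed.items()
            if p in have and compare_versions(have[p], v) < 0]


# Constructed `dpkg -l` output (illustrative versions, not real Ubuntu ones).
SAMPLE_DPKG_L = """\
||/ Name           Version             Architecture Description
+++-==============-===================-============-===========================
ii  libc6:amd64    2.35-0ubuntu3.1     amd64        GNU C Library: Shared libraries
ii  zoneminder     1.36.12+dfsg1-1     amd64        video camera security and surveillance solution
"""
# Placeholder, not the version from USN-5889-1: substitute the one for your release.
FIXED_PLACEHOLDER = {"zoneminder": "1.36.12+dfsg1-1ubuntu0.1~esm1"}

if __name__ == "__main__":
    for pkg, have, want in affected_packages(SAMPLE_DPKG_L, FIXED_PLACEHOLDER):
        print(f"{pkg}: installed {have} is older than fixed {want}")
```

To use it against a real host, feed it the output of `dpkg -l zoneminder` and the fixed version quoted in the USN for that release; on a single host `dpkg --compare-versions` gives the same answer with less code, the port is here to make the ordering rules (tilde, epoch, numeric runs) visible.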

Solution

Update the affected zoneminder package. On the ESM releases listed above the fixed package is published through the Ubuntu Pro ESM repositories, so the host must be attached to an Ubuntu Pro subscription before apt can see the update.

See Also

https://ubuntu.com/security/notices/USN-5889-1

Plugin Details

Severity: Critical

ID: 171952

File Name: ubuntu_USN-5889-1.nasl

Version: 1.2

Type: local

Agent: unix

Published: 2/28/2023

Updated: 10/20/2023

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-29806

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:canonical:ubuntu_linux:16.04:-:esm, cpe:/o:canonical:ubuntu_linux:20.04:-:esm, cpe:/o:canonical:ubuntu_linux:22.04:-:esm, p-cpe:/a:canonical:ubuntu_linux:zoneminder

Required KB Items: Host/cpu, Host/Debian/dpkg-l, Host/Ubuntu, Host/Ubuntu/release

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/27/2023

Vulnerability Publication Date: 1/24/2019

Exploitable With

Metasploit (ZoneMinder Language Settings Remote Code Execution)

Reference Information

CVE: CVE-2019-6777, CVE-2019-6990, CVE-2019-6991, CVE-2019-6992, CVE-2019-7325, CVE-2019-7326, CVE-2019-7327, CVE-2019-7328, CVE-2019-7329, CVE-2019-7330, CVE-2019-7331, CVE-2019-7332, CVE-2022-29806

USN: 5889-1