CVE-2017-5368 in ZoneMinder
Summary
by MITRE
ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attacker to make changes to the web application as the currently logged-in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others).
Analysis
by VulDB Data Team • 08/11/2020
CVE-2017-5368 is a critical cross-site request forgery (CSRF) vulnerability in ZoneMinder versions 1.29 and 1.30, an open-source CCTV server web application used for video surveillance and security monitoring. It is classified as CWE-352 (Cross-Site Request Forgery): a state-changing request is accepted on the strength of the victim's session cookie alone, so an attacker can make an authenticated user's browser perform actions without that user's knowledge or consent. The flaw affects the ZoneMinder web interface, which is the primary management console for configuring cameras, monitors and user accounts.
Technically, the user-management action reached through /zm/index.php performs no check that the request originated from one of ZoneMinder's own pages: there is no anti-CSRF token tied to the session and no validation of the Origin or Referer header. Because a browser attaches the ZoneMinder session cookie to any request it sends to that host, a hidden form on a page the victim visits can be submitted automatically (for example by a script that runs on page load) and is processed as if the logged-in user had filled it in; no click or confirmation is needed. The sample parameters in the summary show the payload: action=user together with uid=0 selects the create-user path, newUser[Username], newUser[Password] and conf_password supply the new credentials, and newUser[System]=Edit grants the account system-level (administrative) rights. The attacker never needs the victim's password or cookie, since the victim's browser supplies the authentication. The one precondition is that the victim's own account has the right to create users, which in practice means an administrator must be logged in at the time.
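To make the mechanism concrete, the following added example (written for this page, not ZoneMinder's own code) models the create-user action twice: once as the vulnerable version that trusts the session cookie alone, and once hardened with the two controls the mitigation section calls for, an Origin/Referer check and a session-bound synchronizer token. It builds the forged request exactly as the victim's browser would send it, using the parameters from the MITRE summary, and replays it against both handlers. The hostnames, the cookie name ZMSESSID, the session table and the in-memory users table are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlparse

# Assumptions of this example (none are taken from the ZoneMinder code base):
TARGET_ORIGIN = "https://cctv.example"   # where the ZoneMinder instance lives
COOKIE_NAME = "ZMSESSID"                 # assumed session cookie name
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret for the token HMAC
SESSIONS = {"sid-victim": "admin"}       # constructed: one admin is logged in

def parse_php_form(body):
    """Expand PHP bracket keys (newUser[Username]=x) into nested dicts, the
    shape ZoneMinder's PHP sees as $_REQUEST['newUser']['Username'].
    One bracket level is handled, which is all the advisory's parameters use."""
    out = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key.endswith("]") and "[" in key:
            outer, inner = key[:-1].split("[", 1)
            out.setdefault(outer, {})[inner] = value
        else:
            out[key] = value
    return out

def forged_request(victim_sid):
    """What the victim's browser sends when the attacker's page auto-submits a
    hidden form to /zm/index.php. The attacker never learns the cookie; the
    browser attaches it because the form targets the ZoneMinder origin. The
    parameters are the ones quoted in the summary above."""
    body = urlencode({
        "action": "user",
        "uid": "0",
        "newUser[Username]": "attacker1",
        "newUser[Password]": "Password1234",
        "conf_password": "Password1234",
        "newUser[System]": "Edit",
    })
    return {"headers": {"Origin": "https://attacker.example"},
            "cookies": {COOKIE_NAME: victim_sid},
            "body": body}

def csrf_token(sid):
    """Synchronizer token bound to the session: only pages rendered by the
    server, which holds SERVER_SECRET, can embed a valid one."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()

def same_origin(url):
    """Compare scheme://host[:port] exactly, so a Referer such as
    https://cctv.example.attacker.example/ does not pass a prefix check."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}" == TARGET_ORIGIN

def vulnerable_create_user(req, users):
    """Vulnerable model: the session cookie is the only check, so the forged
    cross-site POST is honoured whenever the victim is a logged-in admin."""
    user = SESSIONS.get(req["cookies"].get(COOKIE_NAME))
    if user is None or users.get(user, {}).get("System") != "Edit":
        return 403, "insufficient privileges"
    form = parse_php_form(req["body"])
    if form.get("action") != "user" or form.get("uid") != "0":
        return 400, "not a create-user request"
    new = form.get("newUser", {})
    if "Username" not in new or new.get("Password") != form.get("conf_password"):
        return 400, "missing username or password confirmation mismatch"
    users[new["Username"]] = {"System": new.get("System", "None")}
    return 200, "created " + new["Username"]

def hardened_create_user(req, users):
    """Hardened model: the source origin (Origin, else Referer; fail closed if
    both are absent) must be our own, and the session-bound token must be
    present, before the original logic runs."""
    source = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    if not source or not same_origin(source):
        return 403, "cross-site request rejected"
    supplied = parse_php_form(req["body"]).get("csrf_token", "")
    expected = csrf_token(req["cookies"].get(COOKIE_NAME, ""))
    if not hmac.compare_digest(supplied, expected):
        return 403, "missing or invalid CSRF token"
    return vulnerable_create_user(req, users)

def legitimate_request(sid):
    """The same form submitted from ZoneMinder's own user page, which carries
    the token the server embedded when it rendered that page."""
    req = forged_request(sid)
    req["headers"] = {"Origin": TARGET_ORIGIN}
    req["body"] += "&" + urlencode({"csrf_token": csrf_token(sid)})
    return req

if __name__ == "__main__":
    forged = forged_request("sid-victim")
    print(vulnerable_create_user(forged, {"admin": {"System": "Edit"}}))
    print(hardened_create_user(forged, {"admin": {"System": "Edit"}}))
```

Two design points are worth noting. The origin check compares the full scheme and host rather than a string prefix, because a prefix test would accept a lookalike host such as cctv.example.attacker.example; and the token is compared with hmac.compare_digest rather than ==, so its validity cannot be probed byte by byte through timing. Setting the session cookie with the SameSite attribute is a further layer that keeps the browser from attaching it to cross-site form posts at all, but it depends on browser support and is not a substitute for the token.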
The operational impact goes well beyond a single privilege escalation, because the forged request leaves the attacker with a credential of their own. Once the administrative account exists, the attacker can log in directly at any time, view live feeds and recorded footage from every camera, change monitor and recording settings, add further accounts, and disable or delete recordings to cover physical intrusion. In ATT&CK terms the creation of the account maps to T1136 (Create Account) and its later use to T1078 (Valid Accounts); the sub-technique T1078.004 cited elsewhere is Cloud Accounts and does not fit a self-hosted web application. Pulling footage out of the environment is an exfiltration technique on top of that, for example T1041 (Exfiltration Over C2 Channel) when it leaves through the attacker's own channel. The impact is greatest where ZoneMinder monitors the physical security of sensitive sites, since the attacker gains the ability to watch, tamper with or silently switch off the surveillance.
Mitigation for CVE-2017-5368 starts with upgrading affected ZoneMinder installations to a release that ships CSRF protection; this analysis names 1.31 or later, and the project's release notes should be checked for the exact fix before treating an intermediate build as safe. The standard defence for this class of bug is a per-session anti-CSRF token on every state-changing request, combined with validation of the Origin or Referer header against the site's own origin and the SameSite attribute on the session cookie; requiring re-authentication before a user account is created or granted System rights adds a further barrier. A web application firewall can enforce the origin check at the edge as a stopgap, but it cannot add the token and should not be relied on in place of the patch. Network segmentation that restricts the ZoneMinder web interface to a management network reduces who can act as a victim, with the caveat that CSRF rides the victim's own browser: an administrator whose workstation can reach both the internet and the ZoneMinder host remains exposed. Because the attack needs nothing more than a page visit while an admin session is open, administrators should avoid general browsing from a session that is logged in to ZoneMinder and log out when finished. Finally, monitor for unexpected user creation: alert on new rows in the Users table and on requests to /zm/index.php that change state but arrive with a missing or foreign Referer, since that pattern is exactly what a forged request looks like in the web server log.
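The monitoring point above can be turned into a concrete check. The following added example (not part of this analysis or of ZoneMinder) scans web server access logs in the common Apache/nginx combined format and flags state-changing requests to the ZoneMinder front controller whose Referer is absent or belongs to another host. The log lines are constructed for the example, the hostname cctv.example is assumed, and because the summary does not fix the HTTP method, a GET that carries action= in its query string is treated as state-changing alongside any POST.

```python
import re
from urllib.parse import parse_qs, urlparse

ZM_HOST = "cctv.example"  # assumed hostname of the ZoneMinder instance

# Apache/nginx "combined" log format:
#   ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real logs): a normal console view, a genuine
# user edit submitted from ZoneMinder's own page, a POST referred from another
# site, a POST with no Referer at all, and a harmless cross-site GET.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2020:09:12:01 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 5120 "https://cctv.example/zm/index.php" "Mozilla/5.0"
10.0.0.5 - - [10/Aug/2020:09:12:40 +0000] "POST /zm/index.php HTTP/1.1" 302 0 "https://cctv.example/zm/index.php?view=user&uid=0" "Mozilla/5.0"
10.0.0.5 - - [10/Aug/2020:09:15:03 +0000] "POST /zm/index.php HTTP/1.1" 302 0 "https://attacker.example/free-camera-deal.html" "Mozilla/5.0"
10.0.0.5 - - [10/Aug/2020:09:15:04 +0000] "POST /zm/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Aug/2020:09:16:10 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 5120 "https://attacker.example/" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_state_changing(entry):
    """Treat as state-changing any POST to the front controller and any request
    whose query string carries action=... (the summary does not fix the method)."""
    url = urlparse(entry["path"])
    if not url.path.startswith("/zm/index.php"):
        return False
    return entry["method"] == "POST" or "action" in parse_qs(url.query)

def suspicious_requests(log_text):
    """State-changing requests whose Referer is absent or from another host.
    Browsers send Referer on form submissions by default, so on a request that
    changes state an absent or foreign Referer is a CSRF indicator. Absent can
    also mean a privacy setting or a proxy stripping headers: triage, do not block."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or not is_state_changing(entry):
            continue
        ref_host = urlparse(entry["referer"]).hostname if entry["referer"] != "-" else None
        if ref_host == ZM_HOST:
            continue
        hits.append({"time": entry["time"], "ip": entry["ip"], "referer": entry["referer"],
                     "reason": "no-referer" if ref_host is None else "foreign-referer"})
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

On the sample data the genuine edit from cctv.example passes and the two forged POSTs are reported, one for a foreign Referer and one for none. The check is an indicator rather than proof: a proxy or browser privacy setting can strip Referer on legitimate traffic, so the hits belong in a triage queue correlated with new entries in the Users table, not in an automatic block rule.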