CVE-2022-30769 An attacker can poison a session cookie to the next logged-in user in ZoneMinder 1.36.12.

When a user accesses a certain page, the session cookie on their browser is poisoned and the attacker’s session is then logged in as the next user. Because the session is based on the IP address of the user, the fix for this is to change the IP address of the server. This can be done manually or by setting up a DNS wildcard for the server with a hostname similar to the server’s IP address. This can be done by adding a record like this to the DNS server: _set_host=127.0.0.1 If a DNS wildcard is used, the server should be updated to the DNS provider or the DNS servers. When using a provider with a hosting provider, update the DNS to the provider’s servers. When updating DNS to the provider’s servers, the DNS servers must be updated to the provider’s servers.

Disable SSL/TLS

The first thing to do is disable the SSL/TLS protocol. This is done by adding a line like this to the Apache configuration file: SSLProxyEngine on
Then register for any new certificates with an appropriate server certificate: SSLCertificateFile /path/to/certificate.crt SSLCertificateKeyFile /path/to/key.key

CVE-2023-30821

The following are DNS name changes that need to be done before the upgrade:
- Add a record like this to your DNS server: _set_host=127.0.0.1
- Update the DNS servers to the provider’s servers
- Update the DNS providers

DDoS Attack

: How to Fix
A DDoS attack is a type of distributed denial-of-service attack where an attacker sends many bogus requests to the target in an attempt to consume all available bandwidth and resources on the target server, causing it to become unavailable to legitimate users.
The fix for this is setting up a DNS wildcard for the server with a name similar to the server’s IP address. This can be done by adding a record like this to the DNS server: _set_host=127.0.0.1 If a DNS wildcard is used, the server should be updated to the DNS provider or the DNS servers. When using a provider with a hosting provider, update the DNS to the provider’s servers. When updating DNS to the provider’s servers, the DNS servers must be updated to the provider’s servers.

CVE-2023-30767

This vulnerability allows an attacker to open a fake browser window and change the URL that is opened. This can be done by changing the URL in the source code of a page, or by using javascript to modify the URL.

Timeline

Published on: 11/15/2022 22:15:00 UTC
Last modified on: 11/17/2022 05:21:00 UTC

References

• https://github.com/ZoneMinder/zoneminder/releases
• https://medium.com/@dk50u1/session-fixation-in-zoneminder-up-to-v1-36-12-3c850b1fbbf3
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30769