CVE-2024-45179 is an OS command injection vulnerability in za-internet's C-MOR Video Surveillance software, specifically versions 5.2401 and 6.00PL01. The root cause is insufficient input validation in the web interface scripts generatesslreq.pml, settimezone.pml, and setdatetime.pml. These scripts process HTTP POST parameters such as 'city' for generating X.509 certificates and 'year' for setting time zone or date/time. An attacker with low-privileged authenticated access can inject shell metacharacters into these parameters to execute arbitrary OS commands as the Linux user www-data. Administrative users can exploit additional scripts to execute commands, increasing the risk. Furthermore, if an attacker can chain this vulnerability with a privilege escalation flaw, they may achieve root-level command execution, fully compromising the device. The vulnerability is remotely exploitable over the network without user interaction, with a CVSS 3.1 score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). This indicates high confidentiality, integrity, and availability impact, with low attack complexity but requiring authenticated access. No patches or exploits are currently publicly available, but the risk is significant given the critical role of video surveillance systems in security infrastructure.

The impact of CVE-2024-45179 is substantial for organizations deploying the affected C-MOR Video Surveillance software. Successful exploitation can lead to arbitrary command execution on surveillance devices, potentially allowing attackers to manipulate video feeds, disable security monitoring, or exfiltrate sensitive data. The ability to escalate privileges to root further exacerbates the threat, enabling full system compromise, persistence, and lateral movement within networks. This undermines the integrity and availability of physical security systems, possibly leading to undetected intrusions or sabotage. Given the network-exposed nature of these devices, attackers can remotely exploit this vulnerability, increasing the risk of widespread attacks. Organizations relying on these surveillance systems for critical infrastructure protection, government facilities, or corporate security are particularly at risk, as compromise could facilitate espionage, sabotage, or physical security breaches.

To mitigate CVE-2024-45179, organizations should immediately restrict access to the C-MOR web interface to trusted networks and authenticated users only. Implement strict network segmentation and firewall rules to limit exposure. Apply any available vendor patches or updates as soon as they are released. In the absence of patches, consider disabling vulnerable functionalities such as certificate generation or time zone settings via the web interface. Conduct thorough input validation on all user-supplied data, especially parameters processed by generatesslreq.pml, settimezone.pml, and setdatetime.pml scripts. Monitor logs for unusual command execution patterns or unauthorized access attempts. Employ strong authentication and role-based access controls to minimize the number of users with administrative privileges. Additionally, investigate and remediate any privilege escalation vulnerabilities that could be chained with this injection flaw. Regularly audit and update device firmware and software to reduce attack surface. Finally, consider deploying intrusion detection systems capable of identifying command injection attempts targeting these devices.