Vulnerability Note VU#298796

Centreon contains multiple vulnerabilities

Original Release date: 17 Oct 2014 | Last revised: 17 Oct 2014

Overview

Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 contain multiple vulnerabilities.

Description

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') - CVE-2014-3829

Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 are vulnerable to command injection due to unsafe handling of the session_id and template_id variables in displayServiceStatus.php and insufficient filtering of the command_line variable. Special characters in these values reach the underlying operating system, which interprets them, allowing arbitrary commands to be injected.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2014-3828

Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 are vulnerable to SQL injection in the following PHP components:
http://server/centreon/include/views/graphs/common/makeXML_ListMetrics.php
http://server/centreon/include/views/graphs/GetXmlTree.php
http://server/centreon/include/views/graphs/graphStatus/displayServiceStatus.php
http://server/centreon/include/configuration/configObject/traps/GetXMLTrapsForVendor.php
http://server/centreon/include/common/javascript/commandGetArgs/cmdGetExample.php

Rapid7 reports that prior versions back to 2.0 may be affected. See the Rapid7 advisory for more details.
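
A log-review check for requests to the components listed above, as an added example that is not part of the original note or of Centreon's code. It assumes Apache combined-format access logs and assumed legitimate value shapes for session_id (PHP session identifier characters) and template_id (digits); the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Components named in this note, relative to the web root.
ENDPOINTS = {
    "/centreon/include/views/graphs/common/makeXML_ListMetrics.php",
    "/centreon/include/views/graphs/GetXmlTree.php",
    "/centreon/include/views/graphs/graphStatus/displayServiceStatus.php",
    "/centreon/include/configuration/configObject/traps/GetXMLTrapsForVendor.php",
    "/centreon/include/common/javascript/commandGetArgs/cmdGetExample.php",
}
# Assumed legitimate value shapes (not taken from the note). The note names
# these parameters for displayServiceStatus.php; checking them on the other
# listed components as well is an assumption.
ALLOWED = {
    "session_id": re.compile(r"[A-Za-z0-9,-]{1,128}"),
    "template_id": re.compile(r"[0-9]{1,10}"),
}
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_requests(lines):
    """Return (client, path, parameter) for each value outside its allowlist."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parsable access-log line
        client, target = m.groups()
        url = urlsplit(target)
        if url.path not in ENDPOINTS:
            continue
        # parse_qs percent-decodes values, so encoded metacharacters are seen.
        params = parse_qs(url.query, keep_blank_values=True)
        for name, pattern in ALLOWED.items():
            for value in params.get(name, []):
                if not pattern.fullmatch(value):
                    hits.append((client, url.path, name))
    return hits

# Constructed sample lines (documentation addresses, made-up values).
SAMPLE = [
    '192.0.2.10 - - [17/Oct/2014:10:00:00 +0000] "GET /centreon/include/views/graphs/graphStatus/displayServiceStatus.php?session_id=abc123&template_id=7 HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.66 - - [17/Oct/2014:10:00:05 +0000] "GET /centreon/include/views/graphs/graphStatus/displayServiceStatus.php?session_id=abc%27&template_id=7 HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.66 - - [17/Oct/2014:10:00:09 +0000] "GET /centreon/include/views/graphs/graphStatus/displayServiceStatus.php?template_id=7%3B HTTP/1.1" 200 128 "-" "-"',
    '192.0.2.10 - - [17/Oct/2014:10:00:12 +0000] "GET /centreon/index.php?template_id=7%3B HTTP/1.1" 200 128 "-" "-"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE):
        print(*hit)
```

Hits identify requests worth reviewing, not confirmed exploitation; POST bodies are not recorded in standard access logs and are outside what this check sees.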

Impact

A remote unauthenticated attacker may be able to execute arbitrary OS and SQL commands.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Vendor Information

Vendor    Status    Date Notified  Date Updated
Centreon  Affected  05 Sep 2014    15 Oct 2014

CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       8.1    E:POC/RL:U/RC:UC
Environmental  6.1    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to Tod Beardsley of Rapid7 for reporting this vulnerability and MaZ for the original vulnerability discovery.

This document was written by Chris King.

Other Information

  • CVE IDs: CVE-2014-3828 CVE-2014-3829
  • Date Public: 15 Oct 2014
  • Date First Published: 17 Oct 2014
  • Date Last Updated: 17 Oct 2014
  • Document Revision: 16
