search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Centreon contains multiple vulnerabilities

Vulnerability Note VU#298796

Original Release Date: 2014-10-17 | Last Revised: 2014-10-17

Overview

Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 contain multiple vulnerabilities.

Description

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') - CVE-2014-3829

Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 are vulnerable to command injection due to unsafe handling of session_id and template_id variables in displayServiceStatus.php and insufficient filtering on the command_line variable. The underlying operating system is then able to interpolate special characters, allowing for arbitrary commands to be injected.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2014-3828
Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 are vulnerable to SQL injection in the following php components:
http://server/centreon/include/views/graphs/common/makeXML_ListMetrics.php
http://server/centreon/include/views/graphs/GetXmlTree.php
http://server/centreon/include/views/graphs/graphStatus/displayServiceStatus.php
http://server/centreon/include/configuration/configObject/traps/GetXMLTrapsForVendor.php
http://server/centreon/include/common/javascript/commandGetArgs/cmdGetExample.php
http://server/centreon/include/views/graphs/graphStatus/displayServiceStatus.php

Rapid7 reports that prior versions back to 2.0 may be affected. See the Rapid7 advisory for more details.

Impact

A remote unauthenticated attacker may be able to execute arbitrary OS and SQL commands.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Vendor Information

298796
 
Affected   Unknown   Unaffected

Centreon

Notified:  September 05, 2014 Updated:  October 15, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 8.1 E:POC/RL:U/RC:UC
Environmental 6.1 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Tod Beardsley of Rapid7 for reporting this vulnerability and MaZ for the original vulnerability discovery.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2014-3828, CVE-2014-3829
Date Public: 2014-10-15
Date First Published: 2014-10-17
Date Last Updated: 2014-10-17 18:25 UTC
Document Revision: 16

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.