Vulnerability Note VU#298796
Centreon contains multiple vulnerabilities
Original Release date: 17 Oct 2014 | Last revised: 17 Oct 2014

Overview
Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 contain multiple vulnerabilities.

Description
CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’) – CVE-2014-3829
Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 are vulnerable to command injection due to unsafe handling of the session_id and template_id variables in displayServiceStatus.php and insufficient filtering of the command_line variable. Special characters in these values are interpolated by the underlying operating system, allowing arbitrary commands to be injected.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) – CVE-2014-3828
Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 are vulnerable to SQL injection in the following PHP components:
http://server/centreon/include/views/graphs/common/makeXML_ListMetrics.php
http://server/centreon/include/views/graphs/GetXmlTree.php
http://server/centreon/include/views/graphs/graphStatus/displayServiceStatus.php
http://server/centreon/include/configuration/configObject/traps/GetXMLTrapsForVendor.php
http://server/centreon/include/common/javascript/commandGetArgs/cmdGetExample.php

Rapid7 reports that prior versions back to 2.0 may be affected. See the Rapid7 advisory for more details.
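
Since no fix is listed, one thing an operator can do is review web-server access logs for requests to the components listed above. The following is an added example, not part of this note and not Centreon or Rapid7 code. It assumes the Apache/nginx "combined" log format, that session_id and template_id arrive as query-string parameters, and that legitimate values fit the allowlists shown; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint paths taken from the component list in this note.
AFFECTED_PATHS = {
    "/centreon/include/views/graphs/common/makeXML_ListMetrics.php",
    "/centreon/include/views/graphs/GetXmlTree.php",
    "/centreon/include/views/graphs/graphStatus/displayServiceStatus.php",
    "/centreon/include/configuration/configObject/traps/GetXMLTrapsForVendor.php",
    "/centreon/include/common/javascript/commandGetArgs/cmdGetExample.php",
}

# Assumption: legitimate values are short session tokens (session_id) or
# decimal integers (template_id); other parameters get a generic allowlist.
ALLOWED = {
    "session_id": re.compile(r"[A-Za-z0-9,-]{1,128}"),
    "template_id": re.compile(r"[0-9]{1,10}"),
}
DEFAULT_ALLOWED = re.compile(r"[A-Za-z0-9_.,:-]{0,128}")

# Client address and request target of a "combined" format log entry.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

def review(lines):
    """Return (client, path, parameter) for each out-of-policy value."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if url.path not in AFFECTED_PATHS:
            continue
        # parse_qsl percent-decodes each value before it is checked.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if not ALLOWED.get(name, DEFAULT_ALLOWED).fullmatch(value):
                findings.append((client, url.path, name))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [17/Oct/2014:10:00:00 +0000] "GET /centreon/include/views/graphs/graphStatus/displayServiceStatus.php?session_id=abc123&template_id=7 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.5 - - [17/Oct/2014:10:00:05 +0000] "GET /centreon/include/views/graphs/graphStatus/displayServiceStatus.php?session_id=abc%27x&template_id=7%3Bx HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.5 - - [17/Oct/2014:10:00:09 +0000] "GET /centreon/index.php?p=1%27 HTTP/1.1" 200 90 "-" "-"',
]
```

Calling `review(SAMPLE)` flags both parameters of the second request only. Access logs normally omit POST bodies, so parameters sent that way are not covered by this check.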

Impact
A remote unauthenticated attacker may be able to execute arbitrary OS and SQL commands.

Solution
The CERT/CC is currently unaware of a practical solution to this problem.

Vendor Information

Vendor | Status | Date Notified | Date Updated
Centreon | Affected | 05 Sep 2014 | 15 Oct 2014

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal | 8.1 | E:POC/RL:U/RC:UC
Environmental | 6.1 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

http://www.centreon.com/Content-products/it-infrastructure-and-application-monitoring-centreon
http://cwe.mitre.org/data/definitions/89.html
http://cwe.mitre.org/data/definitions/77.html
http://seclists.org/fulldisclosure/2014/Oct/78

Credit

Thanks to Tod Beardsley of Rapid7 for reporting this vulnerability and MaZ for the original vulnerability discovery.
This document was written by Chris King.

Other Information

CVE IDs: CVE-2014-3828, CVE-2014-3829
Date Public: 15 Oct 2014
Date First Published: 17 Oct 2014
Date Last Updated: 17 Oct 2014
Document Revision: 16

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.
