CVE-2018-21024

9.8 CRITICAL

📋 TL;DR

CVE-2018-21024 is an unrestricted file upload vulnerability in Centreon Web's licenseUpload.php that allows attackers to upload arbitrary files via POST requests. This affects Centreon Web installations before version 2.8.27 and could lead to remote code execution. Organizations using vulnerable Centreon Web versions for IT monitoring are at risk.

💻 Affected Systems

Products:
  • Centreon Web
Versions: All versions before 2.8.27
Operating Systems: Linux (Centreon typically runs on CentOS/RHEL)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations with the license upload functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Webshell upload enabling persistent backdoor access, file system manipulation, and potential privilege escalation.

🟢 If Mitigated

File upload attempts are blocked or logged, preventing successful exploitation while maintaining monitoring functionality.

🌐 Internet-Facing: HIGH - Directly accessible web interface with unauthenticated exploitation capability.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to authenticated or network-accessible attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A simple HTTP POST request carrying a file upload; according to the references, no authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.27 and later

Vendor Advisory: https://github.com/centreon/centreon/pull/7085

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Update Centreon Web to version 2.8.27 or later via the package manager.
3. Restart the web service (Apache/Nginx).
4. Verify functionality.

🔧 Temporary Workarounds

Disable licenseUpload.php

Remove or restrict access to the vulnerable PHP file. This also disables the license upload feature until the patch is applied, and a package update may put the file back, so re-check after upgrading:

mv /usr/share/centreon/www/include/configuration/configObject/license/licenseUpload.php /usr/share/centreon/www/include/configuration/configObject/license/licenseUpload.php.disabled

Web server file restriction

Add web server rules to block access to licenseUpload.php:

# Apache: Add to .htaccess or virtual host config
<Files "licenseUpload.php">
    Order allow,deny
    Deny from all
</Files>
# Nginx: Add to server block
location ~ /licenseUpload\.php$ {
    deny all;
    return 403;
}

Note that "Order allow,deny" / "Deny from all" is Apache 2.2 access-control syntax; on Apache 2.4 use "Require all denied" inside the same <Files> block, and a .htaccess rule only takes effect where AllowOverride permits it. In Nginx, regular-expression locations are matched in order of appearance, so this location must appear before the generic "\.php$" location that hands requests to PHP-FPM, otherwise the upload script is still executed.

🧯 If You Can't Patch

  • Implement strict web application firewall (WAF) rules to block file uploads to licenseUpload.php
  • Monitor file system changes in Centreon web directory and alert on new PHP file creation

🔍 How to Verify

Check if Vulnerable:

Check the Centreon Web version with grep 'version' /etc/centreon/centreon.conf.php or in the web interface footer. If the version is lower than 2.8.27, the system is vulnerable.

Check Version:

grep "\$version" /etc/centreon/centreon.conf.php | head -1

Verify Fix Applied:

Confirm that the version is 2.8.27 or later and that a request to /centreon/include/configuration/configObject/license/licenseUpload.php returns 403 or 404 (file not found).

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to licenseUpload.php
  • New PHP files in web directories
  • Web server error logs showing file upload attempts

Network Indicators:

  • POST requests with file upload content to Centreon web paths
  • Unusual outbound connections from Centreon server

SIEM Query:

source="apache_access" AND uri="*licenseUpload.php*" AND method="POST"
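The SIEM query above, as an added example that is not part of the original advisory or of Centreon's own code: a Python script that applies the same POST-to-licenseUpload.php match to Apache combined-format access log lines (constructed samples, not real traffic) and uses the HTTP status to separate uploads the server accepted from ones the workaround blocked.

```python
import re

# Apache "combined" format: ip ident user [time] "method uri proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (not real traffic); the last one is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2019:14:02:11 +0000] "GET /centreon/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2019:14:02:15 +0000] "POST /centreon/include/configuration/configObject/license/licenseUpload.php HTTP/1.1" 200 231 "-" "python-requests/2.21.0"
198.51.100.7 - - [10/Mar/2019:14:03:02 +0000] "GET /centreon/include/configuration/configObject/license/licenseUpload.php HTTP/1.1" 403 199 "-" "curl/7.64.0"
198.51.100.7 - - [10/Mar/2019:14:03:09 +0000] "POST /centreon/include/configuration/configObject/license/licenseUpload.php?x=1 HTTP/1.1" 403 199 "-" "curl/7.64.0"
garbage line that does not parse
"""

def find_upload_attempts(log_text):
    """Return one record per POST to licenseUpload.php, in log order.
    verdict: 'accepted' for 2xx (upload processed, treat as probable compromise),
    'blocked' for 403/404 (workaround or patch held), 'other' for anything else."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format instead of crashing
        path = m.group("uri").split("?", 1)[0]  # drop any query string before matching
        if m.group("method") != "POST" or not path.endswith("/licenseUpload.php"):
            continue
        status = int(m.group("status"))
        if status in (403, 404):
            verdict = "blocked"
        elif 200 <= status < 300:
            verdict = "accepted"
        else:
            verdict = "other"
        hits.append({"ip": m.group("ip"), "time": m.group("ts"), "status": status,
                     "user_agent": m.group("ua"), "verdict": verdict})
    return hits

def accepted_sources(hits):
    """Client IPs whose upload was accepted: the hosts to investigate first."""
    return sorted({h["ip"] for h in hits if h["verdict"] == "accepted"})

if __name__ == "__main__":
    for h in find_upload_attempts(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} status={h["status"]} {h["verdict"]} ua="{h["user_agent"]}"')
```

Feed the script a real access log (cat access.log | python3 - or by replacing SAMPLE_LOG) and pair any "accepted" hit with the new-PHP-file file system check listed above.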
