CVE-2019-17643
📋 TL;DR
This vulnerability in Centreon monitoring software allows unauthenticated attackers to access sensitive information via a direct request to a specific PHP file. It affects Centreon versions before the patched releases, potentially exposing host and service data to unauthorized parties.
💻 Affected Systems
- Centreon
📦 What is this software?
Centreon by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Attackers could obtain detailed information about monitored infrastructure including host configurations, service dependencies, and network topology, enabling further targeted attacks.
Likely Case
Unauthenticated information disclosure revealing internal monitoring data that could be used for reconnaissance or planning additional attacks.
If Mitigated
No impact if proper network segmentation and authentication controls prevent access to the vulnerable endpoint.
🎯 Exploit Status
Simple HTTP GET request to the vulnerable endpoint can retrieve sensitive XML data without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8-30, 18.10-8, 19.04-5, or 19.10-2 depending on your version
Vendor Advisory: https://documentation.centreon.com/docs/centreon/en/latest/release_notes/
Restart Required: Yes
Instructions:
1. Identify your Centreon version.
2. Upgrade to the appropriate patched version from the release notes.
3. Restart Centreon services.
4. Verify the fix.
🔧 Temporary Workarounds
Block direct access to vulnerable file
Use web server configuration to block access to the specific vulnerable PHP file.
# For Apache 2.4: Add to .htaccess or virtual host config
# (on Apache 2.2, use "Order deny,allow" / "Deny from all" instead of "Require all denied")
<Files "GetXMLHost4Services.php">
Require all denied
</Files>
# For Nginx: Add to server block
location ~ /include/monitoring/recurrentDowntime/GetXMLHost4Services\.php$ {
deny all;
return 403;
}
🧯 If You Can't Patch
- Implement network-level access controls to restrict access to Centreon web interface to trusted IPs only
- Deploy a web application firewall (WAF) with rules to block requests to the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://[centreon-server]/centreon/include/monitoring/recurrentDowntime/GetXMLHost4Services.php without authentication. If it returns XML data with host/service information, the system is vulnerable.
Check Version:
# On Centreon server
rpm -qa | grep centreon-web
# Or check Centreon web interface admin panel
Verify Fix Applied:
After patching, attempt the same access and verify you receive an authentication prompt or error instead of XML data.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to GET requests for /include/monitoring/recurrentDowntime/GetXMLHost4Services.php without preceding authentication logs
Network Indicators:
- Unusual XML data being transmitted from Centreon server to unauthenticated clients
SIEM Query:
web_access_logs status=200 AND uri="*GetXMLHost4Services.php" AND NOT (user_agent="*monitoring*" OR authenticated_user=*)
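As an added example (not part of the original advisory or Centreon's own tooling), the log indicator above can be applied offline to an Apache combined-format access log: flag 200 responses to the vulnerable endpoint from client IPs that never POSTed to the Centreon login page earlier in the same log. The log lines are constructed samples, and the assumption that a login is a POST to /centreon/index.php is a heuristic, not something the advisory states; a real deployment should confirm its own login path and session logging.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2019:09:01:10 +0000] "POST /centreon/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2019:09:01:15 +0000] "GET /centreon/include/monitoring/recurrentDowntime/GetXMLHost4Services.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Oct/2019:09:02:00 +0000] "GET /centreon/include/monitoring/recurrentDowntime/GetXMLHost4Services.php HTTP/1.1" 200 5120 "-" "curl/7.64.0"
198.51.100.23 - - [12/Oct/2019:09:02:01 +0000] "GET /centreon/include/monitoring/recurrentDowntime/GetXMLHost4Services.php?sid=x HTTP/1.1" 200 5120 "-" "curl/7.64.0"
203.0.113.9 - - [12/Oct/2019:09:03:00 +0000] "GET /centreon/include/monitoring/recurrentDowntime/GetXMLHost4Services.php HTTP/1.1" 403 199 "-" "python-requests/2.22"
"""

# Apache combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoint named in the advisory; LOGIN_PATH is an assumed login URL (heuristic).
ENDPOINT = "/include/monitoring/recurrentDowntime/GetXMLHost4Services.php"
LOGIN_PATH = "/centreon/index.php"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string
    return entry


def find_unauthenticated_hits(log_text):
    """Return entries where the vulnerable endpoint answered 200 to a client IP
    that had no earlier (assumed) login POST in this log."""
    logged_in = set()
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"] == LOGIN_PATH and e["status"] in (200, 302):
            logged_in.add(e["ip"])
        elif e["path"].endswith(ENDPOINT) and e["status"] == 200 and e["ip"] not in logged_in:
            hits.append(e)
    return hits


def summarize_by_ip(hits):
    """Count flagged requests per client IP for a quick triage view."""
    counts = {}
    for e in hits:
        counts[e["ip"]] = counts.get(e["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_unauthenticated_hits(SAMPLE_LOG)
    for e in flagged:
        print(f'{e["ts"].isoformat()} {e["ip"]} {e["ua"]} -> {e["status"]} {e["path"]}')
    print(summarize_by_ip(flagged))
```

The IP-based session heuristic is deliberately coarse: a 403 (as produced by the workaround above) is not flagged, and a client that logged in earlier is treated as authenticated. Tuning it against real Centreon login logging, or correlating with the application's own session table, is what the SIEM query above does in a production pipeline.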
🔗 References
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10.html#centreon-web-18-10-8
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04.html#centreon-web-19-04-5
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.10.html#centreon-web-19-10-2
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8.html#centreon-web-2-8-30