CVE-2019-17646
📋 TL;DR
This vulnerability in Centreon monitoring software allows unauthenticated attackers to access sensitive information via a direct API request. It affects Centreon versions before 18.10.8, 19.04.5, and 19.10.2, exposing potentially confidential monitoring data to unauthorized users.
💻 Affected Systems
- Centreon
📦 What is this software?
Centreon by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Attackers could obtain sensitive monitoring data, service metrics, and infrastructure details that could be used for further attacks or reconnaissance.
Likely Case
Unauthorized access to monitoring metrics and service information, potentially revealing internal system architecture and performance data.
If Mitigated
Limited to no impact if proper network segmentation and authentication controls are implemented.
🎯 Exploit Status
Simple HTTP GET request to the vulnerable endpoint without authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.10.8, 19.04.5, or 19.10.2
Vendor Advisory: https://documentation.centreon.com/docs/centreon/en/latest/release_notes/
Restart Required: Yes
Instructions:
1. Back up your Centreon configuration and database.
2. Update to the patched version (18.10.8, 19.04.5, or 19.10.2).
3. Restart Centreon services.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the Centreon API endpoint using firewall rules or network segmentation.
# Replace trusted_network with your management CIDR (e.g. 10.0.0.0/8).
# Rules are appended in order: ACCEPT for the trusted source first, then DROP for everyone else.
# Note that the DROP rules also block the Centreon web UI for all other sources.
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Web Server Configuration
Block the vulnerable API endpoint via web server configuration. The rule below returns 403 Forbidden for every request to /api/external.php, so it also blocks legitimate API clients until the patch is applied.
# Add to Apache .htaccess or virtual host config (mod_rewrite must be enabled)
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/api/external\.php
RewriteRule .* - [F,L]
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Centreon from untrusted networks
- Deploy a web application firewall (WAF) with rules to block unauthenticated access to /api/external.php
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://[centreon-server]/api/external.php?object=centreon_metric&action=listByService without authentication. If it returns data, the system is vulnerable.
Check Version:
rpm -qa | grep centreon-web
Alternatively, check the version shown in the Centreon web interface.
Verify Fix Applied:
After patching, attempt the same request. It should return an authentication error or no data.
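The version check above can be automated for fleets of hosts. The following is an added example (not code from the advisory or from the Centreon project) that parses the package version out of `rpm -qa` output and compares it against the three fixed releases named above. It assumes that branches older than 18.10 have no fix and are treated as vulnerable, and that branches newer than 19.10 already carry the fix; both are assumptions, not statements from the advisory.

```python
import re

# Fixed releases per branch, as stated in the advisory.
FIXED_VERSIONS = {
    (18, 10): (18, 10, 8),
    (19, 4): (19, 4, 5),
    (19, 10): (19, 10, 2),
}


def parse_version(text):
    """Extract the first x.y.z version from free text such as an rpm package
    name ('centreon-web-19.04.3-1.el7.noarch'). Returns a tuple of ints or
    None when no version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the version is below the fixed release of its branch.
    Assumption: branches older than 18.10 are vulnerable (no fix listed),
    branches newer than 19.10 are fixed."""
    major, minor, _patch = version
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[branch]
    return branch < (18, 10)


def classify_rpm_output(lines):
    """Map each `rpm -qa | grep centreon-web` line to a verdict string."""
    results = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        version = parse_version(line)
        if version is None:
            results[line] = "unknown"
        else:
            results[line] = "vulnerable" if is_vulnerable(version) else "fixed"
    return results


if __name__ == "__main__":
    # Constructed sample output, not taken from a real host.
    sample = ["centreon-web-19.04.3-1.el7.noarch", "centreon-web-18.10.8-3.el7.noarch"]
    for pkg, verdict in classify_rpm_output(sample).items():
        print(f"{pkg}: {verdict}")
```

Feed it the real `rpm -qa | grep centreon-web` output, one line per host, and treat any "unknown" verdict as a prompt to check the web interface version manually.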
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /api/external.php endpoint
- Multiple failed authentication attempts followed by successful unauthenticated API calls
Network Indicators:
- Unusual traffic to /api/external.php from untrusted sources
- GET requests to the vulnerable endpoint without authentication headers
SIEM Query:
source="centreon_access.log" AND uri="/api/external.php" AND (NOT auth_status="authenticated")
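Apache's default combined log format carries no authentication field, so the SIEM query above only works once the log has been enriched. The following is an added example (not code from the advisory or from Centreon) of the same detection logic applied directly to raw access log lines: it flags requests to /api/external.php from sources outside a trusted range and records whether the server answered with data (HTTP 200) or blocked the request. The trusted range 10.0.0.0/8 and the sample log lines are constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.1.15 - - [12/Dec/2019:10:01:02 +0000] "GET /main.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.1.15 - - [12/Dec/2019:10:01:05 +0000] "GET /api/external.php?object=centreon_metric&action=listByService HTTP/1.1" 200 8213 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2019:10:02:11 +0000] "GET /api/external.php?object=centreon_metric&action=listByService HTTP/1.1" 200 8213 "-" "curl/7.64.0"
203.0.113.7 - - [12/Dec/2019:10:02:12 +0000] "GET /api/external.php?object=centreon_metric&action=listByService&ids=1 HTTP/1.1" 200 2048 "-" "curl/7.64.0"
198.51.100.9 - - [12/Dec/2019:10:03:30 +0000] "GET /api/external.php?object=centreon_metric&action=listByService HTTP/1.1" 403 199 "-" "python-requests/2.22.0"
"""

# Assumption for the example: the monitoring team's networks live in 10.0.0.0/8.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_external_api(uri):
    """True for any request path hitting the vulnerable endpoint."""
    return "/api/external.php" in uri


def find_untrusted_api_hits(log_text, trusted=TRUSTED_NETS):
    """Return records for requests to /api/external.php whose source address is
    outside every trusted network. served_data marks a 200 with a body, i.e.
    the case where the unauthenticated request actually returned data."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_external_api(rec["uri"]):
            continue
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # skip hostnames or malformed addresses
        if any(addr in net for net in trusted):
            continue
        rec["served_data"] = rec["status"] == 200 and rec["size"] > 0
        hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per (source IP, served_data) so analysts see who got data."""
    return Counter((h["ip"], h["served_data"]) for h in hits)


if __name__ == "__main__":
    for (ip, served), n in summarize(find_untrusted_api_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {n} request(s) to /api/external.php, data returned={served}")
```

Run it over the real access log (`find_untrusted_api_hits(open(path).read())`) after setting TRUSTED_NETS to your own ranges; a 200 from an untrusted source on a pre-patch version is the indicator of disclosure, while 403s show the web server workaround above is working.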
🔗 References
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10.html#centreon-web-18-10-8
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04.html#centreon-web-19-04-5
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.10.html#centreon-web-19-10-2
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.10/index.html
- https://github.com/centreon/centreon/pull/8021