CVE-2019-17647

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in the Centreon monitoring platform lets an attacker who can reach the web interface inject arbitrary SQL through the instance parameter of include/monitoring/status/Hosts/xml/hostXML.php. Affected releases are Centreon versions before 2.8.30, 18.10.8, 19.04.5 and 19.10.2 on their respective branches. Successful exploitation exposes the Centreon database (monitoring data, stored credentials and configuration) and, depending on database privileges, can lead to takeover of the monitoring server and onward compromise of the network.

💻 Affected Systems

Products:
  • Centreon
Versions: Versions before 2.8.30, 18.10.8, 19.04.5, and 19.10.2
Operating Systems: Linux (CentOS, RHEL, Ubuntu)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default installations of vulnerable Centreon versions. The vulnerable file is part of the standard web interface.

📦 What is this software?

Centreon is an open-source IT infrastructure monitoring platform (originally built around the Nagios engine) with a PHP web interface backed by a MySQL/MariaDB database. hostXML.php is one of the XML endpoints that the web UI's host status view polls to build its host listing, which is why it accepts filter parameters such as instance directly from the request.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full read/write access to the Centreon database, including stored credentials and configuration, leading to takeover of the monitoring server, data exfiltration, and lateral movement to the systems it monitors.

🟠 Likely Case: Unauthorized database reads allowing extraction of sensitive monitoring data, credentials, and configuration information.

🟢 If Mitigated: Limited impact once the patched release is installed; a WAF rule on the instance parameter and network segmentation of the console reduce exposure in the meantime.

🌐 Internet-Facing: HIGH where the Centreon web interface is reachable from the Internet (monitoring consoles are often exposed for remote operations access, and hostXML.php is served from the standard web root).
🏢 Internal Only: HIGH for anyone who can reach the web interface, since exploitation needs only an HTTP request with a crafted instance parameter plus whatever session the endpoint requires.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No
Complexity: LOW

SQL injection via a single URL parameter requires minimal technical skill, and public write-ups and scanners make it point-and-shoot. The endpoint is part of the logged-in web interface; authentication may be required depending on configuration, so assume that any account able to log in to the console can exploit it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.30, 18.10.8, 19.04.5, or 19.10.2 (whichever matches the branch you run)

Vendor Advisory: https://documentation.centreon.com/docs/centreon/en/latest/release_notes/

Restart Required: Yes

Instructions:

1. Back up the Centreon configuration (/etc/centreon) and the centreon and centreon_storage databases.
2. Update to the patched release for your branch using the official Centreon update procedure.
3. Restart the Centreon services (web server, PHP-FPM and the Centreon daemons).
4. Verify the fix by checking the installed version against the patched versions above and confirming the host status view still works.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

Platform: all

Deploy a WAF rule that inspects the instance parameter of requests to hostXML.php. Note that hostXML.php is polled continuously by every open Centreon session, so the rule must key on the parameter contents, not on the path, or it will block the UI.

# Chain on the file name so the rule only fires for hostXML.php; @detectSQLi (libinjection) needs ModSecurity 2.9+ or 3.x.
SecRule REQUEST_FILENAME "@endsWith /hostXML.php" "id:1001,phase:2,deny,status:403,log,msg:'CVE-2019-17647 SQLi probe in instance parameter',chain"
    SecRule ARGS:instance "@detectSQLi"

File Access Restriction

Platform: linux

Temporarily take the vulnerable endpoint out of service. This breaks the host status view in the Centreon web UI (which polls hostXML.php) until the file is restored, so it is a stop-gap, not a fix. The path below is the default for RPM installs on CentOS/RHEL; adjust it if Centreon lives elsewhere, and restore the file (or its original permissions) once the patched package is installed.

# Rename the vulnerable file so the web server returns 404 for it:
mv /usr/share/centreon/www/include/monitoring/status/Hosts/xml/hostXML.php /usr/share/centreon/www/include/monitoring/status/Hosts/xml/hostXML.php.disabled
# Or strip all permissions so the PHP process (running as the web server user, not root) cannot read it:
chmod 000 /usr/share/centreon/www/include/monitoring/status/Hosts/xml/hostXML.php

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Centreon servers from critical systems.
  • Deploy intrusion detection systems (IDS) to monitor for SQL injection attempts against Centreon endpoints.

🔍 How to Verify

Check if Vulnerable:

Compare the installed version with the patched release for its branch: 2.8.x below 2.8.30, 18.10.x below 18.10.8, 19.04.x below 19.04.5, and 19.10.x below 19.10.2 are vulnerable, as is any older branch that never received a fix. Only send SQL injection test payloads to the endpoint in a controlled test environment, never against production.

Check Version:

rpm -q centreon-web   # RPM installs; on Debian/Ubuntu use: dpkg -s centreon-web | grep ^Version
mysql -u centreon -p centreon -N -e "SELECT value FROM informations WHERE \`key\`='version'"   # version recorded in the centreon database
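Because Centreon numbers releases per branch, a plain numeric comparison gets this wrong (18.10.7 sorts after 2.8.30 but is still vulnerable). The following Python helper, an added example rather than Centreon tooling, maps a version string (as printed by rpm -q centreon-web or read from the database) to its branch and compares it with the fix release for that branch. Two assumptions are this example's own: a branch older than 19.10 that has no listed fix (such as an end-of-life 18.04.x) is treated as vulnerable, and any branch newer than 19.10 is treated as fixed.

```python
"""Branch-aware version check for CVE-2019-17647.

Added example, not Centreon tooling. Centreon versions are per branch
(2.8.x, 18.10.x, 19.04.x, 19.10.x), so '18.10.7' is numerically newer than
'2.8.30' yet still vulnerable; compare within the branch, not globally.
"""
import re

# Earliest fixed release on each branch, from the advisory.
FIXED_VERSIONS = {
    (2, 8): (2, 8, 30),
    (18, 10): (18, 10, 8),
    (19, 4): (19, 4, 5),
    (19, 10): (19, 10, 2),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from a bare version ('19.04.4'), a package
    name ('centreon-web-19.04.4-4.el7.centos.noarch') or a DB value ('2.8.29').
    Package release suffixes such as '-4.el7' are ignored."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Centreon version found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(text: str) -> bool:
    """True if the version falls before the fix release of its branch.

    Assumptions of this example: a branch with no listed fix that is older
    than 19.10 (e.g. an end-of-life 18.04.x) never got the patch and counts
    as vulnerable; any branch newer than 19.10 shipped after the fix.
    """
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[branch]
    return branch < max(FIXED_VERSIONS)


if __name__ == "__main__":
    # Typical inputs: output of `rpm -q centreon-web`, or the 'version' row of
    # the informations table in the centreon database.
    for sample in ("centreon-web-19.04.4-4.el7.centos.noarch", "2.8.30",
                   "18.10.7", "19.10.2", "20.04.0"):
        print(f"{sample:45} vulnerable={is_vulnerable(sample)}")
```

Feed it the raw rpm or dpkg output; the regex picks the first dotted version it finds, so the package name and release suffix do not need stripping first.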

Verify Fix Applied:

Confirm the installed version is at or above the patched release for its branch. If you re-test the endpoint, do it from a test environment: a patched install returns the normal host status XML for a well-formed instance value and no longer reflects injected SQL in its responses or raises SQL errors in the logs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs (the MySQL/MariaDB general log is off by default; enable it temporarily while investigating)
  • Multiple requests to hostXML.php with suspicious parameters, in particular a non-numeric instance value
  • PHP or database error logs showing SQL syntax errors triggered from hostXML.php

Network Indicators:

  • HTTP requests to /include/monitoring/status/Hosts/xml/hostXML.php with SQL keywords in parameters (usually URL-encoded, e.g. UNION%20SELECT or %27)
  • Unusual database connection patterns from web server

SIEM Query:

source="apache_access" AND uri="/include/monitoring/status/Hosts/xml/hostXML.php" AND (query="*UNION*" OR query="*SELECT*" OR query="*OR 1=1*")

The field names (source, uri, query) are placeholders to map onto your own log schema. URL-decode the query string before matching, since payloads normally arrive encoded, and remember that hostXML.php is polled continuously by every open Centreon session, so alert on the parameter contents rather than on the path alone.
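To turn the indicators above into something you can run over an access log, here is a Python script (an added example, not Centreon code and not part of the original page) that parses Apache combined-format lines, URL-decodes the query string, and flags hostXML.php requests whose instance parameter is not a plain integer or that carry SQL fragments. The sample log lines are constructed for the example, and the assumption that a legitimate instance value is an integer poller id (or -1) is this example's, not the page's.

```python
"""Flag CVE-2019-17647 probes in Apache access logs.

Added example (not Centreon code). Parses Apache combined-format lines,
URL-decodes the query string and reports hostXML.php requests whose
'instance' parameter is not a plain integer or that carry SQL fragments.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "/include/monitoring/status/Hosts/xml/hostXML.php"

# Apache combined log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption of this example: a legitimate instance value is an integer
# poller id, or -1 meaning "all pollers".
LEGIT_INSTANCE_RE = re.compile(r"^-?\d+$")

# The page's indicators (UNION/SELECT/OR 1=1) plus quote, comment and
# time-based blind fragments, matched after URL decoding.
SQLI_RE = re.compile(
    r"union\s+select|\bselect\b|\bor\b\s+\d+\s*=\s*\d+|'|--|/\*"
    r"|\bsleep\s*\(|\bbenchmark\s*\(",
    re.IGNORECASE,
)


def analyse_line(line: str):
    """Return None for benign lines, else a dict describing the request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(TARGET_PATH):
        return None
    # parse_qs percent-decodes values; decode the raw string too so that
    # keyword matching sees 'UNION SELECT' rather than 'UNION%20SELECT'.
    params = parse_qs(parts.query, keep_blank_values=True)
    decoded = unquote_plus(parts.query)
    reasons = []
    for value in params.get("instance", []):
        if not LEGIT_INSTANCE_RE.match(value):
            reasons.append(f"non-integer instance={value!r}")
    if SQLI_RE.search(decoded):
        reasons.append("SQL fragment in query string")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "status": m.group("status"),
        "query": decoded,
        "reasons": reasons,
    }


def scan(lines):
    """Run analyse_line over an iterable of log lines, returning the hits."""
    return [hit for hit in map(analyse_line, lines) if hit]


# Constructed sample log (not real traffic). hostXML.php is polled by every
# open Centreon session, so a legitimate request looks like the first line.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2019:10:01:02 +0000] "GET /centreon/include/monitoring/status/Hosts/xml/hostXML.php?instance=-1&search=&num=0&limit=20&sort_type=host_name&order=ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Nov/2019:10:05:44 +0000] "GET /centreon/include/monitoring/status/Hosts/xml/hostXML.php?instance=1%20UNION%20SELECT%201,user(),3--&num=0 HTTP/1.1" 200 812 "-" "python-requests/2.22.0"',
    '198.51.100.7 - - [12/Nov/2019:10:06:10 +0000] "GET /centreon/include/monitoring/status/Hosts/xml/hostXML.php?instance=1%20AND%20SLEEP(5)&num=0 HTTP/1.1" 200 640 "-" "curl/7.64.0"',
    '10.0.0.5 - - [12/Nov/2019:10:07:31 +0000] "GET /centreon/main.php?p=20202&o=h&search=SELECT HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [12/Nov/2019:10:08:00 +0000] "GET /centreon/include/monitoring/status/Hosts/xml/hostXML.php?instance=3&num=0&limit=50 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} "
              f"{'; '.join(hit['reasons'])}")
```

The non-integer instance check is the higher-fidelity signal: keyword matching alone will also fire on legitimate free-text search values, so when triaging, weight hits that carry both reasons over keyword-only ones.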
