CVE-2019-19487
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands on Centreon monitoring servers via command injection in the minPlayCommand.php file. Attackers can achieve remote code execution by manipulating plugin test parameters. Affects Centreon users running versions 19.04.4 and below.
💻 Affected Systems
- Centreon
📦 What is this software?
Centreon by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attacker to execute arbitrary commands with web server privileges, potentially leading to lateral movement, data exfiltration, or complete system takeover.
Likely Case
Remote code execution allowing attacker to install malware, create backdoors, or disrupt monitoring operations.
If Mitigated
Limited impact if proper input validation and command sanitization are implemented, restricting attacker to web server user privileges only.
🎯 Exploit Status
Exploit requires web access to Centreon interface but no authentication. Public technical details available in referenced articles.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 19.04.5 and above
Vendor Advisory: https://github.com/centreon/centreon/releases
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Update Centreon to version 19.04.5 or later.
3. Restart Centreon services.
4. Verify patch application.
🔧 Temporary Workarounds
Disable plugin testing functionality
Temporarily disable the vulnerable plugin test feature until patching can be completed.
# Remove or restrict access to minPlayCommand.php
mv /usr/share/centreon/www/include/configuration/configObject/command/minPlayCommand.php /usr/share/centreon/www/include/configuration/configObject/command/minPlayCommand.php.disabled
Implement input validation WAF rules
Add web application firewall rules to block suspicious command injection patterns.
# Example mod_security rule (matches every request parameter, so expect false positives; test in detection-only mode first)
SecRule ARGS "[;|&`$()]" "phase:2,deny,id:1001,msg:'Command injection attempt'"
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Centreon servers from critical systems
- Deploy host-based intrusion detection and monitor for suspicious command execution patterns
🔍 How to Verify
Check if Vulnerable:
Check the Centreon version: grep 'version' /etc/centreon/centreon.conf or via the web interface. If the version is 19.04.4 or below, the system is vulnerable.
Check Version:
grep 'version' /etc/centreon/centreon.conf 2>/dev/null || echo 'Check web interface: Administration > Parameters > Centreon > Version'
Verify Fix Applied:
Verify version is 19.04.5 or higher and test plugin functionality with safe inputs to ensure proper input validation.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in Centreon logs
- Multiple failed plugin test attempts
- Suspicious characters (; | & ` $) in HTTP requests
Network Indicators:
- Unusual outbound connections from Centreon server
- HTTP requests with command injection patterns to minPlayCommand.php
SIEM Query:
source="centreon.log" AND ("minPlayCommand.php" OR "command injection" OR "suspicious characters in request")
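The log indicators above as a triage script, added here as an example (not Centreon's or this page's own code): it scans combined-format access log lines for requests to minPlayCommand.php whose URL-decoded parameter values contain the listed metacharacters. The URL path, the `arg` parameter name and the sample lines are constructed assumptions; parameters sent in a POST body do not appear in access logs and need WAF or audit logging instead.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Characters from the page's log indicators and mod_security rule.
METACHARS = set(";|&`$()")
TARGET = "/minPlayCommand.php"
# Apache/Nginx "combined" format: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation IPs, hypothetical "arg" parameter).
_P = "/centreon/include/configuration/configObject/command/minPlayCommand.php"
_T = "[12/Dec/2019:10:01:02 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {_T} "GET /centreon/main.php?p=60801 HTTP/1.1" 200 5120',
    f'192.0.2.10 - - {_T} "GET {_P}?arg=check_ping HTTP/1.1" 200 312',
    f'198.51.100.7 - - {_T} "GET {_P}?arg=check_ping%3Becho%20test HTTP/1.1" 200 298',
    f'203.0.113.5 - - {_T} "GET {_P}?arg=x%2560true%2560 HTTP/1.1" 200 301',
]


def suspicious_requests(lines):
    """Return (client, status, metachars) for requests to minPlayCommand.php
    whose decoded parameter values contain shell metacharacters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith(TARGET):
            continue
        found = set()
        # Split on raw '&' first: undecoded, it only separates parameters.
        for pair in parts.query.split("&"):
            value = pair.partition("=")[2]
            # Decode twice to catch double-encoded input (%253B -> %3B -> ;).
            found |= METACHARS & set(unquote_plus(unquote_plus(value)))
        if found:
            hits.append((client, int(status), "".join(sorted(found))))
    return hits


if __name__ == "__main__":
    for client, status, chars in suspicious_requests(SAMPLE_LOG):
        print(f"{client} status={status} metacharacters={chars!r}")
```

A hit is a lead for review, not proof of compromise: correlate the client and timestamp with process and outbound-connection logs on the Centreon host.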