CVE-2019-19699
📋 TL;DR
This vulnerability allows authenticated attackers with admin access to Centreon's web interface to achieve remote code execution by misconfiguring poller commands. The exploit involves creating a malicious command and setting it as the post-restart command, which gets executed with root privileges via cron. Organizations running Centreon Infrastructure Monitoring Software through version 19.10 are affected.
💻 Affected Systems
- Centreon Infrastructure Monitoring Software
📦 What is this software?
Centreon by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root-level access, allowing attackers to install persistent backdoors, exfiltrate sensitive data, or pivot to other systems in the network.
Likely Case
Privilege escalation from authenticated admin to root access, enabling attackers to modify system configurations, install malware, or disrupt monitoring operations.
If Mitigated
Limited impact if proper access controls and monitoring are in place, potentially only allowing modification of Centreon-specific files without broader system access.
🎯 Exploit Status
Exploitation requires authenticated admin access and knowledge of Centreon's web interface structure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 19.10.1 and later
Vendor Advisory: https://www.centreon.com/
Restart Required: Yes
Instructions:
1. Backup current configuration.
2. Update Centreon to version 19.10.1 or later.
3. Restart Centreon services.
4. Verify poller configurations are secure.
🔧 Temporary Workarounds
Restrict Admin Access
Limit administrative access to the Centreon web interface to trusted personnel only.
Monitor Poller Configuration Changes
Implement monitoring for changes to poller configurations and post-restart commands.
🧯 If You Can't Patch
- Implement strict access controls and multi-factor authentication for Centreon admin accounts
- Monitor and audit all poller configuration changes and cron job modifications
🔍 How to Verify
Check if Vulnerable:
Check Centreon version via web interface or command line: rpm -qa | grep centreon-web
Check Version:
rpm -qa | grep centreon-web
Verify Fix Applied:
Verify version is 19.10.1 or later and check that poller configuration permissions are properly restricted.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized modifications to poller configurations
- Suspicious cron job creations or modifications
- Apache user modifying executable files
Network Indicators:
- Unusual POST requests to main.php with p=60803 or p=60901 parameters
SIEM Query:
source="centreon.log" AND (uri="/main.php?p=60803" OR uri="/main.php?p=60901") AND user="admin"
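The network indicator above can also be checked directly against the web server's access log. The following is an added example (not code from the page's author or from Centreon) that parses constructed Apache combined-format lines and flags POST requests to main.php whose p parameter is 60803 or 60901; the log lines, IPs and timestamps are made up, and the Centreon username from the SIEM query is not available in a raw access log, so only method and URI are checked.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined-format lines, constructed for this example (not real traffic).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Dec/2019:10:01:03 +0000] "POST /centreon/main.php?p=60803 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Dec/2019:10:01:09 +0000] "GET /centreon/main.php?p=60803 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Dec/2019:10:02:41 +0000] "POST /centreon/main.php?p=60901&o=c HTTP/1.1" 200 377 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Dec/2019:10:03:00 +0000] "POST /centreon/main.php?p=20201 HTTP/1.1" 200 377 "-" "Mozilla/5.0"
"""

# Page ids listed under Network Indicators for this CVE.
WATCHED_PAGE_IDS = {"60803", "60901"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict with ip, ts, method, path, query for one access-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)   # {"p": ["60803"], ...}
    return rec

def is_suspicious(rec):
    """POST to main.php with a watched p value (the poller / command config pages)."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/main.php")
            and bool(WATCHED_PAGE_IDS & set(rec["query"].get("p", []))))

def find_hits(log_text):
    """Return (ip, timestamp, p) for every line that matches the indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["ip"], rec["ts"], rec["query"]["p"][0]))
    return hits

if __name__ == "__main__":
    for ip, ts, p in find_hits(SAMPLE_ACCESS_LOG):
        print(f"{ts} {ip} POST main.php p={p}")
```

Both pages are also used by legitimate administration, so treat a hit as a triage signal and correlate it with the poller-configuration and cron changes listed under Log Indicators rather than alerting on it alone.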
🔗 References
- https://download.centreon.com/
- https://github.com/SpengeSec/CVE-2019-19699
- https://spenge.pw/cves/
- https://twitter.com/SpengeSec/status/1204418071764463618
- https://www.centreon.com/