CVE-2020-9463
📋 TL;DR
This vulnerability allows authenticated remote attackers to execute arbitrary operating system commands on Centreon monitoring servers by injecting shell metacharacters in the server_ip field of API requests. Attackers with valid credentials can achieve remote code execution with the privileges of the Centreon web application. All Centreon 19.10 installations with authenticated user access are affected.
💻 Affected Systems
- Centreon
📦 What is this software?
Centreon is an open-source IT infrastructure and application monitoring platform developed by Centreon.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands as the web server user, potentially leading to lateral movement, data exfiltration, or installation of persistent backdoors.
Likely Case
Attackers with valid credentials gain command execution to install cryptocurrency miners, create backdoors, or pivot to other systems in the network.
If Mitigated
With proper network segmentation and least privilege, the impact is limited to the Centreon server itself, without lateral movement.
🎯 Exploit Status
Exploitation requires valid credentials but is straightforward once authenticated. The vulnerability is in a core API endpoint used for remote server configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 19.10.1 and later
Vendor Advisory: https://github.com/centreon/centreon/releases
Restart Required: Yes
Instructions:
1. Back up the Centreon configuration and database.
2. Update to Centreon 19.10.1 or later via the package manager.
3. Restart Centreon services: systemctl restart centreon centreon-gorgoned centreon-engine centreon-broker
4. Verify the update completed successfully.
🔧 Temporary Workarounds
API Endpoint Restriction
Block or restrict access to the vulnerable API endpoint using web server configuration or WAF rules. Note that internal.php also serves the Centreon web UI's own AJAX calls, so a blanket deny on the whole file breaks the UI; where possible, scope the block to the object=centreon_configuration_remote calls, as the Apache rule below does.

```apache
# For Apache (mod_rewrite, inside the Centreon VirtualHost):
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)object=centreon_configuration_remote(&|$) [NC]
RewriteRule ^/centreon/api/internal\.php$ - [F]
```

```nginx
# For Nginx (blocks the whole internal API; see the note above):
location ~ /centreon/api/internal\.php { deny all; }
```
Input Validation Enhancement
Add input validation to sanitize the server_ip parameter before processing.

```php
// Modify /usr/share/centreon/www/api/internal.php to validate the server_ip
// parameter before it is used. isset() keeps calls that do not carry the
// field (other API objects) working; the D modifier makes $ match only at
// the very end of the string, so a trailing newline cannot slip past.
if (isset($_POST['server_ip'])
    && !preg_match('/^[a-zA-Z0-9.\-:]+$/D', (string) $_POST['server_ip'])) {
    die('Invalid input');
}
```
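The following is an added example, not code from the advisory or from the Centreon project, showing what the allowlist above does and does not reject. It reproduces the workaround's character allowlist and then layers a stricter check (an assumption of this example): the value must parse as an IPv4/IPv6 address or as an RFC 1123 hostname, which rejects inputs such as a leading-hyphen label that the bare character class would let through. The check_request helper and its return values are constructed for illustration.

```python
import ipaddress
import re

# Character allowlist used by the workaround above, anchored with \Z so a
# trailing newline cannot slip past the check.
LOOSE_PATTERN = re.compile(r"^[A-Za-z0-9.\-:]+\Z")

# RFC 1123 hostname label: 1-63 chars, alphanumeric with internal hyphens only.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\Z")


def matches_loose_allowlist(value: str) -> bool:
    """True if the value passes the workaround's character allowlist."""
    return bool(LOOSE_PATTERN.match(value))


def is_valid_server_ip(value: str, max_len: int = 253) -> bool:
    """Stricter check (this example's assumption, not Centreon's own code):
    accept only an IP address or a syntactically valid hostname."""
    if not value or len(value) > max_len:
        return False
    if not matches_loose_allowlist(value):
        return False
    try:
        ipaddress.ip_address(value)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    # Otherwise every dot-separated label must be a valid hostname label.
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def check_request(form: dict) -> tuple[bool, str]:
    """Validate the server_ip field of a decoded request body, mirroring the
    die('Invalid input') guard but returning a result instead of exiting."""
    value = form.get("server_ip")
    if value is None:
        return False, "server_ip missing"
    if not is_valid_server_ip(value):
        return False, "server_ip rejected"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not real requests.
    for sample in ["10.0.0.5", "2001:db8::1", "db-01.example.net",
                   "-bad.example", "10.0.0.5; echo", "10.0.0.5\n"]:
        print(repr(sample), matches_loose_allowlist(sample), is_valid_server_ip(sample))
```

The loose allowlist is enough to stop shell metacharacters (space, semicolon, backtick, dollar, pipe and the like are all outside the class), which is the property the workaround needs; the stricter form is what you would want if the value is later also passed to tooling that interprets leading hyphens as options.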
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Centreon servers from critical systems
- Enforce strong authentication policies and regularly audit user accounts for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the Centreon version: rpm -qa | grep centreon-web or dpkg -l | grep centreon-web. If the version is exactly 19.10, the system is vulnerable.
Check Version:
centreon -v 2>/dev/null || grep 'version' /etc/centreon/centreon.conf.php 2>/dev/null || rpm -qa | grep centreon-web
Verify Fix Applied:
Verify the version is 19.10.1 or later with centreon -v or by checking the package version. Test the API endpoint with sanitized input to ensure command injection is prevented.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /centreon/api/internal.php with shell metacharacters in parameters
- Suspicious commands executed by the apache or www-data user in system logs
- Multiple failed authentication attempts followed by successful login and API access
Network Indicators:
- POST requests to /centreon/api/internal.php?object=centreon_configuration_remote containing special characters in server_ip field
- Outbound connections from Centreon server to unusual destinations following API requests
SIEM Query:
source="apache_access" AND uri_path="/centreon/api/internal.php" AND (query="*object=centreon_configuration_remote*" AND (form_data="*server_ip=*&*" OR post_data="*server_ip=*&*"))