CVE-2021-37557
📋 TL;DR
A SQL injection vulnerability in Centreon's image generation component (generateImage.php) allows remote authenticated attackers with low privileges to execute arbitrary SQL commands. It affects Centreon monitoring systems before the patched releases 20.04.14, 20.10.8 and 21.04.2, potentially leading to data theft, data manipulation, or system compromise.
💻 Affected Systems
- Centreon
📦 What is this software?
Centreon by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary SQL commands to steal sensitive monitoring data, modify configurations, escalate privileges, or achieve remote code execution on the underlying database server.
Likely Case
Attackers with authenticated access could extract sensitive monitoring data, modify alert configurations, or disrupt monitoring operations through database manipulation.
If Mitigated
With proper input validation and parameterized queries, the SQL injection would be prevented, limiting impact to normal authenticated user functionality.
🎯 Exploit Status
Exploitation requires authenticated access but low privileges are sufficient. Public technical details and proof-of-concept information are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.04.14, 20.10.8, or 21.04.2 depending on your version track
Vendor Advisory: https://github.com/centreon/centreon/pull/9787
Restart Required: Yes
Instructions:
1. Identify your Centreon version.
2. Upgrade to the appropriate patched version for your track: 20.04.14, 20.10.8, or 21.04.2.
3. Restart Centreon services.
4. Verify the fix by checking the version and testing image generation functionality.
🔧 Temporary Workarounds
Input Validation Filter
Linux: Implement input validation for the index parameter in generateImage.php to reject malicious SQL characters.
Modify include/views/graphs/generateGraphs/generateImage.php to validate/sanitize the index parameter.
Access Restriction
Linux: Restrict access to the vulnerable endpoint to only the users or IP addresses that need it.
Configure the web server (Apache/Nginx) to restrict access to generateImage.php.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SQL injection patterns targeting the generateImage.php endpoint
- Restrict database user permissions for the Centreon application to minimize potential damage from successful exploitation
🔍 How to Verify
Check if Vulnerable:
Check the Centreon version via the web interface or the command line. If the version is below the patched release for your track (20.04.14, 20.10.8, or 21.04.2), the system is vulnerable.
Check Version:
grep version /etc/centreon/centreon.conf, or check the version in the Centreon web interface
Verify Fix Applied:
Verify that the version is at least the patched release for your track (20.04.14, 20.10.8, or 21.04.2). Test image generation functionality to ensure it works without SQL errors.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed or suspicious requests to generateImage.php
- Unexpected database errors in application logs
Network Indicators:
- SQL injection patterns in HTTP requests to generateImage.php
- Unusual database traffic from web server
SIEM Query:
source="web_logs" AND uri="/include/views/graphs/generateGraphs/generateImage.php" AND (query CONTAINS "UNION" OR query CONTAINS "SELECT" OR query CONTAINS "INSERT" OR query CONTAINS "DELETE")
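The SIEM query above applied offline, as an added example that is not part of this advisory: a Python scanner over constructed Apache access log lines that URL-decodes the query string before keyword matching (encoded payloads would otherwise slip past a raw-string search) and additionally flags any index value that is not a plain integer, on the assumption that generateImage.php only ever expects a numeric index. The keyword list extends the query's UNION/SELECT/INSERT/DELETE with two time-based terms.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined-log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Aug/2021:10:00:01 +0000] "GET /include/views/graphs/generateGraphs/generateImage.php?index=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - user1 [01/Aug/2021:10:00:07 +0000] "GET /include/views/graphs/generateGraphs/generateImage.php?index=42%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "curl/7.68.0"
10.0.0.9 - user1 [01/Aug/2021:10:00:09 +0000] "GET /include/views/graphs/generateGraphs/generateImage.php?index=42'%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.0.0.7 - admin [01/Aug/2021:10:01:00 +0000] "GET /main.php?p=60101 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

TARGET_PATH = "/include/views/graphs/generateGraphs/generateImage.php"
# Keywords from the advisory's SIEM query plus two time-based ones (our extension).
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|DELETE|SLEEP|BENCHMARK)\b", re.IGNORECASE)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyze_line(line):
    """Return a finding for a suspicious generateImage.php request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None  # only the vulnerable endpoint is of interest
    # parse_qs percent-decodes once; unquote decodes the raw query once for keyword search
    params = parse_qs(parts.query, keep_blank_values=True)
    index = params.get("index", [""])[0]
    reasons = []
    if not re.fullmatch(r"\d+", index):  # assumption: index is always numeric
        reasons.append("index is not a plain integer")
    if SQL_KEYWORDS.search(unquote(parts.query)):
        reasons.append("SQL keyword in decoded query string")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "user": m.group("user"), "ts": m.group("ts"),
            "status": m.group("status"), "index": index, "reasons": reasons}


def scan(log_text):
    """Run analyze_line over every line and collect the findings."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The non-integer check is the sharper signal; the bare keyword match will also fire on benign strings, so treat it as corroboration rather than an alert on its own.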