CVE-2021-37558
📋 TL;DR
This is a critical SQL injection vulnerability in Centreon's MediaWiki (Knowledge Base) integration that allows remote unauthenticated attackers to execute arbitrary SQL commands. It affects Centreon monitoring systems running a vulnerable version with the Knowledge Base URL configured to point at a MediaWiki instance. Attackers can potentially compromise the entire database and gain full control of affected systems.
💻 Affected Systems
- Centreon
📦 What is this software?
Centreon by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data exfiltration, ransomware deployment, lateral movement across network, and persistent backdoor installation.
Likely Case
Database compromise allowing credential theft, configuration modification, and privilege escalation to execute arbitrary code on the server.
If Mitigated
Limited impact due to network segmentation, proper input validation, and restricted database permissions preventing full system takeover.
🎯 Exploit Status
Exploitation requires specific configuration but is straightforward once conditions are met. Public technical details available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.04.14, 20.10.8, or 21.04.2 and later
Vendor Advisory: https://github.com/centreon/centreon/pull/9796
Restart Required: Yes
Instructions:
1. Back up your Centreon configuration and database.
2. Update to a patched version using the official Centreon update procedures.
3. Restart Centreon services.
4. Verify the fix by checking the version and testing the previously vulnerable endpoints.
🔧 Temporary Workarounds
Disable Knowledge Base MediaWiki Integration
Remove or disable the Knowledge Base URL configuration pointing to MediaWiki instances
Edit Centreon configuration to remove MediaWiki URL from Knowledge Base settings
Network Access Control
Restrict access to the Centreon web interface using firewall rules (replace trusted_networks with your management network range)
iptables -A INPUT -p tcp --dport 80 -s trusted_networks -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_networks -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict WAF rules to block SQL injection patterns in host_name and service_description parameters
- Isolate Centreon systems in segmented network zones with strict egress filtering
🔍 How to Verify
Check if Vulnerable:
Check the Centreon version and verify whether a Knowledge Base URL is configured that points to MediaWiki. Review the installation for use of proxy.php and ProceduresProxy.class.php, the components involved in this vulnerability.
Check Version:
Run centreon -v, or check the version information in /etc/centreon/centreon.conf
Verify Fix Applied:
Confirm the Centreon version is 20.04.14, 20.10.8, 21.04.2 or later. Test the previously vulnerable endpoints with SQL injection payloads to ensure they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by SQL syntax in web logs
- Requests containing SQL keywords like UNION, SELECT, INSERT in host_name/service_description parameters
Network Indicators:
- Unusual outbound database connections from web server
- SQL error messages in HTTP responses
- Rapid sequential requests to proxy.php endpoints
SIEM Query:
source="centreon_web.log" AND ("host_name=" OR "service_description=") AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE" OR "--" OR "' OR '")
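The SIEM query above matches literal SQL keywords in the raw log text, but the host_name and service_description values arrive URL-encoded in a web access log, so a quote or "OR" written as %27 / %20OR%20 would slip past it. The following added example (not part of the original advisory or of Centreon) implements the same detection over constructed Apache-style access-log lines, decoding each monitored parameter before matching; the request path /centreon/proxy.php and the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Parameters named in the advisory for CVE-2021-37558 and the SQL tokens the SIEM query looks for.
PARAMS = ("host_name", "service_description")
SQL_TOKENS = re.compile(r"\b(UNION|SELECT|INSERT|DELETE)\b|--|'\s*OR\s*'", re.IGNORECASE)

# Constructed sample access-log lines (combined log format); the proxy.php path is assumed.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2021:10:00:01 +0000] "GET /centreon/proxy.php?host_name=web01&service_description=HTTP HTTP/1.1" 200 512
10.0.0.9 - - [01/Aug/2021:10:00:07 +0000] "GET /centreon/proxy.php?host_name=web01%27%20UNION%20SELECT%201%2C2--&service_description=HTTP HTTP/1.1" 200 1024
10.0.0.9 - - [01/Aug/2021:10:00:09 +0000] "GET /centreon/proxy.php?host_name=a%27%20OR%20%27 HTTP/1.1" 500 300
10.0.0.7 - - [01/Aug/2021:10:00:12 +0000] "GET /centreon/main.php?p=60101 HTTP/1.1" 200 800
"""

# Pull the query string out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+\S*\?(\S*)\s+HTTP')


def suspicious_params(log_line: str) -> dict:
    """Return {param: decoded_value} for monitored parameters whose decoded value contains SQL tokens."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return {}
    hits = {}
    for pair in m.group(1).split("&"):
        name, _, raw = pair.partition("=")
        if name in PARAMS:
            value = unquote_plus(raw)  # decode %27, %20, '+' etc. before matching
            if SQL_TOKENS.search(value):
                hits[name] = value
    return hits


def scan_log(text: str) -> list:
    """Return (line_number, hits) for every log line with a suspicious monitored parameter."""
    return [(n, hits) for n, line in enumerate(text.splitlines(), 1)
            if (hits := suspicious_params(line))]


if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {hits}")
```

The literal "--" token can also fire on benign values that contain a double hyphen, so review matches alongside the response status and request rate indicators listed above.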