CVE-2022-42427
📋 TL;DR
This is an SQL injection vulnerability in Centreon's contact groups configuration page that allows authenticated attackers to escalate privileges to administrator level. It affects Centreon installations where attackers have valid credentials. The vulnerability exists due to improper input validation before constructing SQL queries.
💻 Affected Systems
- Centreon
📦 What is this software?
Centreon by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full administrative control over the Centreon monitoring system, potentially compromising the entire monitoring infrastructure and using it as a pivot point to attack monitored systems.
Likely Case
Privileged user or compromised account escalates to administrator, modifies monitoring configurations, disables alerts, or gains access to sensitive monitoring data.
If Mitigated
Attack is prevented by proper input validation and parameterized queries, or blocked by WAF rules and network segmentation.
🎯 Exploit Status
Authentication is required, but once an attacker holds valid credentials the SQL injection is straightforward to exploit. ZDI has published details, but no public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.10.0 and later
Vendor Advisory: https://www.centreon.com/en/security/
Restart Required: Yes
Instructions:
1. Back up the Centreon configuration and database.
2. Update to Centreon 22.10.0 or later.
3. Restart Centreon services.
4. Verify that the update was applied successfully.
🔧 Temporary Workarounds
Input Validation WAF Rule
Implement Web Application Firewall (WAF) rules that block SQL injection patterns in requests to the contact groups configuration pages (/centreon/main.php?p=604*).
Restrict Access to Configuration Pages
Limit access to /centreon/main.php?p=604* pages to trusted administrator IP addresses only. The Apache rewrite below restricts just the p=604* pages; the Nginx allow/deny form applies to the whole main.php location, since allow/deny cannot match on the query string.
# Example for Apache (with RewriteEngine On in the Centreon vhost):
RewriteCond %{QUERY_STRING} (^|&)p=604
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.
RewriteRule ^/centreon/main\.php$ - [F]
# Example for Nginx (inside the location serving /centreon/main.php): allow 192.168.1.0/24; deny all;
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Centreon from critical systems
- Enforce principle of least privilege and regularly audit user accounts and permissions
🔍 How to Verify
Check if Vulnerable:
Check Centreon version: if below 22.10.0, system is vulnerable. Review access logs for unusual patterns to /centreon/main.php?p=604* endpoints.
Check Version:
Run rpm -qa | grep centreon-web on RPM-based installations, or open the About page in the Centreon web interface.
Verify Fix Applied:
Confirm Centreon version is 22.10.0 or later. Test contact groups configuration functionality to ensure it works without errors.
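The version check above can be scripted so it does not depend on a string comparison (which would misorder versions such as 22.4 and 22.10). The following is an added example, not Centreon tooling: it takes the output of rpm -qa, extracts the centreon-web package version and compares it numerically against the fixed version 22.10.0. The package lines used as input are constructed for the example.

```python
"""Decide from `rpm -qa` output whether the installed centreon-web package is
below the fixed version (22.10.0). Added example, not part of Centreon; the
sample package lines below are constructed."""
import re

FIXED_VERSION = (22, 10, 0)
# Package name from the advisory; the release suffix after the version
# (e.g. "-1.el8.noarch") is ignored.
PKG_RE = re.compile(r"^centreon-web-(\d+(?:\.\d+)*)-")


def parse_version(text):
    """'22.04.2' -> (22, 4, 2). Tuples of ints compare correctly where plain
    string comparison would not (e.g. '22.4' < '22.10')."""
    return tuple(int(x) for x in text.split("."))


def is_vulnerable(version):
    """True if the version is strictly below 22.10.0."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    v = v + (0,) * (len(FIXED_VERSION) - len(v))  # 22.10 == 22.10.0
    return v < FIXED_VERSION


def check_rpm_output(rpm_qa_output):
    """Return (version, vulnerable) for centreon-web, or None if not installed."""
    for line in rpm_qa_output.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            return m.group(1), is_vulnerable(m.group(1))
    return None


# Constructed sample of `rpm -qa` output from an unpatched host.
SAMPLE_RPM_QA = """\
centreon-common-22.04.2-1.el8.noarch
centreon-web-22.04.2-1.el8.noarch
centreon-broker-22.04.1-1.el8.x86_64
"""


def main():
    result = check_rpm_output(SAMPLE_RPM_QA)
    if result is None:
        print("centreon-web package not found")
    else:
        version, vulnerable = result
        print(f"centreon-web {version}: {'VULNERABLE' if vulnerable else 'fixed'}")


if __name__ == "__main__":
    main()
```

On a live host, pipe the real output in (for example, read sys.stdin instead of SAMPLE_RPM_QA); installations from source or containers should use the About page instead, since there is no RPM to query.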
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in Centreon logs
- Multiple failed login attempts followed by successful login and access to p=604 pages
- User privilege changes in audit logs
Network Indicators:
- Unusual outbound connections from Centreon server
- SQL injection patterns in HTTP requests to Centreon
SIEM Query:
source="centreon.log" AND ("SQL" OR "syntax" OR "604")
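The log indicators above can be turned into a small offline scanner over the web server's access log. This is an added example, not Centreon's code: it parses Apache/Nginx "combined" log lines, flags requests to /centreon/main.php?p=604* that come from outside the trusted networks, that carry SQL metacharacters or keywords in a query parameter, or that follow a run of failed logins from the same source. The sample log lines are constructed; the login path (/centreon/index.php), the 401 status for a failed login and the sub-page number 60403 are assumptions, only the p=604* prefix comes from the advisory.

```python
"""Scan web-server access logs for the CVE-2022-42427 indicators listed above.

Added example, not Centreon code. Log lines are Apache/Nginx "combined" format
and the sample below is constructed. LOGIN_PATH, the failed-login status codes
and the sub-page number 60403 are assumptions; only the p=604* prefix is from
the advisory."""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Coarse SQL-injection indicator for query parameter values: quotes, comment
# sequences, statement separators and keywords that never belong in a
# contact-group id. An alerting heuristic, not a WAF.
SQLI_RE = re.compile(
    r"""['"]|--|/\*|;|\b(union|select|sleep|benchmark|information_schema)\b""",
    re.IGNORECASE,
)
LOGIN_PATH = "/centreon/index.php"   # assumption
FAILED_LOGIN_STATUSES = (401, 403)   # assumption
FAILED_LOGIN_THRESHOLD = 3


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes values, so %27 becomes a literal quote.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def is_config_page(rec):
    """True for /centreon/main.php?p=604... (contact groups configuration)."""
    if not rec["path"].endswith("/main.php"):
        return False
    return any(k == "p" and v.startswith("604") for k, v in rec["params"])


def sqli_params(rec):
    """Names of query parameters whose value matches SQLI_RE."""
    return [k for k, v in rec["params"] if SQLI_RE.search(v)]


def analyze(lines, trusted_nets):
    """Return one alert per suspicious p=604* request, with the reasons."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    failures = {}       # ip -> consecutive failed logins
    suspicious = set()  # ips that logged in after repeated failures
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["path"] == LOGIN_PATH and rec["method"] == "POST":
            if rec["status"] in FAILED_LOGIN_STATUSES:
                failures[ip] = failures.get(ip, 0) + 1
            elif rec["status"] < 400:
                if failures.get(ip, 0) >= FAILED_LOGIN_THRESHOLD:
                    suspicious.add(ip)
                failures[ip] = 0
            continue
        if not is_config_page(rec):
            continue
        reasons = []
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            reasons.append("untrusted_source")
        reasons += ["sqli_pattern:" + p for p in sqli_params(rec)]
        if ip in suspicious:
            reasons.append("failed_logins_then_config_access")
        if reasons:
            alerts.append({"ts": rec["ts"], "ip": ip,
                           "target": rec["target"], "reasons": reasons})
    return alerts


# Constructed sample: a trusted admin, then a brute-forced account probing the
# contact groups page with a quote in cg_id, then an untrusted but clean access.
SAMPLE_LOG = """\
192.168.1.10 - - [10/Oct/2022:10:00:01 +0000] "GET /centreon/main.php?p=60403 HTTP/1.1" 200 5120
10.0.0.7 - - [10/Oct/2022:10:00:05 +0000] "POST /centreon/index.php HTTP/1.1" 401 312
10.0.0.7 - - [10/Oct/2022:10:00:09 +0000] "POST /centreon/index.php HTTP/1.1" 401 312
10.0.0.7 - - [10/Oct/2022:10:00:14 +0000] "POST /centreon/index.php HTTP/1.1" 401 312
10.0.0.7 - - [10/Oct/2022:10:00:20 +0000] "POST /centreon/index.php HTTP/1.1" 302 0
10.0.0.7 - - [10/Oct/2022:10:00:31 +0000] "GET /centreon/main.php?p=60403&o=c&cg_id=1%27 HTTP/1.1" 200 4096
10.0.0.8 - - [10/Oct/2022:10:01:00 +0000] "GET /centreon/main.php?p=60403 HTTP/1.1" 200 5120
192.168.1.10 - - [10/Oct/2022:10:01:05 +0000] "GET /centreon/main.php?p=60101 HTTP/1.1" 200 5120
""".splitlines()
TRUSTED_NETS = ["192.168.1.0/24"]


def main():
    for a in analyze(SAMPLE_LOG, TRUSTED_NETS):
        print(a["ts"], a["ip"], a["target"], ", ".join(a["reasons"]))


if __name__ == "__main__":
    main()
```

Matching on p=604 as a query parameter, rather than on the bare string "604" as in the SIEM query, avoids hits on any number that happens to contain those digits; the untrusted_source reason should be tuned to the same trusted networks used in the web server access restriction so the two controls agree.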