CVE-2022-42429
📋 TL;DR
CVE-2022-42429 is an SQL injection vulnerability in Centreon's poller broker configuration that allows authenticated attackers to escalate privileges to administrator level. This affects Centreon installations where users can access the poller configuration interface. Attackers need valid credentials but can then gain full administrative control.
💻 Affected Systems
- Centreon
📦 What is this software?
Centreon by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining administrator privileges, potentially leading to data theft, service disruption, or further network penetration.
Likely Case
Privilege escalation to administrator level allowing configuration changes, data access, and potential installation of backdoors.
If Mitigated
Limited impact with proper input validation, parameterized queries, and least privilege access controls in place.
🎯 Exploit Status
Authentication required but SQL injection is straightforward once authenticated. ZDI published advisory with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.04.6, 22.10.4, or 21.10.12
Vendor Advisory: https://www.centreon.com/en/security/
Restart Required: Yes
Instructions:
1. Back up your Centreon configuration and database.
2. Update to the patched version via the Centreon update mechanism.
3. Restart Centreon services.
4. Verify the fix by checking the version and testing functionality.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation for poller broker configuration parameters
# Requires code modification - implement parameterized queries and input sanitization
Access Restriction
Restrict access to the poller configuration interface to only necessary administrators
# Configure web server (Apache/Nginx) to restrict /centreon/main.php?p=60909 to admin IPs only
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with SQL injection rules
- Restrict network access to Centreon interface and implement strict authentication controls
🔍 How to Verify
Check if Vulnerable:
Check Centreon version via web interface or command: rpm -qa | grep centreon-web
Check Version:
rpm -qa | grep centreon-web | grep -E '22\.04\.6|22\.10\.4|21\.10\.12'
Verify Fix Applied:
Verify version is 22.04.6, 22.10.4, or 21.10.12 or later
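A grep for the fixed version strings matches only those exact releases, so a later maintenance release in the same branch would not match. The following is an added example, not code from Centreon or from this page: it compares a centreon-web version against the fixed release of its own branch, using the three versions listed above. The function names are hypothetical, GNU `sort -V` is assumed, and branches the page does not list are reported as unknown rather than guessed.

```sh
# Added example: branch-aware check against the fixed releases listed on this page.

# Print the fixed release for a branch (major.minor); fail if the page lists none.
fixed_for_branch() {
    case "$1" in
        21.10) echo "21.10.12" ;;
        22.04) echo "22.04.6" ;;
        22.10) echo "22.10.4" ;;
        *) return 1 ;;
    esac
}

# version_ge A B: succeed if version A >= version B (numeric per component).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# check_centreon_version VERSION
#   returns 0: at or above the fixed release of its branch
#   returns 1: below the fixed release of its branch
#   returns 2: branch not in the page's list (or unparsable input)
check_centreon_version() {
    cv_branch=$(printf '%s' "$1" | cut -d. -f1,2)
    cv_fixed=$(fixed_for_branch "$cv_branch") || return 2
    if version_ge "$1" "$cv_fixed"; then
        return 0
    fi
    return 1
}

# Print the installed centreon-web version on an RPM-based host (VERSION tag only).
installed_centreon_version() {
    cv_out=$(rpm -q --queryformat '%{VERSION}\n' centreon-web 2>/dev/null) || return 1
    printf '%s\n' "$cv_out"
}
```

On a host with the package installed, run `check_centreon_version "$(installed_centreon_version)"; echo $?` and treat any result other than 0 as needing follow-up against the vendor advisory.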
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed authentication attempts followed by poller configuration access
- Unexpected privilege escalation events
Network Indicators:
- Unusual POST requests to /centreon/main.php?p=60909 with SQL-like parameters
SIEM Query:
source="centreon" AND (url="*p=60909*" AND (param="*SELECT*" OR param="*UNION*" OR param="*INSERT*"))