CVE-2023-51633
📋 TL;DR
Centreon Web renders the sysName value (SNMPv2-MIB OID 1.3.6.1.2.1.1.5.0) returned by a polled SNMP agent without proper validation or output encoding. A device that answers with a crafted sysName can therefore inject script into the Centreon web interface; the script runs in the browser of any Centreon user who views the page that displays it, and the advisory describes the outcome as code execution in the context of the service account. Any Centreon installation on a vulnerable version that monitors devices over SNMP is affected.
💻 Affected Systems
- Centreon
📦 What is this software?
Centreon Web by Centreon: the PHP web front end of the Centreon IT infrastructure monitoring platform, which polls monitored devices over SNMP among other methods and displays the collected values to operators.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code with service account privileges, potentially leading to complete system takeover, data theft, and lateral movement within the network.
Likely Case
Session hijacking, credential theft, and limited code execution within the Centreon application context, potentially leading to further privilege escalation.
If Mitigated
Limited impact with proper input validation and output encoding, potentially only affecting the specific user session without system-wide compromise.
🎯 Exploit Status
User interaction required: a Centreon user must view the page that displays the malicious sysName. The attacker must control the SNMP response of a device that Centreon polls, for example a rogue or compromised monitored host, or write access to sysName on a legitimate one. No Centreon credentials are needed to plant the payload; they are only needed by the victim whose session executes it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.10.10, 23.04.12, or 22.10.16
Vendor Advisory: https://www.centreon.com/en/security/
Restart Required: Yes
Instructions:
1. Back up your Centreon installation (database and configuration).
2. Update to the patched version for your branch (23.10.10, 23.04.12, or 22.10.16).
3. Restart the Centreon services.
4. Verify that the fix is applied (see How to Verify below).
🔧 Temporary Workarounds
Input Validation Filter
Reject or strip SNMP sysName values that contain HTML markup (any "<" or ">" character, "javascript:" schemes, or on*= event-handler attributes) before they are stored or displayed.
# Not a supported Centreon configuration setting: this requires modifying Centreon's own PHP code
# and is lost on the next upgrade, so treat it as a stopgap until the vendor patch is applied
Output Encoding
HTML-entity-encode every sysName value at the point where the web interface renders it (in PHP, htmlspecialchars() with ENT_QUOTES), rather than trusting that the stored value is clean.
# Also a local modification of Centreon's display templates, not a configuration option
# Encoding on output is the control that actually closes the bug; input filtering alone is bypassable
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Centreon servers from untrusted networks
- Deploy a web application firewall (WAF) with XSS protection rules to filter malicious requests
🔍 How to Verify
Check if Vulnerable:
Check the Centreon Web version via the web interface or on the command line. You are vulnerable if the version is below the patched release of your branch (23.10.10 for 23.10, 23.04.12 for 23.04, 22.10.16 for 22.10).
Check Version:
rpm -q centreon-web (RHEL/EL-based) or dpkg -s centreon-web (Debian/Ubuntu); the installer also records the version in the informations table of the centreon database. The centreon CLI (CLAPI) does not print the version: its -v switch passes values to an action.
Verify Fix Applied:
Confirm the version is at least the patched release of your branch (23.10.10, 23.04.12, or 22.10.16). Then, on a lab SNMP agent you control, set sysName to a marker containing HTML characters, let Centreon poll it, and confirm the marker is displayed HTML-encoded rather than rendered as markup.
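The following is an added example, not code from this page or from Centreon, illustrating both the Output Encoding workaround above and the verification step. The two `render_*` functions are assumed stand-ins for a Centreon template that prints a polled sysName: one drops it into the HTML verbatim (the vulnerable behaviour), the other HTML-entity-encodes it. `classify_reflection` is the check to run on a real page fetched from a test Centreon after a lab agent you control has advertised the constructed marker as its sysName (with net-snmp, the `sysName` directive in snmpd.conf). The marker uses an `<img onerror>` handler rather than `<script>` so that a filter that only strips script tags does not pass the test.

```python
import html
import re

# Constructed lab marker: a unique token inside an attribute-based payload.
# It alerts nothing useful on purpose; the point is whether the tag survives.
TOKEN = "xss-check-51633"
MARKER = f'<img src=x onerror="alert(\'{TOKEN}\')">'


def render_vulnerable(sysname: str) -> str:
    """Stand-in for a template that inserts the polled sysName unencoded."""
    return f'<td class="sysname">{sysname}</td>'


def render_hardened(sysname: str) -> str:
    """Same template with HTML-entity encoding of <, >, &, \" and '.

    Equivalent to PHP's htmlspecialchars($sysname, ENT_QUOTES) in Centreon's
    own stack; the entity chosen for the quote character differs, which is why
    the check below does not compare against one exact encoded string.
    """
    return f'<td class="sysname">{html.escape(sysname, quote=True)}</td>'


def classify_reflection(page_html: str, token: str = TOKEN) -> str:
    """Classify how a page reflects the marker.

    'absent'  - the token is not on the page (host not polled yet, or the
                value was rejected by an input filter).
    'raw'     - a literal <img ...> tag still carries the token: vulnerable.
    'encoded' - the token is present but no tag formed around it: the
                encoder turned '<' into '&lt;' (or similar), so the fix holds.
    """
    if token not in page_html:
        return "absent"
    if re.search(r"<img\b[^>]*" + re.escape(token), page_html):
        return "raw"
    return "encoded"


if __name__ == "__main__":
    for label, page in (("vulnerable", render_vulnerable(MARKER)),
                        ("hardened", render_hardened(MARKER))):
        print(f"{label:10s} -> {classify_reflection(page)}")
```

Run the classification against the real page source (for example the host detail page) rather than the rendered DOM: a browser may already have executed the handler by the time you inspect the DOM, and the raw HTML is what shows whether the encoder ran.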
📡 Detection & Monitoring
Log Indicators:
- sysName values stored for polled hosts that contain "<", ">", "javascript:" or on*= attributes, or that exceed the 255-character DisplayString limit
- Hosts whose sysName changes to a value that does not match any hostname convention in your inventory
- Requests from Centreon users' browsers to unexpected external hosts in proxy logs, which is what a payload that steals a session would produce
Network Indicators:
- SNMP GetResponse packets for OID 1.3.6.1.2.1.1.5.0 whose value contains script tags, event-handler attributes or a javascript: URI
- Unusual outbound connections from the Centreon server or from operators' workstations shortly after a Centreon page view
SIEM Query (pseudo-syntax, adapt to your platform; note that matching only "<script>" misses the common attribute-based payloads, so the on*= and tag patterns are included):
source="centreon" AND (sysName CONTAINS "<script" OR sysName CONTAINS "javascript:" OR sysName MATCHES "on[a-z]+=" OR sysName CONTAINS "<img" OR sysName CONTAINS "<svg")
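As an added example (not part of this page and not Centreon code), the detection logic described above as a small Python scanner over the sysName values of your inventory, covering more than the SIEM query: it decodes one round of URL- and HTML-entity encoding first, so `%3Csvg%20onload%3D...` or `&lt;img ...` are caught, and it flags event-handler attributes, tag-like input, `javascript:` and `data:text/html` URIs, and oversized values. The host/sysName records are constructed sample data; in practice you would feed it the values exported from the Centreon database or from SNMP polling logs.

```python
import html
import re
from urllib.parse import unquote

# Indicators in order of specificity. A hit on "html_tag" alone means the
# value contains markup but none of the more specific payload shapes.
INDICATORS = [
    ("script_tag",     re.compile(r"<\s*/?\s*script\b", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("data_uri",       re.compile(r"data\s*:\s*text/html", re.I)),
    ("event_handler",  re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("html_tag",       re.compile(r"<\s*[a-z!/]", re.I)),
]

SYSNAME_MAX = 255  # sysName is a DisplayString (SIZE (0..255)) in SNMPv2-MIB


def normalise(value: str) -> str:
    """Undo one round of URL encoding and HTML entity encoding.

    A value stored as '&lt;img ...' or '%3Cimg ...' renders as markup once
    something decodes it, so the scan must see the decoded form.
    """
    return html.unescape(unquote(value))


def classify_sysname(value: str) -> list[str]:
    """Return the names of all indicators matched by one sysName value."""
    hits = []
    decoded = normalise(value)
    for name, pattern in INDICATORS:
        if pattern.search(decoded):
            hits.append(name)
    if len(value) > SYSNAME_MAX:
        hits.append("oversized")
    return hits


def scan_inventory(records) -> dict[str, list[str]]:
    """records: iterable of (host, sysName) pairs. Returns only flagged hosts."""
    flagged = {}
    for host, sysname in records:
        hits = classify_sysname(sysname)
        if hits:
            flagged[host] = hits
    return flagged


# Constructed sample records: one benign, the rest shaped like XSS payloads
# in the forms an attacker would choose to slip past a "<script>"-only rule.
SAMPLE_RECORDS = [
    ("core-sw01", "core-sw01.example.net"),
    ("edge-rt02", "<script>alert(1)</script>"),
    ("ap-17",     "<img src=x onerror=alert(1)>"),
    ("cam-03",    "%3Csvg%20onload%3Dalert(1)%3E"),
    ("ups-01",    "&lt;a href=&quot;javascript:alert(1)&quot;&gt;x&lt;/a&gt;"),
]

if __name__ == "__main__":
    for host, hits in scan_inventory(SAMPLE_RECORDS).items():
        print(f"{host}: {', '.join(hits)}")
```

Expect some false positives from the `event_handler` pattern on names such as "onsite=..." and from `html_tag` on hostnames that legitimately contain "<"; both are rare enough in device names that a hit deserves a look, and a genuine hostname never needs a `javascript:` scheme or a `<script` element.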