CVE-2024-23116
📋 TL;DR
This SQL injection vulnerability in Centreon's updateLCARelation function allows authenticated remote attackers to execute arbitrary SQL commands, potentially leading to remote code execution. Attackers can leverage this to compromise affected Centreon installations and execute code with service account privileges. Organizations running vulnerable Centreon versions are affected.
💻 Affected Systems
- Centreon
📦 What is this software?
Centreon Web by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal sensitive data, pivot to other systems, and maintain persistent access.
Likely Case
Database compromise leading to data theft, privilege escalation, and potential lateral movement within the network.
If Mitigated
Limited impact with proper network segmentation, minimal service account privileges, and SQL injection protections in place.
🎯 Exploit Status
Authentication required but SQL injection to RCE chain is well-documented; exploit likely to be developed quickly
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Centreon security advisory for specific patched version
Vendor Advisory: https://www.centreon.com/en/security/
Restart Required: Yes
Instructions:
1. Check Centreon security advisory for exact patch version
2. Backup Centreon installation and database
3. Apply Centreon update via package manager or manual update
4. Restart Centreon services
5. Verify patch application
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation for the updateLCARelation function parameters
Not applicable - requires code modification
WAF Rule Implementation
Deploy web application firewall rules to detect and block SQL injection attempts
WAF-specific configuration commands
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Centreon from critical systems
- Enforce strong authentication policies and monitor for brute force attempts
🔍 How to Verify
Check if Vulnerable:
Check the Centreon version against the vendor advisory; examine whether the updateLCARelation function lacks proper input sanitization
Check Version:
centreon -v or check Centreon web interface version information
Verify Fix Applied:
Verify Centreon version matches patched version in advisory; test SQL injection attempts are blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in Centreon logs
- Multiple authentication attempts followed by updateLCARelation calls
- Error messages containing SQL syntax
Network Indicators:
- SQL injection patterns in HTTP POST requests to Centreon
- Unusual outbound connections from Centreon server
SIEM Query:
source="centreon.log" AND ("updateLCARelation" AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE"))
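As an added defender-side example (not code from the original page or from Centreon): a small Python script that applies the two log indicators above, SQL keywords in updateLCARelation calls and a burst of failed logins followed by such a call, to constructed sample lines in an assumed key=value log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed key=value format (not real Centreon log output).
SAMPLE_LOG = """\
2024-03-12T10:00:01Z src=10.0.0.7 user=alice event=login result=fail
2024-03-12T10:00:03Z src=10.0.0.7 user=alice event=login result=fail
2024-03-12T10:00:05Z src=10.0.0.7 user=alice event=login result=fail
2024-03-12T10:00:09Z src=10.0.0.7 user=alice event=login result=ok
2024-03-12T10:00:20Z src=10.0.0.7 user=alice event=request function=updateLCARelation params="id=1 UNION SELECT 1"
2024-03-12T10:01:02Z src=10.0.0.5 user=admin event=request function=updateLCARelation params="id=42"
2024-03-12T10:01:30Z src=10.0.0.9 user=bob event=request function=listHosts params="id=7"
2024-03-12T10:02:00Z src=10.0.0.5 user=admin event=request function=updateLCARelation params="id=42'; DELETE FROM t"
"""

# Same keyword set as the SIEM query, matched as whole words, case-insensitively
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|DELETE)\b", re.IGNORECASE)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split a constructed log line into a dict; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    if not rest:
        return None
    fields = {k: quoted if quoted else bare for k, quoted, bare in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect(log_text, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (rule, user, src, line) findings for the two log indicators above."""
    findings = []
    failed_logins = defaultdict(list)  # src -> timestamps of failed logins
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src, user = ev.get("src", "?"), ev.get("user", "?")
        if ev.get("event") == "login" and ev.get("result") == "fail":
            failed_logins[src].append(ev["ts"])
        elif ev.get("function") == "updateLCARelation":
            # Rule 1: SQL keywords inside the parameters of an updateLCARelation call
            if SQL_KEYWORDS.search(ev.get("params", "")):
                findings.append(("sql_keyword", user, src, raw))
            # Rule 2: a burst of failed logins from the same source shortly before the call
            recent = [t for t in failed_logins[src] if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                findings.append(("auth_burst_then_call", user, src, raw))
    return findings
```

Run `detect(SAMPLE_LOG)` to see the three findings; tune `fail_threshold` and `window` to your own login volume before using the second rule for alerting.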