CVE-2024-23118
📋 TL;DR
This SQL injection vulnerability in Centreon's updateContactHostCommands function allows authenticated attackers to execute arbitrary SQL commands, potentially leading to remote code execution. Installations running vulnerable Centreon versions are at risk; exploitation requires the attacker to be authenticated.
💻 Affected Systems
- Centreon
📦 What is this software?
Centreon Web by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via SQL injection leading to remote code execution as the database service account, potentially allowing lateral movement and data exfiltration.
Likely Case
Database compromise, data theft, and potential privilege escalation within the Centreon application.
If Mitigated
Limited impact due to proper input validation, parameterized queries, and network segmentation preventing lateral movement.
🎯 Exploit Status
Authentication required but SQL injection exploitation is well-understood with many available tools
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Centreon security advisory for specific patched versions
Vendor Advisory: https://www.centreon.com/en/security/
Restart Required: Yes
Instructions:
1. Check Centreon security advisory for patched version.
2. Backup configuration and database.
3. Apply Centreon update via package manager.
4. Restart Centreon services.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation for contact host commands parameters
# Requires code modification - implement parameterized queries in updateContactHostCommands function
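One way the parameterized-query workaround above could look, as an added example rather than Centreon's own code: the function name updateContactHostCommandsSafe, the contact_cmd_rel table and its columns are hypothetical, and an in-memory SQLite database stands in for Centreon's MySQL/MariaDB backend.

```php
<?php
declare(strict_types=1);

// Constructed schema for illustration; not Centreon's actual tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contact_cmd_rel (contact_id INTEGER NOT NULL, command_id INTEGER NOT NULL)');

/**
 * Hypothetical hardened rewrite: replace a contact's host notification
 * commands using strict integer validation and bound parameters, so
 * request values are never concatenated into the SQL text.
 */
function updateContactHostCommandsSafe(PDO $db, $contactId, array $commandIds): int
{
    // Reject anything that is not a positive integer before it reaches SQL.
    $toId = static function ($v): int {
        $id = filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException('ID must be a positive integer');
        }
        return $id;
    };
    $contactId = $toId($contactId);
    $commandIds = array_unique(array_map($toId, $commandIds));

    // Delete and re-insert atomically so a failure cannot leave a partial update.
    $db->beginTransaction();
    try {
        $del = $db->prepare('DELETE FROM contact_cmd_rel WHERE contact_id = :cid');
        $del->execute([':cid' => $contactId]);
        $ins = $db->prepare('INSERT INTO contact_cmd_rel (contact_id, command_id) VALUES (:cid, :cmd)');
        foreach ($commandIds as $cmd) {
            $ins->execute([':cid' => $contactId, ':cmd' => $cmd]);
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return count($commandIds);
}

// Constructed inputs: a valid update, then a value carrying SQL syntax.
echo updateContactHostCommandsSafe($db, '7', ['3', '5']), " rows written\n";
try {
    updateContactHostCommandsSafe($db, '7 OR 1=1', ['3']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```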
Network Segmentation
Restrict Centreon database access to only necessary hosts
# Placeholder address: replace 192.0.2.10 with the host that must reach the database
iptables -A INPUT -p tcp --dport 3306 -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
🧯 If You Can't Patch
- Implement web application firewall (WAF) with SQL injection rules
- Restrict Centreon user permissions to minimum required and implement strong authentication controls
🔍 How to Verify
Check if Vulnerable:
Check Centreon version against security advisory and verify if updateContactHostCommands function uses parameterized queries
Check Version:
centreon -v or check /usr/share/centreon/www/install/install.php
Verify Fix Applied:
Verify that the Centreon version is updated to the patched version and test that SQL injection attempts are blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed authentication attempts followed by SQL syntax in Centreon logs
- Unexpected database user activity
Network Indicators:
- SQL injection patterns in HTTP POST requests to Centreon
- Unusual outbound connections from database server
SIEM Query:
(source="centreon.log" AND ("SQL" OR "injection" OR "syntax error")) OR (source="mysql.log" AND ("SELECT" OR "UNION" OR "EXEC")) FROM unknown_source