CVE-2024-32501
📋 TL;DR
A SQL injection vulnerability in Centreon Web's updateServiceHost function allows attackers to execute arbitrary SQL commands. This affects all Centreon Web installations running vulnerable versions, potentially compromising the monitoring database and system integrity.
💻 Affected Systems
- Centreon Web
📦 What is this software?
Centreon Web by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation, and potential remote code execution on the underlying server.
Likely Case
Unauthorized database access allowing data extraction, modification, or deletion of monitoring configuration and metrics.
If Mitigated
Limited impact if proper input validation and WAF rules block malicious SQL payloads.
🎯 Exploit Status
SQL injection vulnerabilities typically have low exploitation complexity. Authentication is required to access the vulnerable function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.04.3, 23.10.13, 23.04.19, or 22.10.23 depending on your version
Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/security-bulletin-for-centreon-web-3744
Restart Required: Yes
Instructions:
1. Backup your Centreon configuration and database.
2. Update to the patched version using your package manager (yum update centreon-web or apt upgrade centreon-web).
3. Restart the web server service (systemctl restart httpd or systemctl restart apache2).
4. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation WAF Rule
Implement web application firewall rules to block SQL injection patterns in updateServiceHost requests.
# Example ModSecurity rule (configure in your WAF or web server security module):
SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQL Injection Attempt'"
🧯 If You Can't Patch
- Restrict network access to Centreon Web interface to trusted IP addresses only
- Implement strict database user permissions with least privilege principle
🔍 How to Verify
Check if Vulnerable:
Check your Centreon Web version: rpm -qa | grep centreon-web or dpkg -l | grep centreon-web. Compare against affected versions.
Check Version:
rpm -qa | grep centreon-web || dpkg -l | grep centreon-web || cat /etc/centreon/centreon.conf.php | grep version
Verify Fix Applied:
After patching, verify that the installed version is 24.04.3, 23.10.13, 23.04.19, or 22.10.23 (or a later release of the same branch). Test the updateServiceHost functionality with safe inputs.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed authentication attempts followed by updateServiceHost requests
- Web server logs showing SQL syntax in updateServiceHost parameters
Network Indicators:
- Unusual database connection patterns from web server
- HTTP POST requests to updateServiceHost with SQL keywords
SIEM Query:
source="web_server_logs" AND uri="/centreon/include/configuration/configObject/service/updateServiceHost" AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT" OR request_body CONTAINS "INSERT" OR request_body CONTAINS "DELETE")
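The SIEM query above expressed as a small log filter, as an added example that is not part of the original advisory: it parses constructed access-log lines (the quoted request body at the end of each line is an assumed log format, not Centreon's), URL-decodes the updateServiceHost parameters and reports the SQL keywords the query names. The fourth sample line shows that a benign value containing the word "select" is flagged as well, so hits need triage rather than automatic blocking.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample access-log lines (not real Centreon traffic). The last
# quoted field stands in for a logged request body, as some proxies record it.
TARGET_URI = "/centreon/include/configuration/configObject/service/updateServiceHost"
SAMPLE_LOGS = [
    f'10.0.0.5 - - [01/May/2024:10:00:01 +0000] "POST {TARGET_URI} HTTP/1.1" 200 512 "host_id=12&service_id=34"',
    f'10.0.0.9 - - [01/May/2024:10:00:07 +0000] "POST {TARGET_URI} HTTP/1.1" 200 512 "host_id=12%20UNION%20SELECT%201%2C2--&service_id=34"',
    '10.0.0.5 - - [01/May/2024:10:00:09 +0000] "GET /centreon/main.php?p=60201 HTTP/1.1" 200 8192 "a=UNION"',
    f'10.0.0.7 - - [01/May/2024:10:00:15 +0000] "POST {TARGET_URI} HTTP/1.1" 200 512 "host_id=12&comment=please+select+a+host"',
]

SQL_KEYWORDS = ("UNION", "SELECT", "INSERT", "DELETE")  # the terms from the SIEM query
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sql_keywords_in(body):
    """Return the SQL keywords found as whole words in the decoded parameter values."""
    found = []
    for _, value in parse_qsl(body, keep_blank_values=True):
        # parse_qsl decodes once; decode again so double-encoded values are seen too
        for kw in KEYWORD_RE.findall(unquote_plus(value)):
            if kw.upper() not in found:
                found.append(kw.upper())
    return found


def flag_update_service_host(lines):
    """Flag requests to updateServiceHost whose parameters carry SQL keywords."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["uri"].split("?")[0] != TARGET_URI:
            continue  # other endpoints are out of scope for this query
        keywords = sql_keywords_in(rec["body"])
        if keywords:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "keywords": keywords})
    return hits


if __name__ == "__main__":
    for hit in flag_update_service_host(SAMPLE_LOGS):
        print(hit)
```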