CVE-2024-39841
📋 TL;DR
A SQL injection vulnerability in Centreon Web's service configuration functionality allows attackers to execute arbitrary SQL commands. This affects Centreon Web versions 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23. Attackers with access to the service configuration interface can potentially compromise the underlying database.
💻 Affected Systems
- Centreon Web
📦 What is this software?
Centreon Web by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation, and potential remote code execution on the database server.
Likely Case
Unauthorized data access, modification, or deletion of monitoring configuration and system data.
If Mitigated
Limited impact with proper input validation and database permissions restricting damage to non-critical data.
🎯 Exploit Status
SQL injection vulnerabilities are typically easy to exploit with basic web testing tools. Requires authenticated access to the service configuration interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.04.3, 23.10.13, 23.04.19, or 22.10.23 depending on your version
Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/security-bulletin-for-centreon-web-3744
Restart Required: Yes
Instructions:
1. Backup your Centreon configuration and database.
2. Update to the patched version using your package manager (yum update centreon-web or apt-get upgrade centreon-web).
3. Restart Centreon services (systemctl restart centreon).
4. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation Filter
Implement web application firewall rules to block SQL injection patterns in service configuration requests.
# Example ModSecurity rule: SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQL Injection Attempt'"
# Configure WAF to filter: UNION, SELECT, INSERT, UPDATE, DELETE, DROP, EXEC, --, #, /*, */, ' OR '1'='1
Access Restriction
Restrict access to the Centreon Web service configuration interface to authorized administrators only using network ACLs.
# Example iptables rules (the ACCEPT rule only restricts access when followed by a rule dropping other sources): iptables -A INPUT -p tcp --dport 80 -s trusted_ip_range -j ACCEPT; iptables -A INPUT -p tcp --dport 80 -j DROP
# Example nginx config: location /centreon { allow admin_ip; deny all; }
🧯 If You Can't Patch
- Implement strict database user permissions with least privilege principle
- Enable detailed SQL query logging and monitor for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check Centreon Web version: rpm -qa | grep centreon-web or dpkg -l | grep centreon-web. Compare against affected versions.
Check Version:
rpm -q centreon-web || dpkg -l | grep centreon-web || cat /etc/centreon/centreon.conf | grep version
Verify Fix Applied:
Verify the installed version is at least the fixed release for its branch (24.04.3, 23.10.13, 23.04.19, or 22.10.23). Test service configuration functionality for SQL injection using safe test payloads.
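The version comparison above has to be done per branch, since each affected branch has its own fixed release. The following added example (not part of the advisory or of Centreon's own tooling) takes the raw output line of rpm -q or dpkg -l and reports whether that version falls inside one of the four affected ranges; the sample package strings in the comments are constructed.

```python
import re
from typing import Optional, Tuple

# Affected branches and the first fixed release in each, as listed in the advisory.
# Key: (major, minor) of the branch; value: the (major, minor, patch) that closes the hole.
FIXED_VERSIONS = {
    (24, 4): (24, 4, 3),
    (23, 10): (23, 10, 13),
    (23, 4): (23, 4, 19),
    (22, 10): (22, 10, 23),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract the first x.y.z version from a package-manager line.

    Accepts raw lines such as (constructed samples):
      'centreon-web-23.10.12-1.el8'            (rpm -q output)
      'ii  centreon-web  23.04.18-1  all ...'   (dpkg -l output)
    Leading zeros as in '24.04' are handled by int().
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def is_vulnerable(text: str) -> Optional[bool]:
    """Classify an installed version against CVE-2024-39841.

    Returns True when the version is in an affected branch and below that
    branch's fix, False when it is at or above the fix, and None when the
    branch is not one the advisory lists (e.g. a newer major release), so the
    caller can treat 'unknown' differently from 'patched'.
    """
    major, minor, patch = parse_version(text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


if __name__ == "__main__":
    # Constructed sample: what `rpm -q centreon-web` might print on an unpatched host.
    print(is_vulnerable("centreon-web-24.04.2-1.el9"))  # True
```

Pipe the real output in with something like `rpm -q centreon-web | python3 check.py` after replacing the sample string with sys.stdin.read(); a None result means the branch is outside the advisory's scope, not that it is safe.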
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by service configuration access
- SQL syntax errors in web server logs from service configuration endpoints
Network Indicators:
- Unusual database connections from web server IP
- SQL keywords in HTTP POST requests to /centreon/service endpoints
SIEM Query:
source="web_logs" AND (url="*service*" AND (method="POST" OR method="PUT")) AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*" OR query="*--*" OR query="*' OR '*")