CVE-2024-39842
📋 TL;DR
A SQL injection vulnerability in Centreon 24.04.2 allows authenticated high-privileged attackers to execute arbitrary SQL commands through user massive changes inputs. This could lead to data theft, manipulation, or system compromise. Only Centreon instances with high-privileged user accounts are directly affected.
💻 Affected Systems
- Centreon
📦 What is this software?
Centreon by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including exfiltration of sensitive monitoring data, credential theft, privilege escalation to system-level access, and potential lateral movement to connected systems.
Likely Case
Unauthorized access to monitoring data, modification of alert thresholds or configurations, and potential credential harvesting from the Centreon database.
If Mitigated
Limited impact due to proper input validation, parameterized queries, and restricted database permissions preventing successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated high-privileged access. SQL injection via user massive changes feature is straightforward for attackers with valid credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.04.3 or later
Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/security-bulletin-for-centreon-web-3809
Restart Required: Yes
Instructions:
1. Backup Centreon configuration and database.
2. Update to Centreon 24.04.3 or later via package manager or manual installation.
3. Restart Centreon services.
4. Verify update completed successfully.
🔧 Temporary Workarounds
Disable User Massive Changes Feature
Temporarily disable the vulnerable user massive changes functionality until patching can be completed.
# Modify Centreon configuration to restrict access to user management features
# Consult Centreon documentation for specific configuration changes
Implement Web Application Firewall Rules
Deploy WAF rules to block SQL injection patterns in user management requests.
# Example ModSecurity rule: SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403"
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for all user management functions
- Restrict database user permissions to minimum required privileges and implement database activity monitoring
🔍 How to Verify
Check if Vulnerable:
Check Centreon version via web interface or command: rpm -qa | grep centreon-web
Check Version:
rpm -qa | grep centreon-web || dpkg -l | grep centreon-web
Verify Fix Applied:
Verify that the version is 24.04.3 or later and test the user massive changes functionality with SQL injection test payloads (in a safe environment).
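As an added example (not from the advisory and not Centreon's own tooling), the POSIX shell script below parses the package lines that `rpm -qa` or `dpkg -l` print for centreon-web and compares the installed version against the fixed release 24.04.3, so the check can be scripted across many hosts instead of read by eye. The two package-line shapes and the sample lines are constructed assumptions; a real host may carry a different release suffix.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Centreon's own tooling: parse
# the package lines that `rpm -qa` or `dpkg -l` print for centreon-web and
# compare the version against the fixed release named in the advisory.
FIXED_VERSION="24.04.3"

# version_ge A B -> exit 0 when dotted version A is >= B (numeric, per component).
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# is_fixed VERSION -> exit 0 when VERSION already carries the fix.
is_fixed() { version_ge "$1" "$FIXED_VERSION"; }

# extract_version LINE -> print the upstream version from a package-list line.
# Sample line shapes (constructed; real hosts may differ in the release suffix):
#   rpm -qa : centreon-web-24.04.2-1.el8.noarch
#   dpkg -l : ii  centreon-web  24.04.2-1  all  Centreon web interface
extract_version() {
    case "$1" in
        centreon-web-*)
            printf '%s\n' "$1" | sed -n 's/^centreon-web-\([0-9][0-9.]*\)-.*/\1/p' ;;
        ii*)
            printf '%s\n' "$1" | awk '$2 == "centreon-web" { sub(/-.*/, "", $3); print $3 }' ;;
        *)
            return 1 ;;
    esac
}

# check_line LINE -> print "FIXED <ver>" or "VULNERABLE <ver>" for one package line.
check_line() {
    ver=$(extract_version "$1") || return 1
    [ -n "$ver" ] || return 1
    if is_fixed "$ver"; then
        printf 'FIXED %s\n' "$ver"
    else
        printf 'VULNERABLE %s\n' "$ver"
    fi
}

# check_installed -> run against whichever package manager exists on this host.
check_installed() {
    { rpm -qa 2>/dev/null; dpkg -l 2>/dev/null; } | grep 'centreon-web' |
    while IFS= read -r line; do
        check_line "$line" || printf 'UNPARSED %s\n' "$line"
    done
}

# Demonstration on constructed sample lines (call check_installed on a real host).
for sample in 'centreon-web-24.04.2-1.el8.noarch' \
              'ii  centreon-web  24.04.3-1  all  Centreon web interface'; do
    check_line "$sample"
done
```

The version comparison is done per dotted component rather than as a string, so 24.04.10 is correctly treated as newer than 24.04.3; only the upstream version is compared, since the distribution release suffix (`-1.el8`) says nothing about the fix.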
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by user management activities
- Suspicious patterns in Centreon web access logs containing SQL keywords
Network Indicators:
- Unusual database connection patterns from Centreon application server
- Large data exfiltration from database server
SIEM Query:
source="centreon.log" AND "massive" AND "user" AND ("SELECT" OR "UNION" OR "INSERT" OR "DELETE" OR "UPDATE")
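The log indicators and the SIEM query above can be exercised offline. As an added example that is not part of the advisory, the shell script below takes constructed Apache-style access log lines, percent-decodes the request target, and flags only requests that both touch a user massive-change path and contain one of the SQL keywords the query lists. The path fragment (`example_user_massive_change.php`), the variable names and the log lines are constructed placeholders, not real Centreon endpoints.

```shell
#!/bin/sh
# Added example (not from the advisory): flag access-log requests that hit a
# user-management path AND carry an SQL keyword, the pattern the advisory's
# SIEM query describes. Paths and log lines are constructed samples.

# SQL keywords from the advisory's query, matched case-insensitively.
SQL_KEYWORDS='(SELECT|UNION|INSERT|DELETE|UPDATE)'
# Placeholder path fragment for the user massive-change feature (hypothetical).
USER_MGMT_PATH='user_massive_change'

# urldecode STRING -> turn %XX escapes and '+' into literal characters so that
# encoded payloads do not slip past the keyword match. Pure awk, no bash-isms.
urldecode() {
    printf '%s\n' "$1" | awk '
    BEGIN { hex = "0123456789abcdef" }
    {
        s = $0; out = ""
        while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            out = out substr(s, 1, RSTART - 1)
            h = tolower(substr(s, RSTART + 1, 2))
            code = (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1
            out = out sprintf("%c", code)
            s = substr(s, RSTART + 3)
        }
        s = out s
        gsub(/\+/, " ", s)
        print s
    }'
}

# flag_line LINE -> exit 0 and print the decoded request when the request
# path touches the user-management feature and contains an SQL keyword.
flag_line() {
    # Request target is the second word inside the quoted "METHOD target HTTP/x".
    req=$(printf '%s\n' "$1" | sed -n 's/^[^"]*"[A-Z]* \([^ ]*\) HTTP[^"]*".*/\1/p')
    [ -n "$req" ] || return 1
    decoded=$(urldecode "$req")
    case "$decoded" in
        *"$USER_MGMT_PATH"*) ;;   # in scope: user-management request
        *) return 1 ;;            # other pages are not covered by this rule
    esac
    # Word-boundary match so "selected"/"updates" in ordinary parameters do not fire.
    printf '%s\n' "$decoded" | grep -qiE "(^|[^A-Za-z])$SQL_KEYWORDS([^A-Za-z]|$)" || return 1
    printf 'FLAGGED: %s\n' "$decoded"
}

# count_flagged FILE -> print the number of flagged lines in an access log.
count_flagged() {
    n=0
    while IFS= read -r line; do
        if flag_line "$line" >/dev/null; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# Constructed sample log: one benign page view, one benign user-management
# request, one user-management request carrying an encoded SQL keyword, and
# one unrelated request whose parameter happens to be the word "update".
SAMPLE_LOG="${TMPDIR:-/tmp}/centreon_sample_access.log"
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - admin [01/Jul/2024:10:00:01 +0000] "GET /centreon/example_dashboard.php?p=1 HTTP/1.1" 200 5120
10.0.0.5 - admin [01/Jul/2024:10:00:09 +0000] "POST /centreon/example_user_massive_change.php HTTP/1.1" 200 310
10.0.0.7 - admin [01/Jul/2024:10:02:44 +0000] "POST /centreon/example_user_massive_change.php?contact_alias=x%27%20UNION%20SELECT%201-- HTTP/1.1" 200 910
10.0.0.9 - viewer [01/Jul/2024:10:03:10 +0000] "GET /centreon/example_dashboard.php?p=1&o=update HTTP/1.1" 200 4080
EOF

echo "Flagged $(count_flagged "$SAMPLE_LOG") of $(wc -l < "$SAMPLE_LOG") sample requests:"
while IFS= read -r line; do flag_line "$line" || true; done < "$SAMPLE_LOG"
```

Scoping the rule to the user-management path is what keeps the fourth sample line, an ordinary page whose parameter is the word "update", from tripping it; percent-decoding is needed because keywords in a posted query string normally arrive as `%20`-separated tokens. Keyword matching remains evadable by other encodings and comment tricks, so treat hits as triage leads to correlate with the database-side indicators rather than as proof of exploitation.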