CVE-2024-53923
📋 TL;DR
This vulnerability allows authenticated users with high privileges in Centreon Web to perform SQL injection via the media upload form. Attackers could execute arbitrary SQL commands, potentially compromising the database. Affected versions include Centreon Web 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, and 23.04.x before 23.04.24.
💻 Affected Systems
- Centreon Web
📦 What is this software?
Centreon Web by Centreon
Centreon Web by Centreon
Centreon Web by Centreon
Centreon Web by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, privilege escalation, or remote code execution on the underlying server.
Likely Case
Unauthorized data access, extraction of sensitive information, or database manipulation by authenticated malicious insiders.
If Mitigated
Limited impact if proper privilege separation and input validation are enforced, though SQL injection remains a serious threat.
🎯 Exploit Status
Exploitation requires authenticated access with high privileges, but SQL injection techniques are well-documented and easy to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.10.3, 24.04.9, 23.10.19, 23.04.24
Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-53923-centreon-web-critical-severity-4265
Restart Required: Yes
Instructions:
1. Backup your Centreon installation and database. 2. Update Centreon Web to the patched version via the official release channels. 3. Restart the Centreon services to apply changes. 4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Privileged Access
allTemporarily limit or audit access for users with high privileges to reduce attack surface.
Input Validation at WAF
allImplement web application firewall rules to block SQL injection patterns in media upload requests.
🧯 If You Can't Patch
- Implement strict access controls to limit high-privilege users and monitor their activities.
- Deploy a WAF with SQL injection detection and blocking rules for the media upload endpoint.
🔍 How to Verify
Check if Vulnerable:
Check the Centreon Web version via the web interface or by examining the installation files. If version matches affected ranges, it is vulnerable.Check Version:
grep 'version' /usr/share/centreon/www/install/install.php or check via Centreon web UI under 'Administration > Parameters > Centreon'Verify Fix Applied:
Confirm the Centreon Web version is updated to 24.10.3, 24.04.9, 23.10.19, or 23.04.24 or later.📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Failed login attempts followed by media upload activities
- Errors in Centreon application logs related to media uploads
Network Indicators:
- HTTP POST requests to media upload endpoints with SQL-like payloads
- Abnormal database traffic from the Centreon server
SIEM Query:
source="centreon_logs" AND (event="media_upload" AND payload CONTAINS "SELECT" OR "UNION" OR "INSERT" OR "DELETE")