CVE-2024-5725
📋 TL;DR
This SQL injection vulnerability in Centreon's initCurveList function allows authenticated remote attackers to execute arbitrary SQL commands, potentially leading to remote code execution as the apache user. Any Centreon installation is affected, but exploitation requires valid credentials. The vulnerability stems from improper input validation when the SQL query is constructed.
💻 Affected Systems
- Centreon
📦 What is this software?
Centreon Web by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via remote code execution, data exfiltration, lateral movement within network, and persistent backdoor installation.
Likely Case
Database compromise leading to sensitive information disclosure, privilege escalation, and potential RCE if database permissions allow.
If Mitigated
Limited to authenticated users only, reducing attack surface; proper input validation would prevent exploitation entirely.
🎯 Exploit Status
Authentication is required, but the SQL injection to RCE chain is straightforward once an attacker is authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Centreon security bulletin for specific patched versions
Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/security-bulletin-for-centreon-web-3744
Restart Required: Yes
Instructions:
1. Check the current Centreon version.
2. Apply the vendor-provided security patches.
3. Restart Centreon services.
4. Verify that the patch was applied.
🔧 Temporary Workarounds
Input Validation Enhancement (Linux)
Implement additional input validation for the initCurveList function parameters
Web Application Firewall Rules (all platforms)
Deploy WAF rules to block SQL injection patterns targeting Centreon endpoints
🧯 If You Can't Patch
- Restrict network access to Centreon web interface to trusted IPs only
- Implement strong authentication controls and monitor for suspicious login attempts
🔍 How to Verify
Check if Vulnerable:
Check Centreon version against vendor advisory; test for SQL injection in initCurveList function with authenticated session
Check Version:
Check Centreon web interface version or consult installation documentation
Verify Fix Applied:
Verify Centreon version is updated to patched version; test SQL injection attempts no longer succeed
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed authentication attempts followed by SQL errors
- Apache error logs showing SQL syntax errors
Network Indicators:
- Unusual outbound connections from Centreon server
- SQL injection patterns in HTTP requests to Centreon endpoints
SIEM Query:
source="centreon_logs" AND (message="*SQL*" OR message="*injection*" OR message="*syntax*")
(Splunk-style search. The wildcards are required: a bare message="SQL" only matches entries whose entire message field is the word "SQL", so the original form would miss real error lines. Tune the substring list to cut noise from routine database activity.)
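As an added defender-side example (not from the advisory or from the Centreon project), the script below correlates two of the indicators listed above: SQL injection patterns in HTTP requests to Centreon endpoints and SQL syntax errors in the Apache error log. It assumes Centreon Web is served under /centreon/, that Apache writes combined-format access logs, and that PHP/PDO errors land in the Apache error log with a "[client ip:port]" field; the endpoint /centreon/page.php in the sample data is a placeholder, and all log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumptions (not stated in the advisory): Centreon Web is served under
# /centreon/, Apache writes combined-format access logs, and PHP/PDO errors
# land in the Apache error log with a "[client ip:port]" field.
CENTREON_PREFIX = "/centreon/"
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ERROR_CLIENT_RE = re.compile(r"\[client (?P<ip>[^:\]]+)")
# Generic SQL injection tokens, matched against the URL-decoded query string.
SQLI_TOKENS = re.compile(r"(?i)(\bunion\s+select\b|\bor\s+\d+\s*=\s*\d+|'\s*(or|and)\b|--|/\*|\b(sleep|benchmark)\s*\()")
SQL_ERROR_RE = re.compile(r"(?i)(SQL syntax|SQLSTATE\[|PDOException)")


def suspicious_request(line):
    """Return (ip, path) when a Centreon request's query string carries SQLi tokens, else None."""
    m = ACCESS_RE.match(line)
    if not m or not m.group("path").startswith(CENTREON_PREFIX):
        return None
    path, _, query = m.group("path").partition("?")
    return (m.group("ip"), path) if SQLI_TOKENS.search(unquote_plus(query)) else None


def sql_error_client(line):
    """Return the client IP of an Apache error-log line that reports a SQL error, else None."""
    if not SQL_ERROR_RE.search(line):
        return None
    m = ERROR_CLIENT_RE.search(line)
    return m.group("ip") if m else None


def correlate(access_lines, error_lines):
    """Source IPs that both sent SQLi-looking Centreon requests and triggered SQL errors."""
    injectors = {hit[0] for hit in map(suspicious_request, access_lines) if hit}
    erroring = {ip for ip in map(sql_error_client, error_lines) if ip}
    return sorted(injectors & erroring)


# Constructed sample lines (not real traffic); /centreon/page.php is a placeholder endpoint.
SAMPLE_ACCESS = [
    '203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /centreon/page.php?id=12 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "GET /centreon/page.php?id=12%27%20OR%201%3D1-- HTTP/1.1" 500 0',
    '198.51.100.4 - - [10/Jun/2024:12:00:05 +0000] "GET /other/app?q=%27%20OR%201%3D1 HTTP/1.1" 404 0',
    '192.0.2.9 - - [10/Jun/2024:12:00:07 +0000] "GET /centreon/page.php?name=O%27Brien HTTP/1.1" 200 310',
]
SAMPLE_ERROR = [
    "[Mon Jun 10 12:00:02.123456 2024] [php:error] [pid 1234] [client 203.0.113.7:51234] PHP Fatal error:  Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax",
    "[Mon Jun 10 12:00:03.000000 2024] [core:notice] [pid 1] AH00094: Command line: '/usr/sbin/apache2'",
]

if __name__ == "__main__":
    print("correlated SQLi sources:", correlate(SAMPLE_ACCESS, SAMPLE_ERROR))
```

Requests outside /centreon/ and legitimate apostrophes (the O'Brien line) are not flagged, and an alert only fires when the same source IP appears in both logs, which keeps the noise well below the substring search above.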