Command Injection in Centreon - CVE-2019-13024
Published: July 1, 2019 / Updated: June 17, 2021
Vulnerability identifier: #VU35769
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2019-13024
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Centreon
Affected software:
Centreon
Centreon
Detailed vulnerability description
The vulnerability allows a remote authenticated user to execute arbitrary code.
Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands).
How to mitigate CVE-2019-13024
Install update from vendor's website.
Sources
- http://packetstormsecurity.com/files/153504/Centreon-19.04-Remote-Code-Execution.html
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.6.html
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04/centreon-19.04.3.html
- https://gist.github.com/mhaskar/c4255f6cf45b19b8a852c780f50576da
- https://github.com/centreon/centreon/pull/7694
- https://shells.systems/centreon-v19-04-remote-code-execution-cve-2019-13024/