Vulnerability identifier: #VU35769

Vulnerability risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-13024

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Centreon
Web applications / Remote management & hosting panels

Vendor: Centreon

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands).

Mitigation
Install update from vendor's website.

Vulnerable software versions

Centreon: 19.04.0

---

External links
http://packetstormsecurity.com/files/153504/Centreon-19.04-Remote-Code-Execution.html
http://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.6.html
http://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04/centreon-19.04.3.html
http://gist.github.com/mhaskar/c4255f6cf45b19b8a852c780f50576da
http://github.com/centreon/centreon/pull/7694
http://shells.systems/centreon-v19-04-remote-code-execution-cve-2019-13024/

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.