#VU35769 Command Injection in Centreon - CVE-2019-13024
Published: July 1, 2019 / Updated: June 17, 2021
Vulnerability identifier: #VU35769
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2019-13024
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Centreon
Centreon
Software vendor:
Centreon
Centreon
Description
The vulnerability allows a remote authenticated user to execute arbitrary code.
Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands).
Remediation
Install update from vendor's website.
External links
- http://packetstormsecurity.com/files/153504/Centreon-19.04-Remote-Code-Execution.html
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.6.html
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04/centreon-19.04.3.html
- https://gist.github.com/mhaskar/c4255f6cf45b19b8a852c780f50576da
- https://github.com/centreon/centreon/pull/7694
- https://shells.systems/centreon-v19-04-remote-code-execution-cve-2019-13024/