Centreon SQL Injection Vulnerability

December 9, 2022

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Centreon is a network, system and application monitoring tool. Centreon is the only AIOps Platform Providing Holistic Visibility to Complex IT Workflows from Cloud to Edge.

  A SQL Injection vulnerability has been reported in the Centreon Web Poller Resource module. The vulnerability is due to insufficient input validation.

  A remote, authenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the server. A successful attack may result in arbitrary SQL command execution against the database on the target server.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-41142.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 7.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  An SQL injection vulnerability exists in Centreon Web due to insufficient validation of the resource_activate request parameter when adding a new poller resource. An HTTP POST request is sent to /centreon/main.get.php with the parameter p set to "60904". main.get.php then loads the script www/include/configuration/configResources/resources.php, which reads the value of parameter o.

  When adding poller resources, parameter o is set to "a", and resources.php loads the script www/include/configuration/configResources/formResources.php. formResources.php reads the submitA request parameter and, if it is present, calls the function insertResourceInDB() in the script www/include/configuration/configResources/DBFunc.php.

  insertResourceInDB() calls insertResource() in the same script; insertResource() then assembles an SQL query from the request parameters and executes it. insertResource() sanitizes some of the request parameters but fails to sanitize resource_activate. See "Attack Delivery" below for an example of the HTTP POST request that injects an SQL statement against the Centreon database.

Triggering the Problem:

  • The target must have the vulnerable software installed.
  • The attacker must have network connectivity to the target server.
  • The attacker must have access to the Configuration > Pollers > Resources page.

Triggering Conditions:

  The attacker authenticates to the server and receives a valid token. Next, the attacker sends an HTTP request with a malicious resource_activate[resource_activate] parameter. The vulnerability is triggered when the server processes the request.
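
  The check below is an added example, not SonicWall's signature or Centreon's code: it flags POST requests to the poller resources page whose resource_activate[resource_activate] value falls outside an allow-list. The allow-list of "0" and "1", the function names and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Request shape as described in the advisory text.
TARGET_PATH = "/centreon/main.get.php"
PAGE_ID = "60904"  # value of parameter p for the poller resources page
FIELD = "resource_activate[resource_activate]"
# Assumption: the field is an enabled/disabled flag, so only these are legitimate.
ALLOWED = {"0", "1"}


def merged_params(query, body):
    """Decode query string and form body into one name -> [values] map."""
    # parse_qs percent-decodes names too, so an encoded field name
    # (resource_activate%5Bresource_activate%5D) cannot slip past the check.
    merged = {}
    for source in (query, body):
        for name, values in parse_qs(source, keep_blank_values=True).items():
            merged.setdefault(name, []).extend(values)
    return merged


def check_request(method, path, query, body):
    """Return every out-of-allow-list value of FIELD (empty list = clean)."""
    if method.upper() != "POST" or path != TARGET_PATH:
        return []
    params = merged_params(query, body)
    if PAGE_ID not in params.get("p", []):
        return []
    # Inspect every duplicate of the field, not only the one the server would use.
    return [value for value in params.get(FIELD, []) if value not in ALLOWED]


# Constructed sample requests: (method, path, query string, form body).
SAMPLES = [
    ("POST", TARGET_PATH, "p=60904",
     "o=a&submitA=Save&resource_activate%5Bresource_activate%5D=1"),
    ("POST", TARGET_PATH, "p=60904",
     "o=a&submitA=Save&resource_activate%5Bresource_activate%5D=1%27+--+constructed"),
    ("POST", TARGET_PATH, "",
     "p=60904&o=a&resource_activate[resource_activate]=1"
     "&resource_activate[resource_activate]=2x"),
    ("POST", TARGET_PATH, "p=60901",  # constructed: a different page id
     "o=a&resource_activate%5Bresource_activate%5D=2x"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[3][:40], "->", check_request(*sample) or "ok")
```

  The same allow-list test can run in a reverse proxy or over web server logs that record POST bodies; a non-empty result on this page is worth investigating because legitimate form submissions have no reason to send any other value.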

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 4098 Web Application SQL Injection (CREATE TABLE) 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signature above.
  The vendor has released the following patch regarding this vulnerability:
  Vendor Advisory