CVE-2015-1561 in Centreon
Summary
by MITRE
The escape_command function in include/Administration/corePerformance/getStats.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ns_id parameter.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/13/2025
The vulnerability identified as CVE-2015-1561 affects Centreon version 2.5.4 and earlier, specifically within the Administration/corePerformance/getStats.php component. This issue represents a critical command injection flaw that stems from improper input validation in the escape_command function. The vulnerability arises when authenticated users exploit a flaw in the regular expression pattern used to sanitize user-supplied input, particularly targeting the ns_id parameter. The incorrect regex implementation fails to properly neutralize shell metacharacters, creating an avenue for malicious command execution.
This vulnerability operates under the Common Weakness Enumeration category CWE-78, which specifically addresses improper neutralization of special elements used in operating system commands. The flaw allows authenticated attackers to inject arbitrary shell commands through the ns_id parameter, effectively bypassing intended security controls. The attack requires only authentication privileges within the Centreon system, making it particularly dangerous as it can be exploited by users with legitimate access rights. The technical implementation relies on the flawed regular expression pattern that inadequately handles special shell characters such as semicolons, pipes, and backticks that could trigger command execution.
The operational impact of this vulnerability extends beyond simple privilege escalation, as it enables full system compromise by allowing attackers to execute arbitrary commands with the privileges of the web application user. This creates a significant risk for network monitoring and management systems, where Centreon typically runs with elevated permissions to access network infrastructure data. Attackers could potentially gain access to sensitive network information, modify monitoring configurations, or even pivot to other systems within the network infrastructure. The vulnerability affects the core performance monitoring functionality, which is fundamental to network operations and security monitoring.
Mitigation strategies for CVE-2015-1561 should focus on immediate patching of the Centreon application to version 2.5.5 or later, which contains the corrected escape_command function with proper regular expression handling. Organizations should implement network segmentation and access controls to limit authentication privileges for Centreon users, reducing the potential impact of successful exploitation. Input validation should be strengthened through proper sanitization techniques that do not rely solely on regular expressions for command injection prevention. Additionally, monitoring for suspicious command execution patterns and implementing web application firewalls can provide defense-in-depth measures against exploitation attempts. The vulnerability also aligns with ATT&CK technique T1059.001 for command and script injection, highlighting the need for comprehensive security controls across multiple defensive layers.