CVE-2021-37558 in Centreon
Summary
by MITRE • 08/03/2021
A SQL injection vulnerability in a MediaWiki script in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote unauthenticated attackers to execute arbitrary SQL commands via the host_name and service_description parameters. The vulnerability can be exploited only when a valid Knowledge Base URL is configured on the Knowledge Base configuration page and points to a MediaWiki instance. This relates to the proxy feature in class/centreon-knowledge/ProceduresProxy.class.php and include/configuration/configKnowledge/proxy/proxy.php.
Analysis
by VulDB Data Team • 08/07/2021
This vulnerability is a critical SQL injection flaw in Centreon's Knowledge Base functionality that lets remote, unauthenticated attackers execute arbitrary database commands. It resides in the proxy implementation that connects to external MediaWiki instances and affects versions prior to 20.04.14, 20.10.8, and 21.04.2. It is reachable only when a valid Knowledge Base URL is configured to point to a MediaWiki instance; in that case the host_name and service_description parameters processed by the proxy feature become the injection vector.
The underlying flaw is improper sanitization of user-supplied input in ProceduresProxy.class.php and the proxy.php include file. When the Knowledge Base configuration points to a MediaWiki instance, Centreon uses a proxy mechanism to fetch and display content from that external source. The host_name and service_description parameters are incorporated directly into SQL queries without adequate input validation or parameterization, a classic SQL injection vector classified as CWE-89 (untrusted data used in an SQL command without proper neutralization).
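As an added illustration (not Centreon's own code, and not the actual contents of ProceduresProxy.class.php or proxy.php), the following PHP contrasts the concatenation pattern the advisory describes with a parameterized query. The table and column names are assumed, and the in-memory SQLite rows are constructed for the demo.

```php
<?php
// Added example, not Centreon's code. Table "procedures" and column "kb_url" are assumed.
declare(strict_types=1);

// Vulnerable pattern (CWE-89): the request parameters are concatenated into the SQL text,
// so a quote character in either value changes the structure of the query.
function lookupProcedureUnsafe(PDO $db, string $hostName, string $serviceDescription): ?string
{
    $sql = "SELECT kb_url FROM procedures WHERE host_name = '$hostName'"
         . " AND service_description = '$serviceDescription'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['kb_url'];
}

// Hardened form: a prepared statement with bound parameters. The values travel as data
// and cannot alter the query structure. (On MySQL also set PDO::ATTR_EMULATE_PREPARES
// to false so the driver uses real server-side prepares.)
function lookupProcedureSafe(PDO $db, string $hostName, string $serviceDescription): ?string
{
    $stmt = $db->prepare(
        'SELECT kb_url FROM procedures WHERE host_name = :host AND service_description = :svc'
    );
    $stmt->execute([':host' => $hostName, ':svc' => $serviceDescription]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['kb_url'];
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE procedures (host_name TEXT, service_description TEXT, kb_url TEXT)');
$db->exec("INSERT INTO procedures VALUES ('web01', 'HTTP', 'https://wiki.example.test/web01_HTTP')");

// A host name containing a single quote, as a client could send in the host_name parameter.
$probe = "web01'";

// The safe version treats the quote as part of the data: the real host is found,
// the probe matches nothing.
var_dump(lookupProcedureSafe($db, 'web01', 'HTTP'));
var_dump(lookupProcedureSafe($db, $probe, 'HTTP'));

// The unsafe version lets the same quote break the SQL: the database rejects the query,
// the symptom that shows the input reached the parser as code rather than data.
try {
    lookupProcedureUnsafe($db, $probe, 'HTTP');
} catch (PDOException $e) {
    echo 'unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}
```

A database error surfacing on a quote in a request parameter is exactly the signal a code review or a web application test should flag for the proxy endpoints named above.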
The operational impact is significant: attackers can perform unauthorized database operations including data extraction, modification, or deletion. Because no valid credentials are required, adversaries can exploit the weakness from anywhere on the internet that can reach the web interface, which makes it particularly dangerous for networked systems. Attackers could extract sensitive configuration data or user credentials stored in the database, or manipulate knowledge base content for malicious purposes. The attack surface is limited to systems where the Knowledge Base feature is configured with a valid MediaWiki URL, but this configuration is common in enterprise monitoring environments with centralized knowledge management.
Organizations should immediately update to Centreon 20.04.14, 20.10.8, or 21.04.2, the releases that contain the fix. In the interim, administrators should disable the Knowledge Base feature if it is not actively required, or ensure that any configured MediaWiki URL points only to trusted and secure instances. Network segmentation and firewall rules should restrict access to the affected components, and monitoring for unusual database queries or unauthorized access attempts should be enhanced to detect exploitation. The vulnerability illustrates the importance of input validation in proxy implementations and maps to ATT&CK technique T1190 (Exploit Public-Facing Application), which covers exploitation of an internet-facing application through flaws such as injection. It also represents a configuration management issue that can be mitigated through proper security hardening and regular vulnerability assessments of third-party integrations.