<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Multiple vulnerabilities in Centreon-Web and Centreon-VM
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Guillaume Quéré <guillaume () quere eu>
Date: Wed, 9 Oct 2019 07:53:36 +0200 (CEST)
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hello,
My advisory posted yesterday contains a problematic typo: CVE-2019-17017 should have been written CVE-2019-17107. Sorry
for the inconvenience it may have caused.
Here is the corrected context:
High impact
===========
CVE-2019-17107: Authenticated RCE in minPlayCommand.php
-------------------------------------------------------
Details: https://github.com/centreon/centreon/pull/7099
Fixed in 2.8.27 (https://github.com/centreon/centreon/pull/7245)
Fixed in 18.10.4 (https://github.com/centreon/centreon/pull/7232)
Original advisory follows.
Guillaume Quéré
Centreon
========
"Centreon is the N°1 Open Source IT Infrastructure Monitoring Solution."
Multiple vulnerabilities were discovered in Centreon-Web in December 2018 and fixed in early 2019 over the course of
two minor releases on both branches in versions 2.8.27/2.8.28 and 18.10.4/18.10.5.
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.27.html
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.28.html
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.4.html
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.5.html
Additional vulnerabilities were found in Centreon-VM that have not yet been fixed.
High impact
===========
CVE-2019-17017: Authenticated RCE in minPlayCommand.php
-------------------------------------------------------
Details: https://github.com/centreon/centreon/pull/7099
Fixed in 2.8.27 (https://github.com/centreon/centreon/pull/7245)
Fixed in 18.10.4 (https://github.com/centreon/centreon/pull/7232)
CVE-2018-21023: Authenticated RCE in getStats.php
-------------------------------------------------
Details: https://github.com/centreon/centreon/pull/7083
Fixed in 2.8.28 (https://github.com/centreon/centreon/pull/7271)
Fixed in 18.10.5 (https://github.com/centreon/centreon/pull/7195)
CVE-2018-21024: Arbitrary File Upload in licenseUpload.php
----------------------------------------------------------
Details: https://github.com/centreon/centreon/pull/7085
Did not affect branch 2.8.x
Fixed in 18.10.4 (https://github.com/centreon/centreon/pull/7171)
CVE-2018-21021: Authenticated SQL injection in img_gantt.php
------------------------------------------------------------
Details: https://github.com/centreon/centreon/pull/7086
Fixed in 2.8.27 (https://github.com/centreon/centreon/pull/7169)
Fixed in 18.10.4 (https://github.com/centreon/centreon/pull/7086)
CVE-2018-21022: Authenticated SQL injection in makeXML_ListServices.php
-----------------------------------------------------------------------
Details: https://github.com/centreon/centreon/pull/7087
Fixed in 2.8.28 (https://github.com/centreon/centreon/pull/7229)
Fixed in 18.10.4 (https://github.com/centreon/centreon/pull/7229)
CVE-2019-17108: Stored XSS in brokerPerformance.php
---------------------------------------------------
Details: https://github.com/centreon/centreon/pull/7101
Fixed in 2.8.28 (https://github.com/centreon/centreon/pull/7226)
Fixed in 18.10.5 (https://github.com/centreon/centreon/pull/7227)
Medium impact
=============
CVE-2018-21025: Privilege Escalation in Centreon-VM
---------------------------------------------------
Details: https://github.com/centreon/centreon/issues/7082
Not yet fixed.
While checking if this was still possible in centreon-vm-19.04-2 (it is), I found another similar privesc which
didn't exist at the time:
```
[root@centreon-central ~]# grep centreon_autodisco /etc/cron.d/centreon-auto-disco
30 22 * * * root /usr/share/centreon/www/modules/centreon-autodiscovery-server//cron/centreon_autodisco --config='/etc/centreon/conf.pm' --config-extra='/etc/centreon/centreon_autodisco.pm' --severity=error >> /var/log/centreon/centreon_auto_discovery.log 2>&1
[root@centreon-central ~]# ls -la /usr/share/centreon/www/modules/centreon-autodiscovery-server//cron/centreon_autodisco
-rwxr-xr-x 1 apache apache 4995482 24 avril 13:48 /usr/share/centreon/www/modules/centreon-autodiscovery-server//cron/centreon_autodisco
```
CVE-2019-17104: Unsecured cookies in Centreon-VM
------------------------------------------------
Details: https://github.com/centreon/centreon/issues/7097
Not yet fixed.
CVE-2019-17106: Display of cleartext external passwords in modules
------------------------------------------------------------------
Details: https://github.com/centreon/centreon/issues/7098
Not yet fixed.
Low impact
==========
CVE-2018-21020: Type juggling on authentication in centreonAuth.class.php
-------------------------------------------------------------------------
Details: https://github.com/centreon/centreon/pull/7084
Fixed in 2.8.28 (https://github.com/centreon/centreon/pull/7084)
Fixed in 18.10.5 (https://github.com/centreon/centreon/pull/7219)
CVE-2019-17105: Usage of a predictable generator for a security token in index.php
----------------------------------------------------------------------------------
Details: https://github.com/centreon/centreon/pull/7100
Not fixed in 2.8.x (https://github.com/centreon/centreon/pull/7224)
Fixed in 18.10.5 (commit 4faf5919f89bd06a5c25152c39ba3f25a4f16a81)
Acknowledgements
================
Thanks to Centreon for their quick and enthusiastic response as well as their commitment to patching.
Guillaume Quéré
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
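A defensive audit for the pattern shown in the terminal output above (a root cron job executing a file owned by `apache`), as an added example that is not part of the original advisory or of Centreon's code: it parses `/etc/cron.d`-style lines and flags root jobs whose executable, or any parent directory, is owned or writable by a non-root account. The function names and the sample crontab are constructed for illustration, and group `root` is assumed to be trusted.

```python
import os
import shlex
import stat

# Constructed sample built around the cron entry quoted in the advisory.
SAMPLE_CRON = """\
MAILTO=root
30 22 * * * root /usr/share/centreon/www/modules/centreon-autodiscovery-server//cron/centreon_autodisco --config='/etc/centreon/conf.pm' --config-extra='/etc/centreon/centreon_autodisco.pm' --severity=error >> /var/log/centreon/centreon_auto_discovery.log 2>&1
*/5 * * * * centreon /usr/bin/true
"""

def parse_cron_d_line(line):
    """Return (user, executable) for a cron.d job line, else None."""
    fields = line.split()
    if not fields or fields[0].startswith("#") or "=" in fields[0]:
        return None                                # blank, comment or VAR=value
    skip = 1 if fields[0].startswith("@") else 5   # @daily etc. vs five time fields
    if len(fields) < skip + 2:
        return None
    command = line.split(None, skip + 1)[skip + 1]
    return fields[skip], os.path.normpath(shlex.split(command)[0])

def ownership_risk(st):
    """Reasons a path lets a non-root account change what root executes."""
    sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
    checks = [
        (st.st_uid != 0, "owned by uid %d" % st.st_uid),
        (st.st_mode & stat.S_IWGRP and st.st_gid != 0, "group-writable"),
        (st.st_mode & stat.S_IWOTH and not sticky_dir, "world-writable"),
    ]
    return [reason for hit, reason in checks if hit]

def audit_root_jobs(cron_text, stat_fn=os.stat):
    """Return [(path, reasons)] for root jobs; checks the executable and every parent directory."""
    findings = []
    for user, path in filter(None, map(parse_cron_d_line, cron_text.splitlines())):
        chain = []
        # Commands resolved through PATH (relative names) are not followed.
        while user == "root" and os.path.isabs(path) and path not in chain:
            chain.append(path)
            path = os.path.dirname(path)
        for p in chain:
            try:
                reasons = ownership_risk(stat_fn(p))
            except OSError:
                reasons = ["missing or unreadable"]
            if reasons:
                findings.append((p, reasons))
    return findings
```

To audit a live host, pass the contents of each file under `/etc/cron.d/` to `audit_root_jobs` and review every reported path.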
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->