oss-sec mailing list archives
Re: Multiple vulnerabilities in Centreon-Web and Centreon-VM
From: Guillaume Quéré <guillaume () quere eu>
Date: Wed, 9 Oct 2019 07:53:36 +0200 (CEST)
Hello, My advisory posted yesterday contains a problematic typo: CVE-2019-17017 should have been written CVE-2019-17107. Sorry for the inconvenience it may have caused. Here is the corrected context:
High impact =========== CVE-2019-17107: Authenticated RCE in minPlayCommand.php ------------------------------------------------------- Details: https://github.com/centreon/centreon/pull/7099 Fixed in 2.8.27 (https://github.com/centreon/centreon/pull/7245) Fixed in 18.10.4 (https://github.com/centreon/centreon/pull/7232)
Original advisory follows. Guillaume Quéré
Centreon ======== "Centreon is the N°1 Open Source IT Infrastructure Monitoring Solution." Multiple vulnerabilites were discovered in Centreon-Web in december 2018 and fixed in early 2019 over the course of two minor releases on both branches in versions 2.8.27/2.8.28 and 18.10.4/18.10.5. https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.27.html https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.28.html https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.4.html https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.5.html Additional vulnerabilities were found in Centreon-VM that have not yet been fixed. High impact =========== CVE-2019-17017: Authenticated RCE in minPlayCommand.php ------------------------------------------------------- Details: https://github.com/centreon/centreon/pull/7099 Fixed in 2.8.27 (https://github.com/centreon/centreon/pull/7245) Fixed in 18.10.4 (https://github.com/centreon/centreon/pull/7232) CVE-2018-21023: Authenticated RCE in getStats.php ------------------------------------------------- Details: https://github.com/centreon/centreon/pull/7083 Fixed in 2.8.28 (https://github.com/centreon/centreon/pull/7271) Fixed in 18.10.5 (https://github.com/centreon/centreon/pull/7195) CVE-2018-21024: Arbitrary File Upload in licenseUpload.php ---------------------------------------------------------- Details: https://github.com/centreon/centreon/pull/7085 Did not affect branch 2.8.x Fixed in 18.10.4 (https://github.com/centreon/centreon/pull/7171) CVE-2018-21021: Authenticated SQL injection in img_gantt.php ------------------------------------------------------------ Details: https://github.com/centreon/centreon/pull/7086 Fixed in 2.8.27 (https://github.com/centreon/centreon/pull/7169) Fixed in 18.10.4 (https://github.com/centreon/centreon/pull/7086) CVE-2018-21022: Authenticated SQL injection in makeXML_ListServices.php ----------------------------------------------------------------------- Details: https://github.com/centreon/centreon/pull/7087 Fixed in 2.8.28 (https://github.com/centreon/centreon/pull/7229) Fixed in 18.10.4 (https://github.com/centreon/centreon/pull/7229) CVE-2019-17108: Stored XSS in brokerPerformance.php --------------------------------------------------- Details: https://github.com/centreon/centreon/pull/7101 Fixed in 2.8.28 (https://github.com/centreon/centreon/pull/7226) Fixed in 18.10.5 (https://github.com/centreon/centreon/pull/7227) Medium impact ============= CVE-2018-21025: Privilege Escalation in Centreon-VM --------------------------------------------------- Details: https://github.com/centreon/centreon/issues/7082 Not yet fixed. While checking if this was still possible in centreon-vm-19.04-2 (it is), I found another similar privesc which didn't exist at the time: ``` [root@centreon-central ~]# grep centreon_autodisco /etc/cron.d/centreon-auto-disco 30 22 * * * root /usr/share/centreon/www/modules/centreon-autodiscovery-server//cron/centreon_autodisco --config='/etc/centreon/conf.pm' --config-extra='/etc/centreon/centreon_autodisco.pm' --severity=error >> /var/log/centreon/centreon_auto_discovery.log 2>&1 [root@centreon-central ~]# ls -la /usr/share/centreon/www/modules/centreon-autodiscovery-server//cron/centreon_autodisco -rwxr-xr-x 1 apache apache 4995482 24 avril 13:48 /usr/share/centreon/www/modules/centreon-autodiscovery-server//cron/centreon_autodisco ``` CVE-2019-17104: Unsecured cookies in Centreon-VM ------------------------------------------------ Details: https://github.com/centreon/centreon/issues/7097 Not yet fixed. CVE-2019-17106: Display of cleartext external passwords in modules ------------------------------------------------------------------ Details: https://github.com/centreon/centreon/issues/7098 Not yet fixed. Low impact ========== CVE-2018-21020: Type juggling on authentication in centreonAuth.class.php ------------------------------------------------------------------------- Details: https://github.com/centreon/centreon/pull/7084 Fixed in 2.8.28 (https://github.com/centreon/centreon/pull/7084) Fixed in 18.10.5 (https://github.com/centreon/centreon/pull/7219) CVE-2019-17105: Usage of a predictable generator for a security token in index.php ---------------------------------------------------------------------------------- Details: https://github.com/centreon/centreon/pull/7100 Not fixed in 2.8.x (https://github.com/centreon/centreon/pull/7224) Fixed in 18.10.5 (commit 4faf5919f89bd06a5c25152c39ba3f25a4f16a81) Acknowledgements ================ Thanks to Centreon for their quick and enthusiastic response as well as their commitment to patching. Guillaume Quéré
Current thread:
- Multiple vulnerabilities in Centreon-Web and Centreon-VM Guillaume Quéré (Oct 08)
- Re: Multiple vulnerabilities in Centreon-Web and Centreon-VM Guillaume Quéré (Oct 08)