Re: Multiple vulnerabilities in Centreon-Web and Centreon-VM

[Guillaume Quéré <guillaume () quere eu>]

Hello,

My advisory posted yesterday contains a problematic typo: CVE-2019-17017 should have been written CVE-2019-17107. Sorry 
for the inconvenience it may have caused.

Here is the corrected context:
> High impact
> ===========
>
> CVE-2019-17107: Authenticated RCE in minPlayCommand.php
> -------------------------------------------------------
> Details: https://github.com/centreon/centreon/pull/7099
> Fixed in 2.8.27     (https://github.com/centreon/centreon/pull/7245)
> Fixed in 18.10.4    (https://github.com/centreon/centreon/pull/7232)

Original advisory follows.
Guillaume Quéré

> Centreon
> ========
> "Centreon is the N°1 Open Source IT Infrastructure Monitoring Solution."
>
> Multiple vulnerabilites were discovered in Centreon-Web in december 2018 and fixed in early 2019 over the course of 
> two minor releases on both branches in versions 2.8.27/2.8.28 and 18.10.4/18.10.5.
>
> https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.27.html
> https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.28.html
> https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.4.html
> https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.5.html
>
> Additional vulnerabilities were found in Centreon-VM that have not yet been fixed.
>
>
> High impact
> ===========
>
> CVE-2019-17017: Authenticated RCE in minPlayCommand.php
> -------------------------------------------------------
> Details: https://github.com/centreon/centreon/pull/7099
> Fixed in 2.8.27     (https://github.com/centreon/centreon/pull/7245)
> Fixed in 18.10.4    (https://github.com/centreon/centreon/pull/7232)
>
> CVE-2018-21023: Authenticated RCE in getStats.php
> -------------------------------------------------
> Details: https://github.com/centreon/centreon/pull/7083
> Fixed in 2.8.28     (https://github.com/centreon/centreon/pull/7271)
> Fixed in 18.10.5    (https://github.com/centreon/centreon/pull/7195)
>
> CVE-2018-21024: Arbitrary File Upload in licenseUpload.php
> ----------------------------------------------------------
> Details: https://github.com/centreon/centreon/pull/7085
> Did not affect branch 2.8.x
> Fixed in 18.10.4    (https://github.com/centreon/centreon/pull/7171)
>
> CVE-2018-21021: Authenticated SQL injection in img_gantt.php
> ------------------------------------------------------------
> Details: https://github.com/centreon/centreon/pull/7086
> Fixed in 2.8.27     (https://github.com/centreon/centreon/pull/7169)
> Fixed in 18.10.4    (https://github.com/centreon/centreon/pull/7086)
>
> CVE-2018-21022: Authenticated SQL injection in makeXML_ListServices.php
> -----------------------------------------------------------------------
> Details: https://github.com/centreon/centreon/pull/7087
> Fixed in 2.8.28     (https://github.com/centreon/centreon/pull/7229)
> Fixed in 18.10.4    (https://github.com/centreon/centreon/pull/7229)
>
> CVE-2019-17108: Stored XSS in brokerPerformance.php
> ---------------------------------------------------
> Details: https://github.com/centreon/centreon/pull/7101
> Fixed in 2.8.28     (https://github.com/centreon/centreon/pull/7226)
> Fixed in 18.10.5    (https://github.com/centreon/centreon/pull/7227)
>
>
> Medium impact
> =============
> CVE-2018-21025: Privilege Escalation in Centreon-VM
> ---------------------------------------------------
> Details: https://github.com/centreon/centreon/issues/7082
> Not yet fixed.
> While checking if this was still possible in centreon-vm-19.04-2 (it is), I found another similar privesc which 
> didn't exist at the time:
> ```
> [root@centreon-central ~]# grep centreon_autodisco /etc/cron.d/centreon-auto-disco
> 30 22 * * * root /usr/share/centreon/www/modules/centreon-autodiscovery-server//cron/centreon_autodisco 
> --config='/etc/centreon/conf.pm' --config-extra='/etc/centreon/centreon_autodisco.pm' --severity=error >> 
> /var/log/centreon/centreon_auto_discovery.log 2>&1
> [root@centreon-central ~]# ls -la 
> /usr/share/centreon/www/modules/centreon-autodiscovery-server//cron/centreon_autodisco
> -rwxr-xr-x 1 apache apache 4995482 24 avril 13:48 
> /usr/share/centreon/www/modules/centreon-autodiscovery-server//cron/centreon_autodisco
> ```
>
> CVE-2019-17104: Unsecured cookies in Centreon-VM
> ------------------------------------------------
> Details: https://github.com/centreon/centreon/issues/7097
> Not yet fixed.
>
> CVE-2019-17106: Display of cleartext external passwords in modules
> ------------------------------------------------------------------
> Details: https://github.com/centreon/centreon/issues/7098
> Not yet fixed.
>
>
> Low impact
> ==========
> CVE-2018-21020: Type juggling on authentication in centreonAuth.class.php
> -------------------------------------------------------------------------
> Details: https://github.com/centreon/centreon/pull/7084
> Fixed in 2.8.28     (https://github.com/centreon/centreon/pull/7084)
> Fixed in 18.10.5    (https://github.com/centreon/centreon/pull/7219)
>
> CVE-2019-17105: Usage of a predictable generator for a security token in index.php
> ----------------------------------------------------------------------------------
> Details: https://github.com/centreon/centreon/pull/7100
> Not fixed in 2.8.x  (https://github.com/centreon/centreon/pull/7224)
> Fixed in 18.10.5    (commit 4faf5919f89bd06a5c25152c39ba3f25a4f16a81)
>
>
> Acknowledgements
> ================
> Thanks to Centreon for their quick and enthusiastic response as well as their commitment to patching.
>
> Guillaume Quéré