Summary: Centreon has issued a critical security bulletin regarding multiple SQL injection vulnerabilities in its Centreon Web interface, which could severely impact organizations using the platform. The vulnerabilities, with CVSS scores up to 9.1, necessitate immediate action to prevent potential exploitation.
Threat Actor: Unknown | SQL injection attackers
Victim: Centreon users | Centreon
Key Point :
- Multiple SQL injection vulnerabilities identified in Centreon Web, including CVE-2024-32501, CVE-2024-33852, and others.
- All on-premise versions of Centreon Web are vulnerable, with potential for severe consequences if unpatched.
- Centreon has released updates for supported versions to address these vulnerabilities, urging users to upgrade immediately.
Centreon, a widely-used open-source monitoring solution, has issued a critical security bulletin addressing multiple SQL injection vulnerabilities in its Centreon Web interface. These vulnerabilities, identified as CVE-2024-32501, CVE-2024-33852, CVE-2024-33853, CVE-2024-33854, CVE-2024-5725, and CVE-2024-39841, pose a significant risk to organizations relying on Centreon for IT infrastructure monitoring. With CVSS scores as high as 9.1, these flaws could lead to severe consequences if left unpatched.
Centreon Web serves as the central hub for administrators and operators to manage and monitor their IT infrastructure through the Centreon platform. However, the discovery of these SQL injection vulnerabilities has exposed all on-premise versions of Centreon Web to potential exploitation.
- CVE-2024-32501: A SQL injection vulnerability in the updateServiceHost function.
- CVE-2024-33852 (CVSS 9.1): SQL injection in the Downtime component, allowing attackers to manipulate the database and extract sensitive information.
- CVE-2024-33853 (CVSS 9.1): SQL injection in the Timeperiod component, which could be exploited to compromise the database.
- CVE-2024-33854: SQL injection in the Graph Template component, posing a serious threat to data integrity.
- CVE-2024-5725 (CVSS 8.8): SQL injection in the Metric Image component, enabling unauthorized access to the database.
- CVE-2024-39841 (CVSS 8.8): SQL injection via service configuration, potentially allowing attackers to gain control over the Centreon Web system.
While Centreon is not aware of any incidents where these vulnerabilities have been exploited, the potential for exploitation is high, particularly if an instance of Centreon Web is exposed to the internet. The impact of a successful attack could be severe, including unauthorized access to sensitive data, database corruption, or even complete system compromise.
All on-premise versions of Centreon Web are vulnerable to these SQL injection attacks. The vulnerabilities affect the core components of Centreon Web, making it crucial for all users to take immediate action.
Centreon has released updates for all supported versions of Centreon Web to address these critical vulnerabilities. The recommended versions with cumulative fixes include:
- Centreon Web 24.04.3
- Centreon Web 23.10.13
- Centreon Web 23.04.19
- Centreon Web 22.10.23
Users running unsupported versions of Centreon Web are strongly urged to upgrade to version 24.04 to ensure their systems are protected. Centreon Cloud platforms have already been updated with the necessary patches.