Attacker Value
Very High
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
0

CVE-2020-9463

Disclosure Date: February 28, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Centreon 19.10 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the server_ip field in JSON data in an api/internal.php?object=centreon_configuration_remote request.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Low
Technical Analysis

Centreon is an Open Source Centralised IT management solution. When installed in a corporate network it is used to query all other devices. This makes it a high value target for attackers for several reasons:

  • Source of all networked devices and configuration.
  • Could be used to pivot across the network.
  • Use as a staging /beachhead host this is expected to talk to other devices on the network.

There is no indication of an active userbase from the Products website. the official Github repository as no more than a few hundred stars and forks.
A quick shodan search reveals around 40 internet facing applications.

This vulnerability appears to be post exploitation so an attacker would require either valid credentials or the ability to launch a password attack against the target.

The publicly listed blog post https://code610.blogspot.com/2020/02/postauth-rce-in-centreon-1910.html includes steps to reproduce but doesn’t provide a PoC script. That being said it would be trivial with a few lines of python to create a simple PoC Script.
The only tested version was 19.10,

At the time of writing there does not appear to be any official patch and the website is still serving vulnerable versions. Whilst a full review has not been completed a check of the github repo suggests that all versions are potentially vulnerable

General Information

Additional Info

Technical Analysis