SNS Vulnerability

Merethis Centreon Blind SQL Injection and Authenticated Remote Command Execution Vulnerability

Description

Two vulnerabilities have been identified in Merethis Centreon :
- CVE-2015-1560: blind SQL injection in the 'sid' parameter of the "include/common/XmlTree/GetXmlTree.php" script page. A remote attacker can exploit it in order to execute arbitrary SQL commands
- CVE-2015-1561: insufficient validation of parameter "ns_id" by the "escape_command()" function of the "include/Administration/corePerformance/getStats.php" web page. An authenticated attacker can exploit it via shell metacharacters in order to execute arbitrary commands.
Proofs of concept are available.

Vulnerable Products

Vulnerable Software:
Centreon (Merethis) - 1.4, 1.4.1, 1.4.2, 1.4.2.1, 1.4.2.2, ..., 2.3.9, 2.3.9-4, 2.5.2, 2.5.3, 2.5.4

Solution

Merethis has released patches for Centreon that fix these vulnerabilities.

CVE

CVE-2015-1561
CVE-2015-1560

References

- Bugtraq : Merethis Centreon Unauthenticated blind SQLi and Authenticated Remote Command Execution
http://seclists.org/bugtraq/2015/Jul/47

Vulnerability Manager Detection

IPS Protection

ASQ Engine alarm	Available Since
SQL injection Prevention - GET : suspicious OR statement in URL	3.2.0
SQL injection Prevention - GET : suspicious combination of 'OR' or 'AND' statements in URL	3.2.0
SQL injection Prevention - GET : suspicious CREATE statement in URL	3.2.0
SQL injection Prevention - GET : suspicious CAST statement in URL	3.2.0
SQL injection Prevention - GET : suspicious OPENROWSET statement in URL	3.2.0
SQL injection Prevention - GET : suspicious DECLARE statement in URL	3.2.0
SQL injection Prevention - GET : suspicious OPENQUERY statement in URL	3.2.0
SQL injection Prevention - GET : suspicious shutdown statement in URL	3.2.0
SQL injection Prevention - GET : suspicious UNION SELECT statement in URL	3.2.0
SQL injection Prevention - GET : possible database version probing	3.2.0
SQL injection Prevention - GET : suspicious UPDATE SET statement in URL	3.2.0
SQL injection Prevention - GET : suspicious SELECT statement in URL	3.2.0
SQL injection Prevention - GET : suspicious INSERT statement in URL	3.2.0
SQL injection Prevention - GET : suspicious DROP statement in URL	3.2.0
SQL injection Prevention - GET : suspicious EXEC statement in URL	3.2.0
SQL injection Prevention - GET : block comment delimiters in URL	3.2.0
SQL injection Prevention - GET : suspicious SQL statement in header	4.0.0
SQL injection Prevention - GET : Authentication bypass attempt with OR statement	5.0.0
Centreon authenticated remote code execution	5.0.0

Risk level

Moderate

Vulnerability First Public Report Date

2015-07-08

Target Type

Server

Possible exploit

Remote