CVE-2019-16405
published 2019-11-21
Priority P261, high, 7.2 (CVSS 3.1)
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 27.00% (97.8th percentile)
Centreon Web before 2.8.30, 18.10.x before 18.10.8, 19.04.x before 19.04.5 and 19.10.x before 19.10.2 allows Remote Code Execution by an administrator who can modify Macro Expression location settings. CVE-2019-16405 and CVE-2019-17501 are similar to one another and may be the same.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| centreon | centreon | — | — |
| centreon | centreon | >= 0 < 18.10.8 | 18.10.8 |
| centreon | centreon | >= 19.0.0 < 19.04.5 | 19.04.5 |
| centreon | centreon_web | < 2.8.30 | 2.8.30 |
| centreon | centreon_web | >= 18.10.0 < 18.10.8 | 18.10.8 |
| centreon | centreon_web | >= 19.04.0 < 19.04.5 | 19.04.5 |
| centreon | centreon_web | >= 19.10.0 < 19.10.2 | 19.10.2 |
Detection & IOCs (extracted from sources)
- Detect POST requests to main.get.php with query parameter p=60801 and command_line containing /bin/bash, curl, wget, or chmod. This is the exploit's OS command injection vector via the Centreon command preview endpoint.
- Detect POST requests to main.get.php with p=60904 modifying resource_name=$USER1$ and resource_line=/. The exploit resets the Nagios plugin path to root (/) to enable arbitrary binary execution.
- Alert on the centreon_token regex pattern being extracted from login page responses, combined with a subsequent POST to index.php with useralias/password fields. This indicates automated Centreon authentication as part of the exploit chain.
- Monitor for execution of binaries dropped to /tmp/ from the Centreon web process (e.g., apache/www-data spawning /tmp/<random> after chmod 777), indicating successful RCE payload delivery.
- Flag HTTP GET/POST to the Centreon Discovery Commands page (p=60807&type=4) with user-supplied command_line values containing shell metacharacters or binary paths.
- The exploit requires valid credentials (authenticated RCE); detection should account for the full attack chain starting from login, not just the command injection step.
- CVE-2019-16405 and CVE-2019-17501 are assessed as potentially the same vulnerability; detections written for one should be evaluated against both page parameters (p=60807&type=4 and p=60801).
- The Metasploit module defaults SRVPORT to 80 and TARGETURI to /centreon; detections should not assume non-standard ports or paths.
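The request-level rules above can be combined into one pass that also tracks whether a login preceded the hit, as the chain note asks. This is an added example, not code from the sources this page indexes; the record layout (client, method, URL, urlencoded body), the rule names, and the metacharacter and path patterns are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

CMD_TOKENS = ("/bin/bash", "curl", "wget", "chmod")  # tokens listed on the page
SHELL_META = re.compile(r"[;&|`<>]")       # assumed set; "$" omitted, macros use it
BINARY_PATH = re.compile(r"(?:^|\s)/\S+")  # assumed heuristic: absolute path token

def _first(params, key):
    return params.get(key, [""])[0]

def classify(method, url, body=""):
    """Return the names of the detection rules that one HTTP request matches."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True)  # urlencoded POST body
    page = _first(query, "p")
    cmd = _first(form, "command_line") or _first(query, "command_line")
    hits = []
    if method == "POST" and script == "index.php" and "useralias" in form and "password" in form:
        hits.append("login")
    if method == "POST" and script == "main.get.php":
        if page == "60801" and any(token in cmd for token in CMD_TOKENS):
            hits.append("command_preview_injection")
        if page == "60904" and _first(form, "resource_name") == "$USER1$" and _first(form, "resource_line") == "/":
            hits.append("user1_path_reset")
    if page == "60807" and _first(query, "type") == "4" and (SHELL_META.search(cmd) or BINARY_PATH.search(cmd)):
        hits.append("discovery_command_metachar")
    return hits

def correlate(records):
    """Group rule hits by client; note whether a login from that client came first."""
    seen_login, alerts = set(), {}
    for src, method, url, body in records:  # records are assumed time-ordered
        for rule in classify(method, url, body):
            if rule == "login":
                seen_login.add(src)
            else:
                entry = alerts.setdefault(src, {"rules": [], "after_login": src in seen_login})
                entry["rules"].append(rule)
    return alerts

# Constructed sample records: (client, method, URL, urlencoded body).
SAMPLE = [
    ("198.51.100.7", "POST", "/centreon/index.php", "useralias=admin&password=x&centreon_token=abc"),
    ("198.51.100.7", "POST", "/centreon/main.get.php?p=60904", "resource_name=%24USER1%24&resource_line=%2F"),
    ("198.51.100.7", "POST", "/centreon/main.get.php?p=60801", "command_line=wget+--version"),
    ("203.0.113.9", "POST", "/centreon/main.get.php?p=60801", "command_line=check_ping+-H+10.0.0.1"),
]
```

`correlate(SAMPLE)` reports only the first client, with both rule names and `after_login` set; the second client's ordinary command preview produces no alert.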
CVSS provenance
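| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |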
OSV
Improper Input Validation in Centreon Web
osv·2021-07-28
CVE-2019-16405 [HIGH] Improper Input Validation in Centreon Web
Centreon Web 19.04.4 allows Remote Code Execution by an administrator who can modify Macro Expression location settings.
GHSA
Improper Input Validation in Centreon Web
ghsa·2021-07-28
CVE-2019-16405 [HIGH] CWE-20 Improper Input Validation in Centreon Web
Centreon Web 19.04.4 allows Remote Code Execution by an administrator who can modify Macro Expression location settings.
References
- http://packetstormsecurity.com/files/155999/Centreon-19.04-Remote-Code-Execution.html
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10.html
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04.html
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.10.html
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8.html
- https://github.com/TheCyberGeek/CVE-2019-16405.rb
- https://github.com/centreon/centreon/pull/7864
- https://github.com/centreon/centreon/pull/7884
- https://thecybergeek.co.uk/cves/2019/09/17/CVE-2019-16405-06.html
- https://thecybergeek.co.uk/cves/2019/09/19/CVEs.html
Published: 2019-11-21