Miggo Logo

CVE-2018-21025: Centreon Privilege Escalation

9.8

CVSS Score
3.1

Basic Information

EPSS Score
0.44566%
Published
5/24/2022
Updated
10/5/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
centreon/centreoncomposer<= 19.04.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from centreon-backup.pl's insecure handling of configuration values. The script uses $centreon_config->{CentreonDir} from the world-writable conf.pm file to construct paths for executing centreon-backup-mysql.sh. Since the configuration file is group-writable and apache is part of the centreon group, attackers can modify CentreonDir to point to a malicious script. The cron job executes centreon-backup.pl as root, leading to privilege escalation. While no specific named functions are mentioned in disclosures, the main script execution flow that parses the insecure configuration and executes external commands is clearly implicated.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In **ntr*on VM t*rou** **.**.*, **ntr*on-***kup.pl *llows *tt**k*rs to ***om* root vi* * *r**t** s*ript, *u* to in*orr**t ri**ts o* sour*** *on*i*ur*tion *il*s.

Reasoning

T** vuln*r**ility st*ms *rom `**ntr*on-***kup.pl`'s ins**ur* **n*lin* o* *on*i*ur*tion v*lu*s. T** s*ript us*s `$**ntr*on_*on*i*->{**ntr*on*ir}` *rom t** worl*-writ**l* `*on*.pm` *il* to *onstru*t p*t*s *or *x**utin* `**ntr*on-***kup-mysql.s*`. Sin**