The security fixes are currently not available.
Independent security researchers have found that the popular free Centreon monitoring system was vulnerable to hacker attacks over the past few years.
Since 2008, versions 2.0 through 2.5.2 inclusive are two holes that allow, among other things, to execute arbitrary code on the target system. In this case, for a successful attack will not have to go through the authentication process.
One of the flaws (CVE-2014-3828) provides an opportunity to carry out the substitution of SQL-queries by transferring certain POST-requests to those scenarios that are available publicly.
The second vulnerability (CVE-2014-3829) allows you to remotely execute arbitrary code on the target system, but for this it is necessary that the authenticated user used the Centreon web-interface. In addition, for compromise of the system attackers should to direct to the script displayServiceStatus.php specially crafted request.
At the moment, the developers have not yet released a security patch for these vulnerabilities.
# Multiple unauthenticated SQL injections and unauthenticated remote
command injection in Centreon <= 2.5.2 and Centreon Enterprise Server <=
2.2|3.0
#
# Product link: http://www.centreon.com/
# CVE references
# |- CVE-2014-3828: Unauthenticated SQL injections
# |- CVE-2014-3829: Unauthenticated remote command injection
# CERT/CC reference: VU#298796
# Author: MaZ >>> See more at: http://seclists.org/fulldisclosure/2014/Oct/78
command injection in Centreon <= 2.5.2 and Centreon Enterprise Server <=
2.2|3.0
#
# Product link: http://www.centreon.com/
# CVE references
# |- CVE-2014-3828: Unauthenticated SQL injections
# |- CVE-2014-3829: Unauthenticated remote command injection
# CERT/CC reference: VU#298796
# Author: MaZ >>> See more at: http://seclists.org/fulldisclosure/2014/Oct/78
No comments:
Post a Comment