Critical vulnerability discovered in MISP
MISP is an Open Source Threat Intelligence Platform meant for sharing security-related information between various organizations. MISP is supported financially and in terms of resources by Computer Incident Response Center Luxembourg – CIRCL.
CIRCL is an organization that provides a reliable and trusted point of contact for any users, companies, and organizations based in Luxembourg, for the handling of attacks and incidents.
MISP is a very mature platform that has been developed for over 10 years. Its main developers at CIRCL are highly experienced in secure coding. They deal with cyber threats constantly and develop MISP to the highest security standards. MISP includes many security mechanisms that make potential vulnerabilities harder to exploit, such as request blackholing, a Content Security Policy, and more.
Additionally, MISP is built on the CakePHP framework, which is designed around a security-by-default concept.
Over 460 people have contributed to the MISP project, which is used by organizations such as NATO, CiviCERT, Cyber Security Sharing & Analytics (CSSA), and FIRST.
MISP is a large platform supported by hundreds of contributors. Its source code is updated every few days and a new version is released roughly once per month on average. This frequency of change increases the chance of introducing a new vulnerability. The attack surface is already large due to the size of the MISP platform, and it is still growing.
Moreover, MISP is used by more than 600 organizations worldwide, which makes it a valuable target for attackers. Because MISP is used by large organizations such as NATO and national CERTs, it has to withstand nation-state-level attacks by highly motivated threat actors.
A threat actor who identifies a suitable vulnerability could pursue several dangerous scenarios, such as:
- Harming users or organizations that use MISP
- Compromising the integrity of the data within a particular MISP instance
- Accessing internal network assets of organizations that maintain MISP instances
- Exfiltrating confidential information as an unprivileged user
- Spoofing users of the platform
We have already reported multiple MISP vulnerabilities to CIRCL, and the process is usually similar:
- We set up the environment. Since MISP is Open Source, such projects rarely require any action from the customer.
- We tested MISP to discover vulnerabilities that could harm users or organizations running the platform.
- After discovery, vulnerabilities were reported to CIRCL with a description and a Proof of Concept, such as URLs and screenshots of the exploitation.
- CIRCL patched the identified vulnerabilities. In this case, one vulnerability was very severe, with a score of 9.9 out of 10. For that reason, CIRCL decided to release a silent patch and inform organizations about the vulnerability, so that they were aware of the potential impact and could take proactive actions such as urgent updates, deployment of protective signatures, or other measures.
- The descriptions of the vulnerabilities were disclosed a few weeks after the new version with the patched vulnerabilities was released.
There are many ways of discovering vulnerabilities in web applications of this kind. We chose the few that offered the best chance of finding vulnerabilities:
- Grey-box penetration test – this approach is usually the best for internal web applications, or for applications where the vast majority of functionality is available only to authenticated users. Since the platform is accessible only to authenticated users, we chose this as the main method.
- Automated source code scan – this method produces findings very quickly, but it usually yields a large number of false positives, i.e. places in the code incorrectly flagged as vulnerabilities. We chose this method as a quick way of discovering low-hanging fruit.
- Manual source code review – we always follow a source code scan with a manual source code review to remove false positives.
- Past vulnerabilities – looking for security issues similar to publicly known vulnerabilities in older versions of MISP was selected as one of the approaches because of the large attack surface. A large attack surface increases the probability of introducing a vulnerability, despite the highly skilled and security-aware MISP development team.
Potential impacts: stealing sensitive information, unauthorized modification of data, disrupting access to the platform.
During the security testing, we discovered two vulnerabilities, one of critical and one of medium severity, both of which were correctly patched by the MISP team.
- The critical vulnerability allowed authenticated users to execute commands on the operating system hosting the MISP application. This could result in stealing sensitive information from the platform, stealing password hashes, impersonating users, and attacking the internal infrastructure of the victim organization.
- All organizations that updated MISP to a patched version are protected against the threats posed by the discovered vulnerabilities.
CIRCL has recognized our support and help in making MISP more secure:
“Mr. Dawid Czarnecki contributed in the field of security review, audit and vulnerability assessment of the MISP code base. He contributed a significant number of reports and found vulnerabilities in the MISP software.”
– Alexandre Dulaunoy, CIRCL Head of Department
Would you like to see how we can secure a similar application in your company?
Our expert will ask you about your application and see if we can help improve its security.