External risk intelligence

MISP Lacks ACL Check Leading to Critical Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2020-29006

MISP is a web-based threat intelligence platform often deployed as an internet-facing application to facilitate collaborative data exchange between organizations. Its architecture relies on web interfaces and API endpoints designed for external connectivity, making instances frequently reachable from the public internet.

Misp Project Misp

before 2.4.135

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability was discovered in the MISP threat intelligence platform that could allow unauthorized access and manipulation of sensitive data. This issue stems from a missing access control check in specific components of the application, which, if exploited, could have significant implications for data confidentiality and integrity. Understanding the relevance and exposure of this platform within your environment is the primary concern.

  • Missing access check on core data features.
  • Protects shared threat intelligence data.
  • Confirm MISP relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could reach a vulnerable instance of MISP over the network and trigger a flaw in how the application checks user permissions. This could allow them to access or modify sensitive threat intelligence data.

  • No authentication required to access.
  • Accessing specific application features triggers the flaw.
  • Leads to unauthorized data access and modification.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthorized access to sensitive threat intelligence data and system configurations within MISP when it is exposed to a network. The absence of an access control check in specific controller and model files could potentially enable unauthenticated users to view or modify critical information.

  • Sensitive threat intelligence data at risk.
  • Unauthorized network access could expose data.
  • Data theft or unauthorized modification possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

The MISP platform, commonly deployed as an internet-facing threat intelligence application, is susceptible to this critical vulnerability. Ownership typically falls to the security team managing the MISP instance, with potential coordination required from application or infrastructure teams. The immediate first step is to confirm the presence and accessibility of MISP, identify the accountable owner, and then prioritize remediation based on the platform's criticality and exposure.

  • Confirm MISP deployment and owner.
  • Verify accessibility and business criticality.
  • Plan remediation or temporary risk reduction.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the MISP platform?

MISP is an open-source threat intelligence platform used by organizations to share and collaborate on cyber security incidents. It acts as a centralized database for storing structured threat data, such as indicators of compromise, which are exchanged between security teams to improve defense against potential attacks.

What does CVE-2020-29006 mean by a missing ACL check?

This vulnerability is classified as CWE-862, or Missing Authorization. It means the software fails to verify if a user has the proper permissions before performing an action. In this case, the application does not check if someone is authorized to access specific Galaxy elements, which are components used to organize and categorize threat intelligence data.

How is this vulnerability triggered?

An attacker triggers this flaw by interacting with specific controller and model functions within the application over the network. It does not require the attacker to have an existing user account or valid login credentials. Simply accessing the affected interface paths is sufficient to bypass the intended security restrictions and manipulate the underlying data.

Why does Halo Surface Signal flag this as a concern?

Halo Surface Signal identifies MISP instances as likely internet-facing due to their purpose of facilitating collaborative data exchange. Because these platforms are often deployed with web and API interfaces reachable from the public internet to enable broad connectivity, the lack of authentication significantly increases the risk of unauthorized access.

What should I do if I run MISP?

First, verify your current version of MISP to see if it is older than 2.4.135. If it is, identify the team responsible for the instance and assess its network accessibility. Prioritize updating the software to a patched version to restore proper access controls and prevent unauthorized modification of your sensitive threat intelligence data.

References