External risk intelligence

MISP Password Change Vulnerability CVE-2021-25323

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2021-25323

MISP is commonly deployed as a centralized web-based threat intelligence sharing platform. As a web application designed for collaborative sharing of sensitive data, it is frequently exposed as an internet-facing service or at the edge of organizational networks to facilitate connectivity between different entities and threat intelligence feeds.

Misp Project Misp

2.4.136

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves a security misconfiguration in the MISP threat intelligence platform where password change requirements were not enabled by default. This could allow unauthorized access to sensitive threat intelligence data if an attacker can compromise a user's account. The main concern is confirming relevance and exposure.

  • Weak password controls pose a data access risk.
  • MISP platforms handle sensitive threat intelligence.
  • Confirm if MISP is in use and its exposure.

Attack Path

How an attacker could exploit the issue

An attacker could target users of the MISP threat intelligence platform by exploiting a vulnerability in its password change functionality. This flaw allows an unauthenticated attacker to potentially reset any user's password without knowing the current one, leading to account takeover and unauthorized access to sensitive threat intelligence data.

  • Unauthenticated access to the platform is required.
  • A password change request triggers the vulnerability.
  • Account takeover and data theft are possible.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to change any user's password without prior authentication, potentially leading to unauthorized access to sensitive threat intelligence data. This is possible when the `require_password_confirmation` setting is not enabled, which was the default in the affected version.

  • User account credentials could be at risk.
  • Attackers could change passwords without prior authentication.
  • Unauthorized access to sensitive data may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

Security and infrastructure teams are likely responsible for addressing this vulnerability in MISP, as it's a web-based threat intelligence platform often exposed externally. The immediate first step is to locate all instances of the affected technology, confirm its accessibility and business criticality, identify the accountable owner, and then prioritize remediation based on the potential risk.

  • Platform/Application owners should prioritize addressing this.
  • Verify if password change functionality is used.
  • Plan configuration update or vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MISP?

MISP is an open-source, web-based platform used by security teams to store, correlate, and share threat intelligence. Organizations deploy it to collaborate on identifying cyber threats, managing indicators of compromise, and automating the exchange of security data across different networks and partners.

What does CVE-2021-25323 mean for password security?

This vulnerability is classified as CWE-640, or a failure to require a current password during a password change. In the affected version, the system did not enforce a verification step that typically confirms the user knows their existing password, making it easier for an unauthorized party to change credentials.

How does an attacker trigger this vulnerability?

An attacker initiates this by targeting the password change function of the platform. The flaw specifically exists because the require_password_confirmation security setting was disabled by default. Importantly, the bug is not triggered by standard login attempts or active sessions, but rather by the specific request to modify an account's password without providing the previous one.

How do I know if my MISP instance is relevant to this threat?

According to Halo Surface Signal, MISP is frequently deployed as an internet-facing service to facilitate data sharing between entities. If your instance is accessible from the public internet, it faces a higher degree of risk. You should review your network perimeter to see if the platform is reachable externally or if it is restricted to internal users.

What is the first step to address this CVE?

Your priority is to verify your current configuration settings. Locate the MISP environment and check if the password confirmation requirement is active. If it is disabled, update the configuration to enforce password confirmation immediately. Afterward, confirm which users manage the platform and ensure this security control remains enabled.

References