External risk intelligence

MISP SQL Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2021-39302

MISP (Malware Information Sharing Platform) is designed as a collaborative, network-accessible web application for sharing threat intelligence. It is typically deployed as a web-based service intended to be reachable by authorized remote users or peer instances over a network, making it a common internet-facing or edge-reachable web application.

SQL Injection

Misp Project Misp

2.4.148

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in MISP, a platform for sharing threat intelligence, could allow unauthorized attackers to inject malicious code and potentially compromise systems. While specific impact details are not provided, the nature of this vulnerability, a SQL injection flaw, means that if MISP is deployed in a way that exposes it to the network, there is a risk of data tampering or unauthorized access.

  • Code injection vulnerability in threat intelligence sharing.
  • Critical flaw could expose sensitive organizational data.
  • Confirm MISP relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit a vulnerability in certain MISP configurations by sending specially crafted input to the logging feature. This input, when processed by the `app/Model/Log.php` file, could allow the attacker to inject malicious SQL commands. Successful exploitation could lead to unauthorized access to and modification of data within the MISP instance.

  • No authentication required for access.
  • Vulnerable to SQL injection via log conditions.
  • Allows data manipulation and unauthorized access.

Live Threat

Current exploitation, exposure, and threat context

When MISP is deployed with specific configurations, an attacker could inject malicious SQL code into the 'org' parameter of the Log model, potentially compromising the integrity and confidentiality of the system. This vulnerability could allow an attacker to manipulate or access sensitive data within the MISP application.

  • Database integrity and confidentiality at risk.
  • SQL injection via a network-accessible parameter.
  • Unauthorized data access or modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

This SQL injection vulnerability in MISP could impact organizations that deploy it as a web-based service for threat intelligence sharing. Action should be initiated by the team managing the MISP application, likely the platform or security operations team, to identify all instances. The immediate priority is to confirm the presence and reachability of affected MISP deployments, determine their business criticality, and assign an owner for remediation planning based on this risk assessment.

  • Identify MISP instances and assess criticality.
  • Confirm ownership of affected MISP deployments.
  • Plan remediation based on identified risks.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MISP?

MISP, or the Malware Information Sharing Platform, is an open-source software suite used by security teams to store, correlate, and share threat intelligence. Organizations use it to track indicators of compromise and collaborate on cyber threat analysis within trusted communities. It functions as a web-based application that manages complex relationships between different data points, such as IP addresses, file hashes, and specific organizational entities.

What does CWE-89 mean for CVE-2021-39302?

CVE-2021-39302 is classified as CWE-89, which is the weakness identifier for SQL injection. This means the application does not properly sanitize or filter user-supplied data before including it in database queries. Because of this flaw in the log management component, an attacker can input specially crafted SQL commands that the database interprets as legitimate instructions, allowing them to bypass security controls and interact directly with the underlying data store.

How can an attacker trigger this MISP vulnerability?

An attacker triggers this vulnerability by sending malicious, specially crafted input to the log-handling feature within the affected MISP version. Specifically, the flaw resides in the 'org' parameter processed by the application's logging model. Note that this issue is tied to specific configurations; it does not occur when the application effectively sanitizes input parameters before they reach the database query layer.

Why does Halo Surface Signal flag this as an external risk?

Halo Surface Signal identifies MISP as a platform designed for collaborative, network-accessible intelligence sharing. Because the software is intended to be reachable by remote users or peer instances, it is commonly deployed as an internet-facing or edge-reachable web service. This network positioning increases the potential for unauthorized external actors to reach the vulnerable component.

What should I do if I manage a MISP instance?

Your first step is to identify all running instances of MISP and confirm their version numbers to see if they match the affected configuration. Once identified, evaluate the network accessibility of these instances to understand their current exposure. Coordinate with your team to review official guidance for applying available patches or configuration changes, and prioritize remediation based on the business importance of the data stored in each specific deployment.

References