External risk intelligence

MISP PHAR Deserialization Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2022-29528

MISP (Malware Information Sharing Platform) is designed as a web-based platform for information sharing, which is commonly deployed as an internet-facing or inter-organizational web application to facilitate collaboration, making it a likely candidate for public or wide-area network exposure.

Deserialization

Misp Project Misp

before 2.4.158

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in the MISP platform, a tool used for sharing threat intelligence. The issue involves PHAR deserialization, which could allow unauthorized parties to compromise the system if exploited. The primary concern at this stage is to confirm if your organization utilizes this specific technology and if it is exposed in a way that could be targeted.

  • Threat intelligence sharing platform vulnerable.
  • Critical flaw allows unauthorized system compromise.
  • Confirm relevance and exposure for security posture.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted file to an unpatched MISP instance. This could lead to the execution of arbitrary code on the server, allowing the attacker to compromise the system.

  • No authentication or special access needed.
  • Triggered by PHAR deserialization.
  • Allows remote code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary code on the server when specific conditions are met, potentially affecting the integrity and availability of the MISP instance.

  • Server-side code execution.
  • Via PHAR deserialization.
  • Compromised server or data.

Operational Fix

Recommended remediation, mitigation, and detection steps

MISP instances, likely managed by security or platform teams, require initial assessment to determine exposure and criticality. The first practical step involves identifying all deployed instances, verifying network reachability, confirming business criticality, and locating the accountable owner to prioritize remediation efforts.

  • Security or platform teams should own.
  • Verify instance reachability and criticality first.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MISP?

MISP, or the Malware Information Sharing Platform, is a specialized, open-source software suite designed to help organizations collect, store, and distribute technical indicators of compromise. Security professionals use it to automate the exchange of threat intelligence data between different companies, researchers, and government entities to improve collective defense against active cyber threats.

What does PHAR deserialization mean for CVE-2022-29528?

This vulnerability is classified as CWE-502, which concerns insecure deserialization. In plain terms, the software incorrectly processes untrusted data formatted as a PHAR (PHP Archive) file. Because the application blindly trusts the structure of these files, an attacker can manipulate the data to trick the server into performing unauthorized actions or executing unintended code on the underlying system.

How is this vulnerability triggered?

The issue is triggered when an unpatched MISP instance processes a specially crafted file containing malicious instructions. An attacker does not need prior authentication or specific system access to initiate this process. Importantly, the flaw is not triggered by simple network connectivity alone; the server must be engaged in a way that forces it to handle or deserialize the malicious PHAR file input.

Do I need to worry about this vulnerability?

You should prioritize this if you manage MISP instances. Halo Surface Signal identifies MISP as a web-based platform often deployed as an internet-facing or inter-organizational tool for collaboration, which significantly increases the potential reach of an attacker. If your instance is accessible over a wide-area network or the public internet, the likelihood of it being reachable by unauthorized parties is notably higher.

When should I start addressing this issue?

You should begin by cataloging all your active MISP deployments to determine which are running versions prior to 2.4.158. Once you have identified these instances, assess their network exposure and business criticality. Engage with the platform owners immediately to confirm these details so your team can schedule the necessary software updates to secure the environment.

References