External risk intelligence

MISP Order Parameter Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2022-48329

MISP (Malware Information Sharing Platform) is designed as a collaborative, web-based platform for threat intelligence sharing. It is frequently deployed as a network-accessible web application to allow organizations to exchange data with external partners, making its web interface a common internet-facing service.

Misp Project Misp

before 2.4.166

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in MISP, a platform used for threat intelligence sharing. The issue, related to how user input is handled, could allow unauthorized access and modification of information if exploited. The primary concern is to confirm if our deployment is affected and understand its exposure.

  • Allows unauthorized data access and modification.
  • Critical issue in threat intelligence sharing platform.
  • Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could reach the vulnerable component of MISP through its network interface without needing any special access. By manipulating the `order` parameter in specific requests, they could interact with vulnerable model files, potentially leading to significant data compromise and system disruption. This vulnerability allows for unauthorized actions that could affect the confidentiality, integrity, and availability of the system.

  • No authentication or special access required.
  • Exploited via manipulation of the `order` parameter.
  • Leads to critical data and system compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could affect the integrity and availability of the MISP platform, potentially impacting the accuracy and usability of shared threat intelligence data. When supported by the advisory, an attacker could leverage this flaw to manipulate data sorting, which might lead to unexpected system behavior or compromise the integrity of information within the platform.

  • Threat intelligence data integrity.
  • Unauthenticated network access to manipulate data.
  • Disruption of threat intelligence sharing.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in MISP affects all users due to its network exploitability and lack of authentication requirements. The first practical step is to identify all MISP instances, confirm their reachability and business criticality, and then engage the platform or application owners to plan remediation.

  • Platform owners should manage the issue.
  • Verify external accessibility and impact.
  • Coordinate vendor update or mitigation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the MISP platform?

MISP, or Malware Information Sharing Platform, is a specialized, open-source software suite used by security teams to store, correlate, and distribute technical indicators of compromise. Organizations deploy it as a web-based hub to facilitate real-time collaboration with partners and internal teams, ensuring that intelligence regarding potential threats is exchanged securely and efficiently across distributed network environments.

How does CVE-2022-48329 impact MISP?

This vulnerability is classified as CWE-755, which refers to improper handling of exceptional conditions. In the context of CVE-2022-48329, the software fails to safely process input provided through the 'order' parameter. Because this parameter is used across core system models, failing to validate it correctly allows unauthorized users to manipulate data queries, potentially leading to unauthorized system actions or compromise of the platform's core functions.

Does any specific action trigger this vulnerability?

The flaw is triggered by sending specially crafted web requests that manipulate the 'order' parameter. Because the vulnerability exists within the application's input processing logic, it does not require an attacker to have a valid user account or special administrative privileges to attempt exploitation. Simply accessing the network-facing interface is sufficient; the vulnerability is not triggered by standard, legitimate navigation of the interface.

Is my MISP instance at risk?

Halo Surface Signal indicates that because MISP is typically deployed as a web-accessible service to support external collaboration, many instances are inherently internet-facing. This exposure increases the relevance of this vulnerability, as any system accessible over the network without a patch is reachable by an attacker. Organizations using versions prior to 2.4.166 should prioritize verifying their network accessibility.

What steps should I take if I run MISP?

Begin by auditing your environment to locate all active MISP installations and verify their specific version numbers. If you are running any version older than 2.4.166, you are using an affected release. Coordinate with your application administrators to schedule an update to the latest patched version, as this is the primary method to resolve the underlying input handling weakness.

References