External risk intelligence

MISP Audit Log ACL Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2023-50918

MISP (Malware Information Sharing Platform) is frequently deployed as a web-based application to facilitate threat intelligence sharing between organizations, making it commonly accessible as an internet-facing web service.

Misp Project Misp

before 2.4.182

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical security vulnerability in MISP, a platform used for sharing threat intelligence. The issue stems from how access controls are managed for audit logs, potentially allowing unauthorized access and modification of sensitive security data. The main concern at this time is confirming whether our environment utilizes this technology and is therefore exposed.

  • Log access controls are improperly managed.
  • MISP is used for sharing sensitive threat intelligence.
  • Confirm relevance and exposure to MISP.

Attack Path

How an attacker could exploit the issue

An attacker could reach the audit log feature of MISP without needing any authentication or prior access. By exploiting a flaw in how access controls are handled, an attacker could potentially view, alter, or even delete sensitive audit log information, compromising the integrity of the system's activity records.

  • No authentication required.
  • Accesses audit log feature.
  • Compromises log integrity.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, this vulnerability could allow an unauthenticated attacker to bypass access controls for audit logs. This could lead to unauthorized disclosure of sensitive audit information.

  • Audit log data.
  • Unauthorized access to logs.
  • Disclosure of sensitive information.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in MISP's audit log access controls requires immediate attention from teams managing the MISP platform. The first practical step is to identify all instances of MISP within your environment, determine their exposure and business criticality, and confirm the accountable owner for each deployment. Subsequent actions should be planned based on this risk assessment, coordinating with the relevant teams to schedule remediation within an appropriate maintenance window.

  • MISP platform owners should lead remediation efforts.
  • Verify MISP instance exposure and business criticality.
  • Plan and execute MISP upgrades or patches.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MISP?

MISP, or the Malware Information Sharing Platform, is an open-source software suite designed to help organizations collect, store, and share indicators of compromise and threat intelligence. Security teams use it to collaborate on detecting and mitigating cyber threats by centralizing security data. It functions as a web-based application that manages complex relationships between different types of threat information.

What does CVE-2023-50918 mean for system security?

This CVE describes a failure in the software's access control logic regarding audit logs. In technical terms, it means the system does not properly enforce permission checks for these logs. Because the application fails to verify who is requesting the data, unauthorized users can interact with records that should be restricted, potentially leading to unauthorized data disclosure or modification.

How does an attacker trigger this vulnerability?

An attacker can trigger this issue by directly accessing the audit log controller within the application without providing any valid login credentials. The vulnerability resides in the software's inability to require authentication for these specific log requests. Simply browsing to the vulnerable path is sufficient; the bug does not require any specific user-level privileges or previous access to the system to manifest.

Is my MISP instance at risk?

According to Halo Surface Signal, MISP is frequently deployed as an internet-facing web service to facilitate external collaboration, which significantly increases the risk profile. If your instance is reachable over the public internet, it is more likely to be exposed to external actors. You should prioritize instances that are accessible beyond your internal network.

What are the first steps to address this issue?

Begin by identifying all running MISP instances within your infrastructure and determining which ones are reachable from the internet. Once you have an inventory, coordinate with the platform owners to verify the current version. Since this vulnerability affects versions before 2.4.182, the primary response is to plan and execute an upgrade to a patched version within your next maintenance window.

References