External risk intelligence

MISP Insecure Logo Upload Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2024-25674

MISP is typically deployed as a web-based threat intelligence platform. Features such as organization logo management are accessible via the web interface, which is commonly exposed to the internet or reachable across organizational networks to facilitate collaborative threat data sharing.

Unrestricted File Upload

Misp Project Misp

before 2.4.184

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

An issue has been identified in the MISP threat intelligence platform that could allow unauthorized file uploads due to inadequate checks on file types. This vulnerability could potentially be exploited to upload malicious files, impacting the integrity and security of the platform. The primary concern at this stage is to confirm if your instance is affected and to understand the potential exposure.

  • Insecure file uploads in threat intelligence platform.
  • Protects against unauthorized file execution risks.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by uploading a malicious file disguised as an organization logo. Because the system does not adequately check the file's type and extension, an attacker could upload a file that, when accessed, could lead to significant compromise of the system.

  • Unauthenticated access to the web interface.
  • Uploading a file with an improper extension.
  • Arbitrary code execution and data compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to upload and execute arbitrary files through the organization logo upload functionality when unsupported by the advisory. This could impact the availability and integrity of the MISP system.

  • System integrity and availability.
  • Upload of malicious files via logo feature.
  • System compromise and data manipulation.

Operational Fix

Recommended remediation, mitigation, and detection steps

The MISP platform's application owners or the security team are likely responsible for addressing this vulnerability due to insecure file uploads. The first practical step is to identify all instances of the affected MISP deployment, confirm their accessibility and business criticality, and then determine the accountable owner to plan remediation.

  • Application owners should manage the issue.
  • Verify logo upload functionality and reachability.
  • Plan for vendor coordination and update.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MISP?

MISP (Malware Information Sharing Platform) is an open-source software suite designed for the collaborative exchange of threat intelligence. Organizations use it to collect, correlate, and share indicators of compromise and other security-related data, helping security teams automate their defenses and respond more effectively to cyber threats.

How does CVE-2024-25674 work?

This vulnerability is classified as CWE-434, which refers to Unrestricted Upload of File with Dangerous Type. In affected MISP versions, the platform fails to properly validate the file extension or MIME type when a user uploads an organization logo. Because the system does not check the file's actual content or format, it may inadvertently allow an attacker to store malicious files on the server.

What triggers this file upload bug?

An attacker triggers this vulnerability by interacting with the organization logo upload feature. The bug is specifically tied to the lack of input validation for these uploads. It is important to note that simply visiting the platform or viewing existing content does not trigger the vulnerability; it requires a successful attempt to upload a file with an improper or malicious extension.

Is my MISP instance at risk?

According to Halo Surface Signal, risk depends on how your MISP deployment is configured and shared. Because MISP is a collaborative tool, it is often web-facing to facilitate data sharing with other organizations. If your interface is reachable over the internet or widely accessible across your internal network, it is more likely to be an attractive target for this type of unauthorized file upload.

What should I do to address this CVE?

First, verify which version of MISP you are currently running to see if it falls within the affected range. Identify all deployments in your environment and determine their business criticality. Coordinate with your application owners to prioritize upgrading to a patched version, as the most effective path forward is to ensure your software is updated beyond the vulnerable baseline identified by the project.

References