February 20, 2023
Critical SQL injection vulnerabilities in MISP (fixed in v2.4.166 and v2.4.167)
As of the past 2 months, we’ve received two separate reports of two unrelated SQLi vector vulnerabilities in MISP that can lead to any authenticated user being able to execute arbitrary SQL queries in MISP.
We consider this to be a critical vulnerability and chose to follow a silent fix procedure working with the reporters. We normally only do this in extreme cases where we want to ensure that the community has plenty of time to update once the vulnerability is patched and before we would publicly announce it. We also wanted to make sure that we have a way to urge the community to update, so we have been elevating the criticality of other minor vulnerabilities that were reported in the same time-frame.
The method we chose for the fix was simple:
- fix the vulnerability, disguise it as a refactor / minor fix
- fix another security issue/vulnerability that is unrelated
- release a critical bug fix, overplaying the importance of the minor secondary issues resolved
- blogging / tweeting / tooting / contacting groups / organisations to upgrade on the basis of the latter
The two SQLi vulnerabilities in question were as follows.
1. Vulnerability in the order parameter used in several indexes
As reported by Jakub Onderka. Besides being the hero that we all know him to be for bringing the code base up to snuff, he also found one of the most obnoxious vulnerabilities with this one that shows our misunderstanding of a standard framework function’s provided protections. Kudos to him for finding it!
Basically, we allowed users to provide custom field ordering for certain endpoints such as RestSearch. These were set using url parameters in the format of /order:field_name. However, contrary to our belief, the “order” parameter of the CakePHP find() function is not SQLi safe and thus we’ve introduced field allow-listing for any occurrence of custom order fields. Any sorting relying on /sort:field_name/direction:asc|desc is unaffected and safe.
2022/11/25 by Jakub Onderka
2022/11/28 - release version: v2.4.166
CVE ID: CVE-2022-48329
2. Vulnerability in the search parameters of any index using the CRUD component
As reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourgish army. Dawid has been reporting findings continuously for a long period of time now, with Zigrin Security developing their own tooling for detecting vulnerabilities that we quite frankly would never have caught ourselves.
Massive thanks to Dawid and his team!
The CRUD component would allow for custom search parameters to be passed - and whilst the lookup values are SQLi safe and properly sanitised, the field names themselves are not. With some clever forged requests, these can be abused. We have moved to allow-listing these field names.
2022/12/12 by Dawid Czarnecki
2022/12/22 - release version: v2.4.167
CVE ID: CVE-2022-48328
General note on software vulnerabilities
As always, we always welcome and highly encourage MISP users to run their own vulnerability assessments, code review and penetrating testing of MISP codebase and to let us know about the outcomes so that we can make MISP as secure as it can be. Thanks again to all that have reported vulnerabilities in the past.
For information on how to submit your findings, please refer to https://misp-project.org/security/