CVE-2018-12649
📋 TL;DR
This vulnerability allows attackers to bypass brute-force protection on MISP login pages by using PUT HTTP requests instead of POST requests. It affects MISP instances running version 2.4.92, potentially enabling credential stuffing attacks against authentication systems.
💻 Affected Systems
- MISP (Malware Information Sharing Platform)
📦 What is this software?
Misp by Misp
⚠️ Risk & Real-World Impact
Worst Case
Attackers could brute-force administrator credentials, gain full system access, and compromise sensitive threat intelligence data stored in MISP.
Likely Case
Attackers perform credential stuffing attacks to gain unauthorized access to user accounts, potentially accessing sensitive threat intelligence.
If Mitigated
With proper rate limiting and authentication monitoring, impact is limited to failed login attempts being logged.
🎯 Exploit Status
Simple HTTP method manipulation with tools like curl or Burp Suite can exploit this vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.4.92 (specifically commit 6ffacc1e239930e0e8464d0ca16e432e26cf36a9)
Vendor Advisory: https://github.com/MISP/MISP/commit/6ffacc1e239930e0e8464d0ca16e432e26cf36a9
Restart Required: No
Instructions:
1. Update MISP to a version after 2.4.92.
2. Apply commit 6ffacc1e239930e0e8464d0ca16e432e26cf36a9.
3. Verify that UsersController.php applies brute-force protection to both POST and PUT requests.
🔧 Temporary Workarounds
Web Server Method Restriction
Configure the web server to reject PUT (and any other unexpected method) on the login endpoint. GET must remain allowed so the login form still renders; only POST should carry credentials.
# For Apache 2.4: add to .htaccess or virtual host config
# (Apache 2.2 uses "Deny from all" instead of "Require all denied")
<Location "/users/login">
<LimitExcept GET POST>
Require all denied
</LimitExcept>
</Location>
# For Nginx: add to server block
location /users/login {
limit_except GET POST {
deny all;
}
}
WAF Rule
Implement a Web Application Firewall rule that blocks PUT requests to login endpoints.
🧯 If You Can't Patch
- Implement network-level rate limiting for all HTTP methods on login endpoints
- Enable detailed authentication logging and monitor for unusual PUT request patterns
🔍 How to Verify
Check if Vulnerable:
Test the login endpoint with a PUT request carrying credentials, using curl: curl -X PUT -d 'username=test&password=test' https://misp-instance/users/login
Check Version:
Check MISP version in web interface or via: grep -i version /var/www/MISP/app/Config/config.php
Verify Fix Applied:
After patching, the same PUT request should trigger brute-force protection or be rejected.
📡 Detection & Monitoring
Log Indicators:
- Multiple PUT requests to /users/login endpoint
- Failed login attempts via PUT method
- Unusual authentication patterns from single IP
Network Indicators:
- PUT requests to login endpoints
- High volume of authentication attempts
SIEM Query:
source="web_logs" AND (uri_path="/users/login" AND http_method="PUT") | stats count by src_ip
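An added example, not part of the advisory, that implements the log indicators above in Python: it parses combined-format access log lines, counts login submissions per source IP and method, and raises an alert for any non-POST login submission (the bypass this CVE describes) and for any IP whose login volume reaches a threshold. The log lines, IP addresses and the threshold of 3 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/Nginx combined log format (not from a real MISP instance).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2018:10:00:01 +0000] "PUT /users/login HTTP/1.1" 302 0 "-" "curl/7.58.0"
203.0.113.7 - - [12/Jun/2018:10:00:02 +0000] "PUT /users/login HTTP/1.1" 302 0 "-" "curl/7.58.0"
203.0.113.7 - - [12/Jun/2018:10:00:03 +0000] "PUT /users/login HTTP/1.1" 302 0 "-" "curl/7.58.0"
198.51.100.4 - - [12/Jun/2018:10:00:05 +0000] "POST /users/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jun/2018:10:00:09 +0000] "GET /events/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2018:10:00:10 +0000] "PUT /users/login HTTP/1.1" 302 0 "-" "curl/7.58.0"
"""

# Client IP, request method, request path and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def login_attempts_by_ip(log_text, login_path="/users/login"):
    """Count login submissions per (ip, method). GET is skipped because it only
    fetches the form; any other method to the login path is a submission."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        if m["path"].split("?")[0] != login_path or m["method"] == "GET":
            continue
        counts[(m["ip"], m["method"])] += 1
    return dict(counts)


def find_suspicious(counts, threshold=3):
    """Return sorted alert tuples (kind, ip, method, count): every non-POST login
    submission is flagged on its own, and any IP whose total submissions across
    all methods reach the threshold is flagged as possible brute force."""
    alerts = []
    totals = defaultdict(int)
    for (ip, method), n in counts.items():
        totals[ip] += n
        if method != "POST":
            alerts.append(("non_post_login", ip, method, n))
    for ip, n in totals.items():
        if n >= threshold:
            alerts.append(("login_volume", ip, "*", n))
    return sorted(alerts)
```

Counting across all methods matters: a per-method threshold would miss an attacker who spreads attempts over POST and PUT.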