CVE-2022-27245
📋 TL;DR
CVE-2022-27245 is a Server-Side Request Forgery (SSRF) vulnerability in MISP (Malware Information Sharing Platform). The generateServerSettings action, which is meant to be run only from the CLI, was reachable through the web interface, so an attacker could make the MISP server issue requests of their choosing to internal or external systems. Every MISP instance running a vulnerable version (before 2.4.156) is affected, and its administrators should treat it as exposed.
💻 Affected Systems
- MISP (Malware Information Sharing Platform)
📦 What is this software?
MISP (Malware Information Sharing Platform), an open-source threat intelligence sharing platform maintained by the MISP project.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot through the vulnerable MISP server to access internal systems, steal credentials, perform port scanning, or interact with cloud metadata services to escalate privileges.
Likely Case
Attackers scan internal networks, access internal web applications, or interact with cloud metadata APIs to gather information for further attacks.
If Mitigated
Limited information disclosure or failed exploitation attempts if network segmentation and proper access controls are implemented.
🎯 Exploit Status
SSRF vulnerabilities are commonly exploited and this one requires no authentication. The GitHub commit shows the exact vulnerable code path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.156 and later
Vendor Advisory: https://github.com/MISP/MISP/commit/8dcf414340c5ddedfebbc972601646d38e1d0717
Restart Required: Yes
Instructions:
1. Back up your MISP instance and database.
2. Update MISP to version 2.4.156 or later using git:
git pull origin 2.4
3. Run the update script:
sudo -u www-data bash /var/www/MISP/app/Console/cake Admin updateMISP
4. Restart your web server (Apache/Nginx).
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict access to vulnerable endpoint
Use web server configuration to block access to the generateServerSettings endpoint
# For Apache: add to .htaccess or virtual host config
# (Order/Deny is the Apache 2.2 syntax, still accepted by 2.4 through mod_access_compat;
#  on a pure 2.4 setup use "Require all denied" inside the Location block instead)
<Location "/servers/generateServerSettings">
Order deny,allow
Deny from all
</Location>
# For Nginx: add to server block
location /servers/generateServerSettings {
deny all;
return 403;
}
Network segmentation
Isolate the MISP server from internal networks and restrict its outbound connections
# Example iptables rules to restrict outbound from MISP
# Caveat: as written these drop ALL outbound HTTP/HTTPS/SSH, including MISP's own
# feed fetching and server-to-server sync. Scope them with -d <internal range>
# (or allow-list the destinations MISP needs first), and persist them, since
# iptables rules added this way do not survive a reboot on their own.
sudo iptables -A OUTPUT -p tcp --dport 80 -j DROP
sudo iptables -A OUTPUT -p tcp --dport 443 -j DROP
sudo iptables -A OUTPUT -p tcp --dport 22 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to prevent MISP server from accessing internal systems
- Deploy a Web Application Firewall (WAF) with SSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Check whether /servers/generateServerSettings can be reached through the web interface (browser or curl) rather than only from the CLI. Also check the MISP version.
Check Version:
cd /var/www/MISP && git describe --tags 2>/dev/null || echo "Check MISP web interface footer for version"
Verify Fix Applied:
Attempt to access /servers/generateServerSettings via the web interface; it should return 403 or otherwise be inaccessible. Verify the version is 2.4.156 or later.
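The two checks above (version tag and endpoint reachability) are easy to get wrong by hand: git describe output carries a commit-count suffix, and an unauthenticated probe of a MISP page is normally redirected to the login page, which a naive HTTP client follows and then reports as a 200. The script below is an added example, not part of this advisory or of the MISP project; it assumes the endpoint path and fixed version stated above, and the redirect-to-login behaviour is an assumption that you should confirm on your own instance.

```python
import re
import urllib.error
import urllib.request
from typing import Optional, Tuple

# First release carrying the fix, per the advisory above
FIXED_VERSION = (2, 4, 156)
ENDPOINT = "/servers/generateServerSettings"


def parse_misp_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a tag such as 'v2.4.155', a footer
    string such as '2.4.157', or git-describe output such as
    'v2.4.155-12-gabc1234' (tag plus 12 commits). Returns None if unparseable."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_tag_fixed(text: str) -> Optional[bool]:
    """True when the tag is 2.4.156 or later, False when older, None if unparseable.
    A git-describe result like 'v2.4.155-12-g...' sits 12 commits past the tag and
    may or may not contain the fix commit; only the tag counts here, so such a
    build is reported as not fixed until confirmed with git log against the
    commit in the vendor advisory."""
    v = parse_misp_version(text)
    if v is None:
        return None
    return v >= FIXED_VERSION


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 302 to the login page is reported as 302,
    not as the 200 of the login page it points at."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def endpoint_http_status(base_url: str, timeout: float = 5.0) -> int:
    """GET the endpoint on your own instance and return the raw HTTP status."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        # Non-2xx responses (403 from the workaround, 302 to login, ...) land here
        return e.code


def endpoint_verdict(status: int) -> str:
    """Map the status to the outcome the advisory's verification step expects."""
    if status == 403:
        return "blocked"
    if status == 200:
        return "served: the page is still reachable over HTTP, workaround or fix not in place"
    if 300 <= status < 400:
        # Assumption: an unauthenticated request is redirected to the login page;
        # repeat the check with a valid session cookie to be sure
        return "redirected: re-check while authenticated"
    return f"inaccessible (status {status}): review manually"


if __name__ == "__main__":
    # Offline demo on a constructed git-describe string; the HTTP probe is left
    # to the operator, e.g. endpoint_verdict(endpoint_http_status("https://misp.example"))
    for tag in ("v2.4.155-12-gabc1234", "v2.4.156", "2.4.160"):
        print(tag, "->", "fixed" if is_tag_fixed(tag) else "not fixed")
```

Run the HTTP probe only against instances you administer, and feed it the base URL of the web interface; pair its verdict with the tag check, since a 403 from the Apache/Nginx workaround does not by itself mean the code has been updated.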
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /servers/generateServerSettings endpoint
- Unusual outbound connections from MISP server to internal IPs
- Failed authentication attempts followed by SSRF attempts
Network Indicators:
- MISP server making unexpected HTTP requests to internal services
- Requests to cloud metadata endpoints (169.254.169.254, etc.) from MISP
SIEM Query:
source="misp_access.log" AND (uri_path="/servers/generateServerSettings" OR user_agent="curl" OR user_agent="wget")
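To turn the log and network indicators above into something that runs, the following added example (not code from the advisory or from the MISP project) parses a few constructed Apache/Nginx combined-format access-log lines, flags every hit on the endpoint regardless of case or query string, distinguishes served hits from blocked ones, and separately classifies outbound destinations as sensitive when they are the metadata address named above or any private, link-local or loopback address. The sample log lines and the outbound connection list are constructed for the demo; the IPv6 metadata address is an assumption added beside the advisory's 169.254.169.254.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

ENDPOINT = "/servers/generateServerSettings"

# Cloud metadata address from the advisory; the IPv6 form is an assumption
METADATA_ADDRESSES = {"169.254.169.254", "fd00:ec2::254"}

# Apache/Nginx "combined" access-log format
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines for the demo, not real traffic
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [11/Mar/2022:10:00:01 +0000] "GET /events/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2022:10:00:02 +0000] "GET /servers/generateServerSettings HTTP/1.1" 200 311 "-" "curl/7.81.0"
203.0.113.7 - - [11/Mar/2022:10:00:03 +0000] "GET /servers/generateServerSettings?probe=1 HTTP/1.1" 200 311 "-" "python-requests/2.27.1"
198.51.100.9 - - [11/Mar/2022:10:00:04 +0000] "GET /Servers/generateServerSettings HTTP/1.1" 403 199 "-" "curl/7.81.0"
10.0.0.5 - - [11/Mar/2022:10:00:05 +0000] "POST /users/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_endpoint(path: str) -> bool:
    # Drop the query string and compare case-insensitively so a probe such as
    # /Servers/generateServerSettings?x=1 is not missed
    return path.split("?", 1)[0].lower() == ENDPOINT.lower()


def flag_access_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per request to the endpoint, with a verdict:
    'served' (2xx, the page was reachable: treat as an exploitation attempt
    that worked), 'blocked' (403 from the workaround), or 'other'."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or not is_endpoint(rec["path"]):
            continue
        status = int(rec["status"])
        if status == 403:
            verdict = "blocked"
        elif 200 <= status < 300:
            verdict = "served"
        else:
            verdict = "other"
        findings.append({"src": rec["src"], "ts": rec["ts"], "status": rec["status"],
                         "ua": rec["ua"], "verdict": verdict})
    return findings


def is_sensitive_destination(ip: str) -> bool:
    """True for cloud metadata addresses and any private, link-local or loopback
    address: places a MISP server should not be reaching on an attacker's behalf."""
    if ip in METADATA_ADDRESSES:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_private or addr.is_link_local or addr.is_loopback


# Constructed (destination, port) pairs standing in for a connection log or flow export
SAMPLE_OUTBOUND = [("169.254.169.254", 80), ("10.10.0.3", 8080),
                   ("93.184.216.34", 443), ("127.0.0.1", 6379)]


def flag_outbound(conns: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Keep only the outbound connections whose destination is sensitive."""
    return [(ip, port) for ip, port in conns if is_sensitive_destination(ip)]


if __name__ == "__main__":
    for f in flag_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ts']} {f['src']} {f['status']} {f['verdict']} ua={f['ua']}")
    print("sensitive outbound:", flag_outbound(SAMPLE_OUTBOUND))
```

Matching on the path rather than on the user agent keeps the alert specific: the SIEM query above also fires on every curl or wget request, which on a MISP server used by automation is noise, whereas any web request to this endpoint is worth a look on its own. For the outbound side, feed in whatever your environment already records (iptables LOG lines, conntrack, proxy or flow logs) after extracting the destination and port.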