CVE-2022-29528

9.8 CRITICAL

📋 TL;DR

CVE-2022-29528 is a PHAR deserialization vulnerability in MISP (Malware Information Sharing Platform) that allows attackers to execute arbitrary code on affected systems. This affects all MISP instances running versions before 2.4.158. The vulnerability stems from improper handling of PHAR archives that can trigger deserialization of untrusted data.

💻 Affected Systems

Products:
  • MISP (Malware Information Sharing Platform)
Versions: All versions before 2.4.158
Operating Systems: Linux, Windows, macOS - any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PHP environment with PHAR support enabled (default in most PHP installations).


⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case: Remote code execution allowing attackers to gain shell access, install malware, or manipulate MISP data.

🟢 If Mitigated: Limited impact if proper network segmentation and access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH - MISP instances exposed to the internet are directly vulnerable to remote exploitation.
🏢 Internal Only: HIGH - Internal MISP instances remain vulnerable to authenticated or network-accessible attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires file upload capability or ability to control PHAR archive paths. The vulnerability is in the CakePHP framework used by MISP.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.158

Vendor Advisory: https://github.com/MISP/MISP/commit/0108f1bde2117ac5c1e28d124128f60c8bb09a8e

Restart Required: No

Instructions:

1. Back up your MISP instance and database.
2. Update to MISP version 2.4.158 or later.
3. Verify the update by checking the version in the web interface or via the command line.

🔧 Temporary Workarounds

Disable PHAR support in PHP (applies to: all platforms)

Disable the PHAR extension to prevent deserialization attacks:

php -d phar.readonly=1 -d phar.require_hash=1
Edit php.ini: phar.readonly = On
Edit php.ini: phar.require_hash = On

Note that the -d flags only apply to that single php invocation; the web server's PHP (php-fpm or mod_php) needs the php.ini change followed by a reload. Also, phar.readonly only blocks creating or modifying archives and phar.require_hash only rejects unsigned ones; the phar:// stream wrapper can still open a signed archive, and PHP before 8.0 unserializes its metadata on open. Not loading the phar extension at all (where it is built as a shared module), or unregistering the wrapper early in the application bootstrap with stream_wrapper_unregister('phar'), is the stronger control.

Restrict file uploads (applies to: all platforms)

Limit file upload capabilities to trusted users only.

🧯 If You Can't Patch

  • Implement strict network access controls to limit MISP access to trusted IPs only
  • Deploy web application firewall (WAF) with rules to detect and block PHAR deserialization attempts

🔍 How to Verify

Check if Vulnerable:

Check MISP version via web interface (Admin -> Server Settings -> Diagnostics) or command line: grep 'appversion' /var/www/MISP/app/Config/config.php

Check Version:

grep "'appversion'" /var/www/MISP/app/Config/config.php | cut -d"'" -f4

Verify Fix Applied:

Verify that the version is 2.4.158 or higher and that the commits 0108f1bde2117ac5c1e28d124128f60c8bb09a8e and 93821c0de6a7dd32262ce62212773f43136ca66e are present.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with .phar extensions
  • PHP errors related to unserialize() or phar:// streams
  • Unexpected process execution from web user context

Network Indicators:

  • HTTP requests containing phar:// in parameters
  • File uploads to MISP endpoints with suspicious content

SIEM Query:

source="misp_logs" AND (phar OR unserialize OR "remote code execution")
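As an added example that is not part of this advisory: a small Python scanner that applies the network indicators above to web server access-log lines, URL-decoding each request target repeatedly (so a double-encoded phar:// is also caught) before looking for the phar stream wrapper or a .phar filename. The log lines and the /example/fetch?file= endpoint are constructed for illustration and are not real MISP routes.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). The
# /example/fetch?file= endpoint is hypothetical, not a real MISP route.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/May/2022:10:00:01 +0000] "GET /events/view/1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/May/2022:10:00:02 +0000] "GET /example/fetch?file=phar%3A%2F%2F/tmp/avatar.jpg HTTP/1.1" 200 88 "-" "curl/7.79"',
    '10.0.0.9 - - [10/May/2022:10:00:03 +0000] "POST /example/upload HTTP/1.1" 302 0 "-" "curl/7.79"',
    '10.0.0.7 - - [10/May/2022:10:00:04 +0000] "GET /example/fetch?file=PHAR%253A%252F%252Fupload%252Fpayload.phar HTTP/1.1" 500 0 "-" "python-requests/2.27"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Match "phar:" rather than "phar://" so phar:/ and phar:\ variants are caught too.
PHAR_WRAPPER_RE = re.compile(r'phar:', re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """URL-decode until stable so double-encoded phar%253A%252F%252F becomes phar://."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a finding dict for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these separately
    target = decode_fully(m.group('target'))
    reasons = []
    if PHAR_WRAPPER_RE.search(target):
        reasons.append('phar stream wrapper in request target')
    if '.phar' in target.lower():
        reasons.append('.phar filename in request target')
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'method': m.group('method'),
            'target': target, 'status': int(m.group('status')), 'reasons': reasons}


def scan_logs(lines):
    """Scan many lines. Upload bodies are not visible here; check MISP's own audit log for those."""
    return [hit for hit in map(scan_line, lines) if hit]
```

Running scan_logs(SAMPLE_LOGS) flags the two GET requests and leaves the POST alone, which is why the access log alone cannot cover the "file uploads with suspicious content" indicator.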
