CVE-2022-29534
📋 TL;DR
Before version 2.4.158, MISP decided whether a request was an API (REST) call by inspecting the client-supplied 'Accept' header, and API calls were exempt from the password-confirmation step that the web UI requires before sensitive account changes such as setting a new password. Any authenticated request, including one riding a browser session, could therefore skip that confirmation simply by adding 'Accept: application/json'. All MISP instances running versions before 2.4.158 are affected.
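The failure pattern, as an added Python model that is not MISP's code: a request handler that derives the "is this an API call" decision from the client-controlled Accept header (the pre-fix behaviour described above), next to a hardened variant that exempts only requests actually authenticated with an API key. The Request class, the VALID_API_KEYS table and the change_password flow are constructed for the demo; the hardened variant shows one sound way to close this class of bug, not the exact change in the MISP patch.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed for the demo: a single valid API key mapped to its user.
VALID_API_KEYS: Dict[str, str] = {"k" * 40: "api-user"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a web framework would expose it."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    session_user: Optional[str] = None  # set once a browser session cookie was validated

    def header(self, name: str) -> str:
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def is_rest_by_accept_header(req: Request) -> bool:
    """Pre-fix heuristic: content negotiation decides whether this is an 'API' call."""
    return "application/json" in req.header("Accept").lower()


def needs_confirmation_vulnerable(req: Request) -> bool:
    # Anyone who can add a header can opt out of password confirmation.
    return not is_rest_by_accept_header(req)


def api_key_user(req: Request) -> Optional[str]:
    """Return the user owning the presented API key, or None."""
    return VALID_API_KEYS.get(req.header("Authorization"))


def needs_confirmation_fixed(req: Request) -> bool:
    # The exemption is tied to a verified credential (the API key), never to a
    # header the caller chooses. Session-authenticated requests always confirm.
    return api_key_user(req) is None


def change_password(req: Request, needs_confirmation, stored_password: str) -> str:
    """Shared handler; only the confirmation policy differs between the two variants."""
    actor = api_key_user(req) or req.session_user
    if actor is None:
        return "denied: unauthenticated"
    if needs_confirmation(req) and req.form.get("current_password") != stored_password:
        return "denied: current password required"
    if not req.form.get("password"):
        return "denied: no new password"
    return f"password changed for {actor}"


def hijacked_session_request() -> Request:
    """A stolen browser session sending the bypass header and no current password."""
    return Request(
        method="POST",
        path="/users/change_pw",
        headers={"Accept": "application/json", "Cookie": "CAKEPHP=stolen"},
        form={"password": "attacker-chosen"},
        session_user="victim",
    )


if __name__ == "__main__":
    req = hijacked_session_request()
    print("vulnerable:", change_password(req, needs_confirmation_vulnerable, "hunter2"))
    print("fixed:     ", change_password(req, needs_confirmation_fixed, "hunter2"))
```

The point of the hardened variant is that the trust decision is made from something the server verified (the API key lookup), not from content negotiation; a genuine API client still skips the confirmation, while a session that merely asks for JSON does not.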
💻 Affected Systems
- MISP (Malware Information Sharing Platform)
📦 What is this software?
MISP (Malware Information Sharing Platform), an open-source threat intelligence sharing platform maintained by the MISP Project.
⚠️ Risk & Real-World Impact
Worst Case
A hijacked administrator session (stolen cookie, XSS, an unattended logged-in browser) is enough to set a new administrator password without knowing the current one, locking out the legitimate administrator and handing the attacker persistent full control of the MISP instance and the threat intelligence it holds.
Likely Case
An attacker who already holds a valid session for a low-privilege user changes that account's credentials without the current password, turning a transient session compromise into a persistent account takeover. Other actions the UI gates behind password confirmation are exposed the same way, but only within the privileges the hijacked account already has.
If Mitigated
Network segmentation and access controls do not remove the bypass, but they limit who can reach MISP at all and confine the impact to the MISP application and its data rather than allowing lateral movement to other systems.
🎯 Exploit Status
Exploitation requires an authenticated session (or control of one, for example via a stolen cookie or XSS); an unauthenticated attacker cannot trigger it. The mechanism is publicly documented in the Zigrin advisory linked below, and reproducing it amounts to adding one request header, so public proof-of-concept details should be considered available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.158
Vendor Advisory: https://github.com/MISP/MISP/commit/01120163a6b4d905029d416e7305575df31df8af
Restart Required: No
Instructions:
1. Back up the MISP instance and its database.
2. Update the checkout to 2.4.158 or later: cd /var/www/MISP && git pull origin 2.4 && git submodule update --init --recursive
3. Apply pending database updates with the MISP shell: sudo -u www-data /var/www/MISP/app/Console/cake Admin runUpdates (use the web server's user if it is not www-data).
4. Confirm the version in /var/www/MISP/VERSION.json (or under Administration > Server Settings & Maintenance > Diagnostics) is 2.4.158 or later.
🔧 Temporary Workarounds
WAF Rule Scoped to the Password-Confirmation Endpoints
Configure the web application firewall in front of MISP to reject state-changing requests to the user-edit and password-change endpoints (/users/edit, /users/change_pw) that carry 'Accept: application/json' but no 'Authorization' header. A rule that matches only on the Accept header would break every legitimate MISP API client (PyMISP and other integrations send that header on every call), so scope the rule by path and by the absence of an API key.
# Example ModSecurity rule (chained; all three conditions must hold before the request is denied):
SecRule REQUEST_URI "@rx ^/users/(edit|change_pw)([/?]|$)" \
    "id:1001,phase:1,deny,status:403,log,msg:'CVE-2022-29534: JSON Accept header on password-confirmation endpoint without API key',chain"
    SecRule REQUEST_HEADERS:Accept "@contains application/json" "chain"
    SecRule &REQUEST_HEADERS:Authorization "@eq 0"
This is a stopgap: it assumes MISP rejects a request whose Authorization header holds an invalid key rather than falling back to the session cookie. Verify that on a test instance before relying on the rule, and remove it once the instance is patched.
🧯 If You Can't Patch
- Implement strict network access controls so that only authorized users and integration hosts can reach MISP
- Shorten session lifetimes and have users log out when finished, since the bypass needs a live session rather than a password
- Enable detailed logging and monitoring of requests to /users/edit and /users/change_pw for bypass attempts, and review MISP's audit logs for unexpected password or account changes
🔍 How to Verify
Check if Vulnerable:
Read the release version from VERSION.json in the MISP root, e.g. {"major":2, "minor":4, "hotfix":157}. Any version below 2.4.158 is vulnerable. 'git log --oneline -1' shows only the subject of the latest commit, not the release version, so do not rely on it.
Check Version:
cat /var/www/MISP/VERSION.json
or, on a tagged checkout: cd /var/www/MISP && git describe --tags
Verify Fix Applied:
Confirm the version is 2.4.158 or later. A grep for the literal string "2.4.158" would report every later release as vulnerable, so compare the major, minor and hotfix numbers numerically rather than matching a string.
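A numeric version check, as an added Python helper rather than a command from the MISP project. It assumes VERSION.json in the MISP root carries the "major", "minor" and "hotfix" keys MISP ships, that 'git describe --tags' yields a tag such as v2.4.158, and that 2.4.158 is the first fixed release (per this advisory). The sample JSON strings are constructed.

```python
import json
from pathlib import Path
from typing import Tuple

Version = Tuple[int, int, int]

# First release containing the fix for CVE-2022-29534.
FIXED_VERSION: Version = (2, 4, 158)


def parse_version_json(text: str) -> Version:
    """Parse the contents of MISP's VERSION.json, e.g. {"major":2, "minor":4, "hotfix":157}."""
    data = json.loads(text)
    try:
        return (int(data["major"]), int(data["minor"]), int(data["hotfix"]))
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError(f"unexpected VERSION.json layout: {text!r}") from exc


def parse_version_string(text: str) -> Version:
    """Parse '2.4.158' or 'v2.4.158-3-gdeadbee' (the shape 'git describe --tags' prints)."""
    parts = text.strip().lstrip("v").split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MISP release version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_vulnerable(version: Version) -> bool:
    """Tuple comparison, so 2.4.159 and 2.5.0 correctly count as fixed."""
    return version < FIXED_VERSION


def assess(version: Version) -> str:
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    return f"MISP {version[0]}.{version[1]}.{version[2]}: {state} (fix in 2.4.158)"


def check_instance(misp_root: str = "/var/www/MISP") -> str:
    """Read VERSION.json from a live checkout and report its status."""
    return assess(parse_version_json((Path(misp_root) / "VERSION.json").read_text()))


if __name__ == "__main__":
    # Constructed samples standing in for real VERSION.json contents.
    for sample in ('{"major":2, "minor":4, "hotfix":157}', '{"major":2, "minor":4, "hotfix":158}'):
        print(assess(parse_version_json(sample)))
    try:
        print(check_instance())
    except FileNotFoundError:
        print("no MISP checkout at /var/www/MISP")
```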
📡 Detection & Monitoring
Log Indicators:
- Multiple failed password confirmation attempts followed by successful actions
- Requests to the password-confirmation endpoints (/users/edit, /users/change_pw) that carry 'Accept: application/json' while authenticating with a session cookie rather than an API key
- Unusual user privilege changes or account modifications
Network Indicators:
- HTTP POST or PUT requests to /users/edit or /users/change_pw carrying 'Accept: application/json' but no 'Authorization' header (a browser session, not an API client, asking for JSON)
- Rapid sequence of authentication-related requests from the same source
SIEM Query (field names are illustrative; map them to your log schema):
source="misp_logs" AND http_method IN ("POST", "PUT") AND (uri_path="/users/edit*" OR uri_path="/users/change_pw*") AND http_accept="*application/json*" AND NOT http_authorization="*"
Matching on the Accept header alone across all of /users/ would flag every legitimate API call; the path and missing-Authorization conditions are what separate bypass attempts from normal API traffic.
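The log-side check, as an added Python example that is neither part of this page nor of MISP: it flags state-changing requests to the password-confirmation endpoints that carry Accept: application/json but no Authorization header, i.e. a browser session using the bypass header rather than a genuine API-key client. It assumes the Apache instance in front of MISP logs the Accept header and the presence (not the value) of an Authorization header with the custom LogFormat shown in the comment; the sample log lines are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# Assumed Apache configuration (not MISP's default); it records the Accept header
# and whether an Authorization header was present, without logging the key itself:
#   SetEnvIf Authorization "." has_authz=1
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Accept}i\" \"%{has_authz}e\"" misp_audit
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ '
    r'"(?P<accept>[^"]*)" "(?P<authz>[^"]*)"$'
)

# MISP endpoints whose browser form requires the current password.
SENSITIVE_PATH = re.compile(r"^/users/(?:edit|change_pw)(?:[/?]|$)", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not match."""
    match = LOG_RE.match(line.rstrip("\n"))
    return match.groupdict() if match else None


def is_bypass_attempt(rec: Dict[str, str]) -> bool:
    """State-changing request to a sensitive endpoint, JSON Accept, no API key header."""
    return (
        rec["method"] in ("POST", "PUT")
        and SENSITIVE_PATH.match(rec["path"]) is not None
        and "application/json" in rec["accept"].lower()
        and rec["authz"] in ("-", "")  # Apache prints "-" when has_authz was never set
    )


def find_bypass_attempts(lines: Iterable[str]) -> List[Dict[str, str]]:
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_bypass_attempt(rec):
            hits.append(rec)
    return hits


# Constructed sample log. Only the first line is a bypass attempt: a session-cookie
# request to change_pw with the JSON Accept header and no Authorization header.
# The second line is a legitimate API client (has_authz=1); the last is malformed.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2022:10:15:01 +0000] "POST /users/change_pw HTTP/1.1" 302 0 "application/json" "-"',
    '198.51.100.7 - - [10/Apr/2022:10:15:30 +0000] "POST /users/edit/12 HTTP/1.1" 200 512 "application/json" "1"',
    '203.0.113.5 - - [10/Apr/2022:10:16:02 +0000] "GET /events/index HTTP/1.1" 200 9001 "text/html,application/xhtml+xml" "-"',
    '203.0.113.9 - - [10/Apr/2022:10:17:44 +0000] "POST /users/change_pw HTTP/1.1" 302 0 "text/html,*/*" "-"',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} status={hit['status']}")
```

The same three conditions (sensitive path, JSON Accept, no Authorization header) are what the SIEM query above expresses; on nginx the equivalent fields are $http_accept and a map over $http_authorization. A flagged line is not proof of compromise on its own, but it should never occur in normal use, because MISP's API clients always authenticate with the Authorization header.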
🔗 References
- https://github.com/MISP/MISP/commit/01120163a6b4d905029d416e7305575df31df8af
- https://github.com/MISP/MISP/compare/v2.4.157...v2.4.158
- https://zigrin.com/advisories/misp-password-confirmation-can-be-bypassed/
- https://zigrin.com/cakephp-application-cybersecurity-research-the-impact-of-a-php-vulnerability-exploring-the-password-confirmation-bypass-in-misp/