CVE-2023-37306

7.5 HIGH

📋 TL;DR

CVE-2023-37306 is an information disclosure vulnerability in MISP (Malware Information Sharing Platform) where improper handling of certificate file extensions during server synchronization leaks sensitive information through error messages. Attackers can exploit this to read arbitrary files from the server. Organizations running vulnerable MISP instances are affected.

💻 Affected Systems

Products:
  • MISP (Malware Information Sharing Platform)
Versions: 2.4.172 and earlier versions
Operating Systems: All platforms running MISP
Default Config Vulnerable: ⚠️ Yes
Notes: All MISP instances with server synchronization enabled are vulnerable. The vulnerability is in the PHP code handling certificate validation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers can read sensitive server files including configuration files, private keys, and database credentials, potentially leading to full system compromise.

🟠 Likely Case

Attackers extract configuration files containing API keys, database credentials, or other sensitive operational data.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the MISP application server only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to trigger server sync operations. The vulnerability leverages PHP filter chains to read files through error messages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.173 and later

Vendor Advisory: https://github.com/MISP/MISP/commit/f125630c1c2d0f5d11079d3653ab7bb2ab5cd908

Restart Required: No

Instructions:

1. Update MISP to version 2.4.173 or later.
2. Run the update script: cd /var/www/MISP && git pull
3. Update dependencies: cd /var/www/MISP/app && php composer.phar update
4. Clear caches if necessary.

🔧 Temporary Workarounds

Disable Server Synchronization (applies to: all)

Temporarily disable MISP server synchronization features to prevent exploitation.

Edit MISP configuration to disable sync features or restrict sync permissions.

Restrict Certificate Uploads (applies to: all)

Implement strict validation on certificate file uploads and extensions.

Configure the web server to reject unexpected file extensions in sync requests.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can initiate server sync operations
  • Monitor and alert on unusual file read attempts through MISP sync logs

🔍 How to Verify

Check if Vulnerable:

Check the MISP version with grep -i version /var/www/MISP/VERSION.json or via the web interface. If the version is 2.4.172 or earlier, the system is vulnerable.

Check Version:

grep version /var/www/MISP/VERSION.json

Verify Fix Applied:

Verify version is 2.4.173 or later and test that certificate validation properly rejects invalid file extensions.
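The version check above can be scripted so that a fleet of MISP hosts is compared against the fixed release 2.4.173 instead of eyeballing the file. The script below is an added example, not part of this advisory or of the MISP project; it assumes VERSION.json carries numeric "major", "minor" and "hotfix" fields (the sample values embedded here are constructed), and it fails closed by reporting "unknown" when the file cannot be parsed.

```shell
#!/bin/sh
# Added example: classify a MISP VERSION.json as patched or vulnerable for
# CVE-2023-37306 (fixed in 2.4.173). Assumes the JSON shape
# {"major":2, "minor":4, "hotfix":NNN}; the real file is /var/www/MISP/VERSION.json.

# json_field '<json text>' <field>  -> prints the numeric value of <field>, or nothing
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# misp_version_status '<json text>' -> prints patched | vulnerable | unknown
misp_version_status() {
    major=$(json_field "$1" major)
    minor=$(json_field "$1" minor)
    hotfix=$(json_field "$1" hotfix)
    # Fail closed: an unparseable file is reported as unknown, never as patched
    if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$hotfix" ]; then
        echo "unknown"
        return 2
    fi
    # Patched when version >= 2.4.173 (compare major, then minor, then hotfix)
    if [ "$major" -gt 2 ] \
       || { [ "$major" -eq 2 ] && [ "$minor" -gt 4 ]; } \
       || { [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$hotfix" -ge 173 ]; }; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# On a live host: misp_version_status "$(cat /var/www/MISP/VERSION.json)"
# Constructed samples for a stand-alone run:
SAMPLE_OLD='{"major":2, "minor":4, "hotfix":172}'
SAMPLE_NEW='{"major":2, "minor":4, "hotfix":173}'
echo "2.4.172 -> $(misp_version_status "$SAMPLE_OLD")"
echo "2.4.173 -> $(misp_version_status "$SAMPLE_NEW")"
```

Because the exit status of misp_version_status is non-zero only for the unknown case, the function can also gate a configuration-management run: treat anything other than "patched" as a host still needing the 2.4.173 update.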

📡 Detection & Monitoring

Log Indicators:

  • Error messages containing file paths in MISP logs
  • Unusual certificate validation failures in sync logs
  • Multiple failed sync attempts with unusual file extensions

Network Indicators:

  • Unusual outbound file transfers from MISP server
  • Suspicious sync requests to/from unauthorized IPs

SIEM Query:

source="misp.log" AND ("certificate" OR "sync") AND ("error" OR "failed") AND ("file" OR "path")
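Where no SIEM is in front of the MISP host, the same three conditions (certificate or sync context, an error or failure, and a file path surfacing in the message) can be applied locally with awk. The filter below is an added example, not part of this advisory or of MISP; the log lines it runs over are constructed for illustration and do not reproduce MISP's real log format, so the regexes should be adjusted to the actual messages seen in the instance's logs.

```shell
#!/bin/sh
# Added example: local approximation of the SIEM query for CVE-2023-37306
# indicators, run over constructed sample log lines (not real MISP output).

# Reads log lines on stdin; prints those that mention certificate/sync handling,
# an error or failure, AND contain an absolute file path in the message text.
flag_cert_path_errors() {
    awk 'tolower($0) ~ /(certificate|sync)/ &&
         tolower($0) ~ /(error|fail)/ &&
         $0 ~ /\/[A-Za-z0-9_.\/-]+/'
}

# Reads log lines on stdin; prints the number of flagged lines.
count_cert_path_errors() {
    flag_cert_path_errors | wc -l | tr -d ' '
}

# Constructed sample: two benign lines, two that should be flagged
# (a certificate error naming a cert file, and a sync error naming a config file).
SAMPLE_LOG='2023-07-01 10:00:01 Server sync with server 3 completed
2023-07-01 10:02:15 Error: certificate validation failed for server 3, file /var/www/MISP/app/files/certs/3.pem
2023-07-01 10:02:16 Warning: sync error while reading /var/www/MISP/app/Config/database.php
2023-07-01 10:05:00 User admin@example.org logged in'

printf '%s\n' "$SAMPLE_LOG" | flag_cert_path_errors
echo "flagged: $(printf '%s\n' "$SAMPLE_LOG" | count_cert_path_errors)"
```

A single hit on a certificate file is ordinary sync noise; what warrants escalation is a burst of such errors naming paths outside the certificate directory, which matches the "unusual file extensions" and "file paths in error messages" indicators listed above.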
