CVE-2023-48655
📋 TL;DR
This vulnerability in MISP (Malware Information Sharing Platform) allows blind SQL injection through improperly filtered array input parameters. Attackers can exploit this to execute arbitrary SQL queries, potentially leading to data theft, manipulation, or system compromise. All MISP instances running vulnerable versions are affected.
💻 Affected Systems
- MISP (Malware Information Sharing Platform)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise allowing data exfiltration, modification, or deletion; potential remote code execution through database functions; full system takeover.
Likely Case
Unauthorized access to sensitive threat intelligence data, user credentials, or system information; data manipulation affecting MISP operations.
If Mitigated
Limited impact due to proper input validation, parameterized queries, and database permissions restricting damage to non-critical data.
🎯 Exploit Status
Exploit requires authenticated access; SQL injection is blind but can be automated; proof-of-concept details available in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.176
Vendor Advisory: https://github.com/MISP/MISP/commit/158c8b2f788b75e0d26e9249a75e1be291e59d4b
Restart Required: Yes
Instructions:
1. Backup your MISP instance and database.
2. Update MISP to version 2.4.176 or later using git: 'git pull origin 2.4'.
3. Run update scripts: 'sudo -u www-data bash /var/www/MISP/app/Console/cake Admin runUpdates'.
4. Restart web server: 'sudo systemctl restart apache2' (or your web server).
5. Verify update completed successfully.
🔧 Temporary Workarounds
Input Validation Filter (applies to: all)
Implement additional input validation for array parameters in custom code.
Configuration: not applicable, requires code modification.
Web Application Firewall (applies to: all)
Deploy WAF rules to block SQL injection patterns in array parameters.
Configuration: WAF-specific configuration required.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MISP instance from sensitive systems
- Enable detailed SQL query logging and monitor for injection patterns; restrict database user permissions to minimum required
🔍 How to Verify
Check if Vulnerable:
Check MISP version: navigate to Administration -> Server Settings -> Diagnostics in web interface, or check /var/www/MISP/VERSION.json file for version number.
Check Version:
cat /var/www/MISP/VERSION.json | grep version
Verify Fix Applied:
Confirm version is 2.4.176 or higher; verify commit 158c8b2f788b75e0d26e9249a75e1be291e59d4b is present in git history.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed authentication attempts followed by parameter manipulation
- Requests with array parameters containing SQL keywords
Network Indicators:
- HTTP POST requests with array parameters containing SQL syntax
- Unusual database connection patterns from web server
SIEM Query:
source="misp_access.log" AND (url="*[\"' OR *" OR param="*[\"' OR *" OR user_agent="*sqlmap*")
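As an added example (not part of the original advisory or of MISP itself), the script below applies the log and network indicators above to web server access logs: it flags requests whose array-style parameters carry SQL syntax and requests sent with a sqlmap User-Agent. The Apache combined log format, the request paths and the sample lines are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access log lines (not real MISP traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2023:10:00:01 +0000] "GET /events/index?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Nov/2023:10:00:02 +0000] "GET /attributes/index?filters%5Btype%5D=ip-dst HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Nov/2023:10:00:03 +0000] "GET /events/index?searchall%5B%5D=%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Nov/2023:10:00:04 +0000] "POST /events/index HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Array-style parameter names such as searchall[] or filters[type].
ARRAY_NAME = re.compile(r"^[A-Za-z_][\w.]*\[[^\]]*\]$")
# SQL fragments worth flagging inside a decoded value (heuristic, tuned to limit noise).
SQL_FRAGMENT = re.compile(r"(?i)(['\"]\s*(or|and)\b|\bunion\s+select\b|\bsleep\s*\(|--|/\*)")

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_array_params(path):
    """List (name, decoded value) for array parameters whose value contains SQL fragments."""
    query = urlsplit(path).query
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if ARRAY_NAME.match(name) and SQL_FRAGMENT.search(value)
    ]

def scan(lines):
    """Return one finding per suspicious request: client IP, path, reason and matched params."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        hits = suspicious_array_params(rec["path"])
        if hits:
            findings.append({"ip": rec["ip"], "path": rec["path"], "reason": "sql_in_array_param", "params": hits})
        elif "sqlmap" in rec["ua"].lower():
            findings.append({"ip": rec["ip"], "path": rec["path"], "reason": "sqlmap_user_agent", "params": []})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} {f['reason']} {f['path']} {f['params']}")
```

POST bodies are not present in access logs, so array parameters sent in a request body need the WAF or application-level logging mentioned above to be inspected the same way.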
🔗 References
- https://github.com/MISP/MISP/commit/158c8b2f788b75e0d26e9249a75e1be291e59d4b
- https://github.com/MISP/MISP/compare/v2.4.175...v2.4.176
- https://zigrin.com/advisories/misp-blind-sql-injection-in-array-input-parameters/