CVE-2023-50918

9.8 CRITICAL

📋 TL;DR

CVE-2023-50918 is an access control vulnerability in MISP's audit logs controller that allows unauthorized users to view audit logs. This affects all MISP instances running versions before 2.4.182. The vulnerability bypasses proper ACL checks, potentially exposing sensitive audit trail information.

💻 Affected Systems

Products:
  • MISP (Malware Information Sharing Platform)
Versions: All versions before 2.4.182
Operating Systems: All platforms running MISP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all MISP deployments regardless of configuration.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized users gain access to audit logs containing sensitive system activity, user actions, and security events, potentially enabling reconnaissance for further attacks.

🟠

Likely Case

Internal users with limited privileges can view audit logs they shouldn't have access to, violating the principle of least privilege and potentially exposing sensitive operational information.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to authorized users gaining access to logs they shouldn't see, but no system compromise occurs.

🌐 Internet-Facing: HIGH if the MISP instance is internet-facing, since any holder of a valid account could read audit logs without the authorization the ACL is meant to enforce.
🏢 Internal Only: MEDIUM as it still violates access controls but requires some level of internal access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the MISP web interface but bypasses ACL checks. No authentication bypass is required beyond having any valid user account.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.182

Vendor Advisory: https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1

Restart Required: Yes

Instructions:

1. Backup your MISP instance and database.
2. Update MISP to version 2.4.182 or later using git: run 'git pull' in the MISP directory.
3. Run the update scripts: 'sudo -u www-data /var/www/MISP/app/Console/cake Admin update'.
4. Restart the web server: 'sudo systemctl restart apache2' (or your web server).

🔧 Temporary Workarounds

Restrict access to audit logs


Temporarily restrict all access to audit logs functionality via web server configuration or application firewall.

# Example Apache config to block /auditlogs path
<Location "/auditlogs">
    Require all denied
</Location>

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can access the MISP web interface
  • Review and minimize user accounts with access to MISP, ensuring only necessary personnel have accounts

🔍 How to Verify

Check if Vulnerable:

Check MISP version: 'cd /var/www/MISP && git describe --tags' or view version in web interface footer. If version is below 2.4.182, you are vulnerable.

Check Version:

cd /var/www/MISP && git describe --tags 2>/dev/null || grep -i version app/Config/config.php

Verify Fix Applied:

After patching, verify version is 2.4.182 or higher. Test audit log access with different user roles to ensure proper ACL enforcement.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to audit logs endpoint
  • Users accessing audit logs without proper permissions in application logs

Network Indicators:

  • HTTP requests to /auditlogs endpoint from unauthorized IPs or users

SIEM Query:

source="misp_logs" AND (uri_path="/auditlogs" OR endpoint="AuditLogs") AND user_role!="admin"
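A detection pass in the spirit of the SIEM query above, as an added example that is not part of the original advisory. It assumes a JSON-lines request log carrying the same fields the query relies on (uri_path, user, user_role, status); the sample lines are constructed. A non-privileged request answered with 200 is the signal that the ACL check did not hold, while a 403 shows the check was enforced.

```python
import json
import re

# Constructed sample log (not real MISP output): JSON lines with the fields
# the advisory's SIEM query assumes. Both path spellings are included so the
# matcher is exercised on each.
SAMPLE_LOG = """\
{"ts": "2024-01-12T10:01:12Z", "src_ip": "10.0.0.5", "user": "alice", "user_role": "admin", "uri_path": "/auditlogs/index", "status": 200}
{"ts": "2024-01-12T10:02:30Z", "src_ip": "10.0.0.7", "user": "bob", "user_role": "user", "uri_path": "/audit_logs/index", "status": 200}
{"ts": "2024-01-12T10:03:01Z", "src_ip": "10.0.0.9", "user": "carol", "user_role": "user", "uri_path": "/events/index", "status": 200}
{"ts": "2024-01-12T10:04:44Z", "src_ip": "10.0.0.7", "user": "bob", "user_role": "user", "uri_path": "/auditlogs/index?page=2", "status": 403}
"""

# Audit-log controller paths: the advisory uses /auditlogs; the underscore
# variant is matched as well so a spelling difference does not hide a hit.
AUDIT_LOG_PATH = re.compile(r"^/audit_?logs(?:/|\?|$)", re.IGNORECASE)

# Roles that are expected to read audit logs (assumption; adjust to your RBAC).
PRIVILEGED_ROLES = {"admin"}


def find_audit_log_access(log_text, privileged_roles=PRIVILEGED_ROLES):
    """Return (attempts, successes).

    attempts:  audit-log requests made by a non-privileged role (any status).
    successes: the subset answered with HTTP 200, i.e. the ACL did not block
               the request; on a patched 2.4.182+ instance this list should be
               empty.
    """
    attempts, successes = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not AUDIT_LOG_PATH.match(rec.get("uri_path", "")):
            continue
        if rec.get("user_role") in privileged_roles:
            continue
        attempts.append(rec)
        if rec.get("status") == 200:
            successes.append(rec)
    return attempts, successes


if __name__ == "__main__":
    tried, got_through = find_audit_log_access(SAMPLE_LOG)
    for rec in tried:
        verdict = "ACL NOT ENFORCED" if rec in got_through else "blocked"
        print(f"{rec['ts']} {rec['user']}({rec['user_role']}) {rec['uri_path']} -> {rec['status']} {verdict}")
```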
