CVE-2024-25674
📋 TL;DR
This vulnerability in MISP allows attackers to upload malicious files disguised as organization logos due to insufficient file extension and MIME type validation. Attackers could execute arbitrary code on the server, affecting all MISP instances running vulnerable versions. Organizations using MISP for threat intelligence sharing are at risk.
💻 Affected Systems
- MISP (Malware Information Sharing Platform)
📦 What is this software?
MISP by MISP
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
File upload leading to web shell deployment, data exfiltration, or denial of service.
If Mitigated
Limited impact with proper file validation and restricted upload permissions.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.184
Vendor Advisory: https://github.com/MISP/MISP/commit/312d2d5422235235ddd211dcb6bb5bb09c07791f
Restart Required: Yes
Instructions:
1. Back up your MISP instance and database.
2. Update MISP to version 2.4.184 or later using git pull or your package manager.
3. Restart the web server and MISP workers.
4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Disable organization logo upload
Temporarily disable the organization logo upload feature to prevent exploitation.
Edit MISP configuration to remove logo upload functionality or restrict access to admin users only.
Implement web application firewall rules
Block malicious file uploads at the WAF level.
Configure WAF to block uploads with suspicious file extensions or MIME types.
🧯 If You Can't Patch
- Restrict access to organization management features to trusted administrators only.
- Implement strict file validation at the application or reverse proxy level.
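The following is an added illustration of what "strict file validation" means for a logo upload, written for this page and not taken from MISP's code: it allowlists extensions, rejects double extensions and path components, checks the declared MIME type against the extension, and verifies the file's magic bytes match what the extension claims. The allowed types, the size cap and the sample uploads are assumptions constructed for the example.

```python
import os

# Allowlisted logo extensions, their expected MIME type and magic bytes.
# This set is an assumption for the example, not MISP's own configuration.
ALLOWED = {
    "png":  ("image/png",  [b"\x89PNG\r\n\x1a\n"]),
    "jpg":  ("image/jpeg", [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "gif":  ("image/gif",  [b"GIF87a", b"GIF89a"]),
}
MAX_SIZE = 1024 * 1024  # 1 MiB cap (assumed)


def validate_logo(filename: str, declared_mime: str, data: bytes):
    """Return (accepted, reason); the first failing check wins."""
    base = os.path.basename(filename)
    if not base or base != filename or base.startswith("."):
        return False, "path component or hidden file name"
    parts = base.lower().split(".")
    if len(parts) != 2:                     # rejects 'logo.png.php' style names
        return False, "missing or multiple extensions"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    expected_mime, magics = ALLOWED[ext]
    if declared_mime != expected_mime:      # client MIME must agree with extension
        return False, f"MIME {declared_mime} does not match .{ext}"
    if len(data) > MAX_SIZE:
        return False, "file too large"
    if not any(data.startswith(m) for m in magics):
        return False, "content does not match extension"   # e.g. PHP source named .png
    return True, "ok"


# Constructed sample uploads: one legitimate PNG and several that should be rejected.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = {
    "good":        ("logo.png",     "image/png",         PNG),
    "php_ext":     ("shell.php",    "image/png",         b"<?php echo 1; ?>"),
    "double_ext":  ("logo.png.php", "image/png",         PNG),
    "traversal":   ("../logo.png",  "image/png",         PNG),
    "bad_mime":    ("logo.png",     "application/x-php", PNG),
    "php_as_png":  ("logo.png",     "image/png",         b"<?php echo 1; ?>"),
}


def run_samples():
    """Validate every sample and return {name: accepted}."""
    return {name: validate_logo(*args)[0] for name, args in SAMPLES.items()}
```

A magic-byte check does not stop a valid image with script appended to it, so the upload directory must also be served as static content with script execution disabled.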
🔍 How to Verify
Check if Vulnerable:
Check if MISP version is below 2.4.184 by accessing the web interface or checking configuration files.
Check Version:
Check MISP web interface dashboard or run: grep -i version /var/www/MISP/app/Config/config.php
Verify Fix Applied:
Confirm MISP version is 2.4.184 or higher and test logo upload with malicious files to ensure they are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to organization logo endpoint
- Failed upload attempts with suspicious file types
- Unexpected process execution from web server
Network Indicators:
- HTTP POST requests to /organisations/uploadLogo with unusual file extensions
- Outbound connections from MISP server to unknown IPs
SIEM Query:
source="misp_logs" AND (url_path="/organisations/uploadLogo" AND (file_extension="php" OR file_extension="exe"))