CVE-2024-26139
📋 TL;DR
This vulnerability in OpenCTI allows authenticated users with low privileges to escalate their permissions to administrative level through the profile edit functionality. Organizations using vulnerable versions of OpenCTI are affected. Attackers can gain full control over the threat intelligence platform.
💻 Affected Systems
- OpenCTI
📦 What is this software?
OpenCTI by Citeum
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains administrative privileges, potentially accessing sensitive threat intelligence data, modifying platform configurations, and compromising the entire OpenCTI instance.
Likely Case
Malicious insider or compromised low-privilege account escalates to admin, accesses confidential threat intelligence, and manipulates platform data.
If Mitigated
Proper access controls prevent privilege escalation, limiting impact to authorized user actions only.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.6 and later
Vendor Advisory: https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-qx4j-f4f2-vjw9
Restart Required: Yes
Instructions:
1. Backup your OpenCTI instance and database.
2. Update to OpenCTI version 6.1.6 or later.
3. Restart the OpenCTI service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Temporary Access Restriction
Restrict access to the profile edit functionality, or put additional authorization checks in front of it, until the patch can be applied:
- Modify the OpenCTI configuration to add authorization middleware that rejects profile edit requests attempting to change roles or permissions
- Enforce role-based access control checks on the profile endpoints so that only administrators can modify privilege-bearing fields
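The check the workaround describes, shown as an added example that is not OpenCTI's own code: the vulnerable pattern (a profile handler that writes every submitted field) next to a deny-by-default guard that lets non-administrators change only a fixed set of cosmetic fields on their own profile and refuses, rather than silently drops, any attempt to touch role or permission fields. The field names, role name and request shape are assumptions made for the illustration.

```python
from __future__ import annotations

from typing import Any

# Assumed field sets for the illustration (not OpenCTI's real schema).
# Fields an ordinary user may change on their own profile.
SELF_EDITABLE_FIELDS = frozenset({"name", "description", "language", "theme"})
# Fields that confer privilege and must never be writable through self-service.
PRIVILEGED_FIELDS = frozenset({"roles", "groups", "capabilities", "is_admin"})
ADMIN_ROLE = "Administrator"  # assumed name of the administrative role


class AuthorizationError(Exception):
    """Raised when a profile update is refused; the message is meant for the audit log."""


def apply_profile_update_unsafe(user: dict[str, Any], patch: dict[str, Any]) -> dict[str, Any]:
    """The vulnerable pattern: every submitted field is written to the user record,
    so a low-privilege user who adds "roles" to the request grants themselves admin.
    Illustrative only; not a claim about how OpenCTI's handler was written."""
    updated = dict(user)
    updated.update(patch)
    return updated


def authorize_profile_update(actor: dict[str, Any], target_user_id: str,
                             patch: dict[str, Any]) -> dict[str, Any]:
    """Deny-by-default check: returns the patch if it may be applied, otherwise raises.

    * administrators may change any field of any user;
    * everyone else may edit only their own profile, and only SELF_EDITABLE_FIELDS;
    * privileged or unknown fields are rejected outright rather than silently
      dropped, so the attempt is visible in logs and can be alerted on.
    """
    if ADMIN_ROLE in actor.get("roles", []):
        return dict(patch)
    if actor["id"] != target_user_id:
        raise AuthorizationError(f"user {actor['id']} may not edit profile {target_user_id}")
    disallowed = set(patch) - SELF_EDITABLE_FIELDS
    privileged = disallowed & PRIVILEGED_FIELDS
    if privileged:
        raise AuthorizationError(
            f"user {actor['id']} attempted to change privileged fields {sorted(privileged)}")
    if disallowed:
        raise AuthorizationError(f"fields not editable via profile: {sorted(disallowed)}")
    return dict(patch)


def apply_profile_update_safe(actor: dict[str, Any], user: dict[str, Any],
                              patch: dict[str, Any]) -> dict[str, Any]:
    """Hardened handler: authorize first, then write only the approved fields."""
    approved = authorize_profile_update(actor, user["id"], patch)
    updated = dict(user)
    updated.update(approved)
    return updated


def is_update_allowed(actor: dict[str, Any], target_user_id: str, patch: dict[str, Any]) -> bool:
    """Boolean convenience wrapper around authorize_profile_update."""
    try:
        authorize_profile_update(actor, target_user_id, patch)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    low = {"id": "u1", "roles": ["Default"], "name": "alice"}
    escalation = {"name": "alice", "roles": ["Administrator"]}
    print("unsafe handler writes:", apply_profile_update_unsafe(low, escalation)["roles"])  # ['Administrator']
    print("hardened handler allows it?", is_update_allowed(low, "u1", escalation))        # False
```

Rejecting the whole request instead of stripping the offending fields is a deliberate choice: a stripped request looks like a normal profile edit in the logs, whereas a refusal produces exactly the "failed authorization attempt" event the detection section below relies on.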
🧯 If You Can't Patch
- Implement strict network segmentation and limit OpenCTI access to authorized users only
- Monitor user privilege changes and implement alerting for suspicious permission escalations
🔍 How to Verify
Check if Vulnerable:
Check the OpenCTI version via the web interface or the API. If the version is below 6.1.6, the instance is vulnerable.
Check Version:
curl -X GET 'http://opencti-instance/api/version'
Verify Fix Applied:
After updating, verify that the version is 6.1.6 or higher and test that low-privilege users cannot modify their own permissions through the profile edit functionality.
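The version comparison behind both the "Check if Vulnerable" and "Verify Fix Applied" steps, as an added example that is not part of the advisory: it compares the reported version against the first fixed release numerically, because a plain string comparison would misorder versions such as 6.10.0 and 6.1.6. The /api/version endpoint is the one shown in the curl command above; the assumption that it returns JSON with a "version" key is ours, with a fallback to a bare version string.

```python
from __future__ import annotations

import json
import re
import sys
import urllib.request

FIXED_VERSION = "6.1.6"  # first release carrying the fix, per the advisory


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the leading dotted-numeric part, e.g. "v6.1.6-rc1" -> (6, 1, 6)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True if the reported version is below FIXED_VERSION (numeric, per-component)."""
    have, fixed = parse_version(version), parse_version(FIXED_VERSION)
    # Pad the shorter tuple so "6.1" compares as (6, 1, 0).
    width = max(len(have), len(fixed))
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    return have < fixed


def version_from_response(body: bytes) -> str:
    """Pull the version out of an API response.
    Assumes JSON like {"version": "6.1.6"}; falls back to treating the body as a bare string."""
    try:
        data = json.loads(body)
        if isinstance(data, dict) and "version" in data:
            return str(data["version"])
    except json.JSONDecodeError:
        pass
    return body.decode(errors="replace").strip()


def check_instance(base_url: str, timeout: float = 5.0) -> tuple[str, bool]:
    """Query the live endpoint from the advisory and classify the instance.
    Performs a network call; the offline test exercises only the parsing and comparison."""
    url = f"{base_url.rstrip('/')}/api/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        version = version_from_response(resp.read())
    return version, is_vulnerable(version)


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://opencti-instance"
    ver, vuln = check_instance(base)
    verdict = "VULNERABLE: update to 6.1.6 or later" if vuln else "fixed version"
    print(f"{base}: OpenCTI {ver} -> {verdict}")
```

Run it as `python check_opencti.py https://your-opencti-host` after the update as well as before; a result of "fixed version" covers the first half of the verification, and the functional test (a low-privilege user trying to change their own permissions) covers the second.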
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events
- User role changes from low to high privilege
- Multiple failed authorization attempts followed by successful privilege modification
Network Indicators:
- Unusual API calls to user profile endpoints from low-privilege accounts
- POST requests to permission modification endpoints
SIEM Query:
source="opencti" AND (event_type="user_role_change" OR message="permission escalation")
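The log indicators above, turned into offline detection logic as an added example that is not from the advisory or from OpenCTI: it scans JSON log lines, raises one alert per role change to a higher privilege, and escalates severity when the actor granted the role to themselves or when the same actor had accumulated several denied authorization attempts shortly beforehand. The log field names, the role ranking and the sample log lines are all constructed for the illustration and do not reflect OpenCTI's real log schema.

```python
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ranking of roles from least to most privileged (not OpenCTI's real role list).
ROLE_RANK = {"Default": 0, "Connector": 1, "Analyst": 2, "Administrator": 3}
FAILED_AUTHZ_THRESHOLD = 3                 # denied attempts that make a later success suspicious
FAILED_AUTHZ_WINDOW = timedelta(minutes=10)

# Constructed sample log lines in an assumed JSON-per-line format; not real OpenCTI output.
SAMPLE_LOG = """\
{"ts": "2024-02-20T09:00:01Z", "event_type": "user_profile_update", "actor": "alice", "target": "alice", "status": "denied"}
{"ts": "2024-02-20T09:00:05Z", "event_type": "user_profile_update", "actor": "alice", "target": "alice", "status": "denied"}
{"ts": "2024-02-20T09:00:09Z", "event_type": "user_profile_update", "actor": "alice", "target": "alice", "status": "denied"}
{"ts": "2024-02-20T09:00:30Z", "event_type": "user_role_change", "actor": "alice", "target": "alice", "old_role": "Default", "new_role": "Administrator", "status": "success"}
{"ts": "2024-02-20T10:15:00Z", "event_type": "user_role_change", "actor": "admin", "target": "bob", "old_role": "Default", "new_role": "Analyst", "status": "success"}
{"ts": "2024-02-20T11:00:00Z", "event_type": "user_role_change", "actor": "admin", "target": "carol", "old_role": "Analyst", "new_role": "Default", "status": "success"}
"""


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_escalations(log_text: str) -> list[dict]:
    """Return one alert per role change to a higher privilege level.

    Severity is "high" when the actor granted the role to themselves or when the
    same actor had FAILED_AUTHZ_THRESHOLD or more denied attempts within the
    preceding FAILED_AUTHZ_WINDOW; otherwise "medium" (a legitimate admin promotion
    still matches the "low to high privilege" indicator and is worth reviewing).
    """
    alerts: list[dict] = []
    denied: dict[str, list[datetime]] = defaultdict(list)  # actor -> timestamps of denials
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        ts = parse_ts(ev["ts"])
        actor = ev.get("actor")
        if ev.get("status") == "denied":
            denied[actor].append(ts)
            continue
        if ev.get("event_type") != "user_role_change":
            continue
        old_rank = ROLE_RANK.get(ev.get("old_role"), 0)
        new_rank = ROLE_RANK.get(ev.get("new_role"), 0)
        if new_rank <= old_rank:
            continue  # demotion or lateral move: not an escalation
        reasons = ["role escalation"]
        if actor == ev.get("target"):
            reasons.append("self-granted")
        recent = [t for t in denied[actor] if timedelta(0) <= ts - t <= FAILED_AUTHZ_WINDOW]
        if len(recent) >= FAILED_AUTHZ_THRESHOLD:
            reasons.append(f"{len(recent)} denied attempts in prior {FAILED_AUTHZ_WINDOW}")
        alerts.append({
            "ts": ev["ts"], "actor": actor, "target": ev.get("target"),
            "old_role": ev.get("old_role"), "new_role": ev.get("new_role"),
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_escalations(SAMPLE_LOG):
        print(f"[{a['severity'].upper()}] {a['ts']} {a['actor']} -> {a['target']}: "
              f"{a['old_role']} -> {a['new_role']} ({'; '.join(a['reasons'])})")
```

The same correlation (denied events followed by a successful role change from the same actor) is what the SIEM query above is approximating; the window and threshold are tuning knobs and should be set from a baseline of normal admin activity on your instance.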