CVE-2024-29858
📋 TL;DR
This vulnerability in MISP (Malware Information Sharing Platform) stems from insufficient validation of organisation logo uploads (the __uploadLogo handler in app/Controller/OrganisationsController.php), which lets an authenticated user who can reach the logo upload store a file that is not a legitimate image on the server. It affects all MISP instances running versions before 2.4.187. Depending on where the file lands and how the web server is configured, the outcome ranges from a junk file on disk to remote code execution and full server compromise.
💻 Affected Systems
- MISP (Malware Information Sharing Platform)
📦 What is this software?
MISP by the MISP project: an open-source threat intelligence platform for collecting, sharing and correlating indicators of compromise. It is written in PHP (CakePHP) and normally served by Apache, so the concern with an unvalidated upload is a file that the web server will execute as PHP from inside the web root.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution as the web server user, leading to complete compromise of the MISP host, exfiltration of the threat intelligence it holds (including sharing-group data and API keys), and lateral movement within the network.
Likely Case
An attacker with an administrator-level account, or who has stolen one, uploads a web shell disguised as a logo and executes arbitrary commands on the server.
If Mitigated
Limited impact if the web server refuses to execute PHP from the directory where logos are stored, uploads are checked by content rather than extension, a WAF screens the upload path, and only trusted administrators can reach the upload: the residual effect is a non-image file sitting on disk, not code execution.
🎯 Exploit Status
Exploitation requires access to the logo upload, which is part of the organisation add/edit workflow and therefore requires an authenticated account with the right to add or edit organisations (an administrator-level role). Unauthenticated users cannot reach it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.187
Vendor Advisory: https://github.com/MISP/MISP/commit/6a2986be6aad6b37858b4869e238f517b295c111
Restart Required: No
Instructions:
1. Back up the MISP instance and its database.
2. As the web server user, update the code from the 2.4 branch: 'cd /var/www/MISP && sudo -u www-data git pull origin 2.4', then refresh the submodules: 'sudo -u www-data git submodule update --init --recursive'.
3. Run the update script: 'sudo -u www-data bash /var/www/MISP/app/Console/cake Admin runUpdates'.
4. Confirm VERSION.json in /var/www/MISP reports 2.4.187 or later and that organisation logos still upload and display correctly.
🔧 Temporary Workarounds
Disable logo upload functionality
Temporarily disable the vulnerable logo upload until patching can be completed. This blocks legitimate logo changes as well, and the local edit will conflict with the later git pull, so record the change and revert it before updating. Removing the function itself without its callers makes the organisation add/edit actions error on submit, which blocks the upload but also breaks organisation management.
# Modify app/Controller/OrganisationsController.php to comment out or remove the __uploadLogo function
Implement WAF rules
Add web application firewall rules to block file uploads to the logo endpoint. The logo file is submitted through the organisation add/edit forms, so check your access logs for the exact request path before deploying the rule; a rule keyed on a path that never appears blocks nothing.
# Example ModSecurity rule: SecRule REQUEST_URI "@contains /organisations/uploadLogo" "id:1001,phase:2,deny,status:403"
🧯 If You Can't Patch
- Configure the web server so that nothing under the directory where logos are stored is executed as PHP (deny the PHP handler there), and validate uploads by content (magic bytes), not just by extension or client-supplied Content-Type
- Restrict access to the logo upload functionality to trusted administrators only, and review which accounts currently hold those roles
🔍 How to Verify
Check if Vulnerable:
Read the release from VERSION.json in the MISP install root: 'cat /var/www/MISP/VERSION.json' (it carries major, minor and hotfix keys). If it reports anything earlier than 2.4.187, you are vulnerable. Note that 'git log --oneline -1' only prints the latest commit hash and subject, not a release number, so it cannot confirm the version on its own.
Check Version:
cat /var/www/MISP/VERSION.json
cd /var/www/MISP && git describe --tags
Verify Fix Applied:
Confirm VERSION.json reports 2.4.187 or later, and that the fix commit from the vendor advisory is in your checkout's history: 'cd /var/www/MISP && git merge-base --is-ancestor 6a2986be6aad6b37858b4869e238f517b295c111 HEAD && echo "fix commit present"'. Output from 'git describe --tags' of the form v2.4.187-N-g<hash> means N commits after the 2.4.187 tag, which is also fixed.
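The version check above, as an added example (not part of this advisory or of MISP's own code): it reads VERSION.json from the install root, falls back to 'git describe --tags' when that file is missing, and compares the result against 2.4.187 as a tuple so that 2.4.200 and 2.5.0 are correctly treated as fixed. The install path /var/www/MISP is the assumed default; the VERSION.json keys (major, minor, hotfix) are MISP's.

```python
"""Version check for CVE-2024-29858 (fixed in MISP 2.4.187)."""
import json
import re
import subprocess
from pathlib import Path

MISP_ROOT = "/var/www/MISP"      # assumed default install path; adjust
FIXED_VERSION = (2, 4, 187)      # first release carrying the fix


def parse_version_json(text: str) -> tuple:
    """Parse MISP's VERSION.json, e.g. {"major":2, "minor":4, "hotfix":186}."""
    data = json.loads(text)
    return (int(data["major"]), int(data["minor"]), int(data["hotfix"]))


def parse_git_describe(text: str) -> tuple:
    """Parse 'git describe --tags' output such as 'v2.4.186' or
    'v2.4.186-12-gabc1234'. Commits after a tag are reported as that tag,
    so a checkout between releases is treated as the older release."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version: tuple) -> bool:
    """True when the install predates the fixed release (tuple comparison)."""
    return version < FIXED_VERSION


def check_install(misp_root: str = MISP_ROOT) -> dict:
    """Prefer VERSION.json; fall back to git tags when it is missing."""
    root = Path(misp_root)
    version_file = root / "VERSION.json"
    if version_file.is_file():
        version = parse_version_json(version_file.read_text())
        source = "VERSION.json"
    else:
        out = subprocess.run(
            ["git", "-C", str(root), "describe", "--tags"],
            capture_output=True, text=True, check=True,
        ).stdout
        version = parse_git_describe(out)
        source = "git describe --tags"
    return {
        "version": ".".join(str(n) for n in version),
        "source": source,
        "vulnerable": is_vulnerable(version),
    }


if __name__ == "__main__":
    result = check_install()
    state = "VULNERABLE (update to 2.4.187 or later)" if result["vulnerable"] else "patched"
    print(f"MISP {result['version']} (from {result['source']}): {state}")
```

Run it on the MISP host as any user that can read the install directory. A git checkout that sits between two release tags is deliberately reported as the older tag, so a checkout a few commits past v2.4.186 is flagged as vulnerable even if the fix commit happens to be included; confirm with the git merge-base check above in that case.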
📡 Detection & Monitoring
Log Indicators:
- File uploads through the organisation add/edit forms (the /organisations/uploadLogo path referenced above) by users or at times that do not match a planned logo change
- Entries in MISP's own log (Administration menu) recording organisation add/edit actions by unexpected accounts
- Files in the logo directory whose content is not an image, or whose extension is executable (.php, .phtml, .phar)
- Web shell creation in web-accessible directories
Network Indicators:
- POST requests carrying a multipart upload to the organisation add/edit path with a non-image filename or content type
- Outbound connections from the MISP server to unknown IPs
SIEM Query:
source="misp_logs" AND (uri="/organisations/uploadLogo" OR file_upload="true") AND (file_type!="image/png" AND file_type!="image/jpeg")
The field names in this query are placeholders: map uri, file_upload and file_type to whatever your web server, reverse proxy or WAF log source actually emits. A client-supplied Content-Type is attacker-controlled, so a content check on the stored file is the stronger signal.