-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2239
                   MISP 2.4.12x release security updates
                               30 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           misp
Publisher:         Misp Project
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Read-only Data Access           -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14969 CVE-2020-13153 CVE-2020-10247
                   CVE-2020-10246 CVE-2020-8894 CVE-2020-8893
                   CVE-2020-8892 CVE-2020-8891 CVE-2020-8890

Original Bulletin: 
   https://www.misp-project.org/2020/06/24/MISP.2.4.128.released.html
   https://www.misp-project.org/2020/06/04/MISP.2.4.126.released.html
   https://www.misp-project.org/2020/03/10/MISP.2.4.123.released.html
   https://www.misp-project.org/2020/02/12/MISP.2.4.121.released.html

Comment: This bulletin contains four (4) Misp Project security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

MISP 2.4.128 released (STIX import/export refactored release edition)

https://www.misp-project.org/2020/06/24/MISP.2.4.128.released.html

A new version of MISP (2.4.128) has been released with a significant
refactoring of the STIX import/export along with many improvements and bugs
fixed.

STIX 2 and 1 major refactoring and improvements

A major refactoring of the STIX (version 1 and version 2) import/export has
been performed by Christian Studer. We invite you to read the Changelog for the
complete set of changes and improvements. The most significant change is the
import of threat actors, tools and the like. From this version on, the import
process automatically maps the data points to existing galaxies. As an example,
if a synonym of a threat actor is found in the original STIX file, the import
process will attach the existing threat-actor entry from the MISP galaxy
library. The same mapping also works with tags.

Security fix

  o CVE-2020-14969 (MISP up to 2.4.127, fixed in 2.4.128) - app/Model/Attribute.php
    lacks an ACL lookup on attribute correlations. When the attribute restsearch
    API is queried, metadata about a correlating but otherwise unreachable
    attribute is revealed.
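To make the ACL gap concrete, the following is an added Python model of the
correlation lookup, written for this bulletin rather than taken from MISP (whose
code base is PHP). It keeps a coarse version of MISP's distribution levels,
shows the pre-fix path that joins correlation rows without checking the caller
against each partner attribute, and the post-fix path that filters them. The
response shape, the sample attributes and the org ids are constructed for the
example.

```python
from dataclasses import dataclass

# MISP distribution levels 0-4 (5, "inherit event", is left out of this model).
ORG_ONLY, COMMUNITY, CONNECTED, ALL, SHARING_GROUP = range(5)


@dataclass(frozen=True)
class Attribute:
    id: int
    event_id: int
    org_id: int                      # creating organisation
    distribution: int
    type: str
    value: str
    sharing_group_orgs: frozenset = frozenset()   # only used for SHARING_GROUP


@dataclass(frozen=True)
class User:
    org_id: int
    site_admin: bool = False


def can_read(user, attr):
    """Coarse distribution-based ACL (constructed model, not MISP's own code).

    MISP additionally evaluates the parent event's distribution and
    local-vs-external community membership; here everything above
    ORG_ONLY except sharing groups is treated as readable."""
    if user.site_admin or attr.org_id == user.org_id:
        return True
    if attr.distribution in (COMMUNITY, CONNECTED, ALL):
        return True
    if attr.distribution == SHARING_GROUP:
        return user.org_id in attr.sharing_group_orgs
    return False


def _partners(attr_id, correlations):
    """Ids on the other side of every correlation pair involving attr_id."""
    for a, b in correlations:
        if a == attr_id:
            yield b
        elif b == attr_id:
            yield a


def related_vulnerable(user, attr, correlations, attributes):
    """Pre-fix shape: correlation rows are joined without an ACL lookup, so a
    private attribute's id, event and org leak to anyone who can see `attr`."""
    return [attributes[i] for i in _partners(attr.id, correlations)]


def related_fixed(user, attr, correlations, attributes):
    """Post-fix shape: each correlating attribute is checked against the caller."""
    return [attributes[i] for i in _partners(attr.id, correlations)
            if can_read(user, attributes[i])]


def restsearch(user, attr_id, correlations, attributes, related=related_fixed):
    """Minimal stand-in for an attribute restsearch response with correlations.

    Returns None when the requested attribute itself is out of scope."""
    attr = attributes[attr_id]
    if not can_read(user, attr):
        return None
    return {
        "Attribute": {"id": attr.id, "type": attr.type, "value": attr.value},
        "RelatedAttribute": [
            {"id": r.id, "event_id": r.event_id, "org_id": r.org_id, "value": r.value}
            for r in related(user, attr, correlations, attributes)
        ],
    }


# Constructed sample data: four attributes sharing one value, so they correlate.
ATTRIBUTES = {a.id: a for a in [
    Attribute(1, 10, 1, ALL, "ip-dst", "203.0.113.7"),
    Attribute(2, 20, 1, ORG_ONLY, "ip-dst", "203.0.113.7"),     # org 1 private
    Attribute(3, 30, 3, COMMUNITY, "ip-dst", "203.0.113.7"),
    Attribute(4, 40, 5, SHARING_GROUP, "ip-dst", "203.0.113.7",
              frozenset({5, 7})),                                 # orgs 5 and 7 only
]}
CORRELATIONS = [(1, 2), (1, 3), (1, 4)]


def leaked_ids(user, attr_id):
    """Ids the vulnerable path returns that the fixed path withholds."""
    before = restsearch(user, attr_id, CORRELATIONS, ATTRIBUTES, related_vulnerable)
    after = restsearch(user, attr_id, CORRELATIONS, ATTRIBUTES)
    return sorted({r["id"] for r in before["RelatedAttribute"]}
                  - {r["id"] for r in after["RelatedAttribute"]})
```

For a user in org 2 querying attribute 1, the vulnerable path returns the
private org-1 attribute and the sharing-group attribute alongside the community
one; the fixed path returns only the community attribute. The practical check
after upgrading is the same: query restsearch with a low-privilege API key for
an attribute known to correlate with data that key should not see, and confirm
nothing about the private side comes back.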

New features

  o [correlations] Enable CIDR correlations for ip-src|port and ip-dst|port
    types

  o [widget] Authentication failure widget added to provide a dashboard from D4
    project.

Many other improvements are documented in the complete changelog.

Acknowledgement

We would like to thank all the contributors, reporters and users who have
helped us in the past months to improve MISP and information sharing at large.
This release includes multiple updates in misp-objects, misp-taxonomies and
misp-galaxy.

As always, a detailed and complete changelog is available with all the fixes,
changes and improvements.

- ------------------------------------------------------------------------------

MISP 2.4.126 released (Spring release edition)

https://www.misp-project.org/2020/06/04/MISP.2.4.126.released.html

A new version of MISP (2.4.126) has been released a while ago, though we have
forgotten to publish a blog post about it - thanks to @coolacid for the
reminder. This version includes a security fix and various quality of life
improvements.

Security fix - fixed XSS

Fixed a persistent XSS (CVE-2020-13153) that could be triggered by correlating
an attribute imported via the freetext import tool with an attribute whose
comment field contains a JavaScript payload. Hovering over the correlation
would execute the payload in the browser of the analyst encoding the
information.

Thanks to @JakubOnderka for reporting it!
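The bug class here is an untrusted attribute field (the comment) reaching an
HTML context when the correlation tooltip is rendered. The following is an added
Python example, not MISP's own rendering code (which is PHP/JavaScript), that
places the unsafe concatenation beside the escaped form and includes a small
parser-based check that reports any tag the attacker's data managed to become.
The sample attribute and its payload are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a correlating attribute as it might exist after a freetext
# import. The comment field is the attacker-controlled part (illustrative record,
# not real MISP data).
CORRELATING_ATTRIBUTE = {
    "id": 1234,
    "type": "ip-dst",
    "value": "203.0.113.7",
    "comment": '<img src=x onerror="alert(document.cookie)">',
}


def tooltip_unsafe(attr):
    """Vulnerable pattern: untrusted fields concatenated straight into markup."""
    return (f'<div class="tooltip">{attr["type"]}: {attr["value"]}'
            f' ({attr["comment"]})</div>')


def tooltip_safe(attr):
    """Hardened form: every untrusted field is HTML-escaped for element content.

    quote=True also neutralises " and ' so the same helper is safe inside a
    quoted attribute value such as title="..."."""
    esc = lambda s: html.escape(str(s), quote=True)
    return (f'<div class="tooltip">{esc(attr["type"])}: {esc(attr["value"])}'
            f' ({esc(attr["comment"])})</div>')


class _TagCollector(HTMLParser):
    """Records every start tag a browser's parser would see in the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_tags(markup):
    """Tags in the rendered tooltip other than our own wrapper <div>.

    A non-empty result means attacker-controlled data became markup."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return [t for t in parser.tags if t[0] != "div"]
```

Run over the sample record, the unsafe renderer yields an <img> element with an
onerror handler, while the safe renderer yields no tags beyond the wrapper. The
same check is a cheap regression test to keep around for any view that renders
free-text fields such as comments, which are exactly the fields a correlating
peer organisation controls.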

Tool to generate the communities webpage

Being able to find the right communities is key when utilising MISP. Thanks to
@cvandeplas for implementing this!

Experimental CLI-only force pull method added

It allows an administrator to issue a special kind of pull via the API that
overwrites the local data with that on the remote, no matter which one is
newer. No additional data gets deleted, but modifications will get reverted to
the remote's state. This tool is meant as a last resort if things have gone
awry with unwanted local modifications.

A host of quality of life fixes

A long list of improvements, fixes and new functionalities have been added,
make sure to check out the changelog for an exhaustive list!

Acknowledgement

We would like to thank all the contributors, reporters and users who have
helped us in the past months to improve MISP and information sharing at large.
This release includes multiple updates in misp-objects, misp-taxonomies and
misp-galaxy.

As always, a detailed and complete changelog is available with all the fixes,
changes and improvements.

- ------------------------------------------------------------------------------

MISP 2.4.123 released (aka the dashboard and security fix release)

https://www.misp-project.org/2020/03/10/MISP.2.4.123.released.html

A new version of MISP (2.4.123) has been released. This version includes
several security-related fixes and a new Dashboard system.

Security fixes

Thanks to a pentest conducted on behalf of the Centre for Cyber Security
Belgium (CCB), we have received a list of ideas to improve our security posture
along with 2 vulnerabilities:

  o 2 XSS vulnerabilities (reported and fixed, more info via CVE-2020-10246 and
    CVE-2020-10247)
  o various improvements for our password policy
  o Improvements by adding preventative headers
  o Providing more information to users by surfacing potential foul play

We would hereby like to thank both the contracted party and CCB for sharing
the results with us. We are always glad to receive pentest results; it is a
great way for organisations to improve the security of MISP, and we highly
encourage everyone to test MISP for potential issues and to let us know. We
will do our best to fix any identified issues as soon as possible.

Dashboard system

As an outcome of the spread of COVID-19, we ourselves at the MISP-project team
have spent a considerable amount of our free time over the past few weeks
tracking the spread of and informing ourselves in regards to the outbreak.

As an outcome of quickly setting up a Coronavirus-sharing community via MISP
for ourselves, in order to share and track information emerging about COVID-19,
we have implemented a whole new Dashboarding functionality for MISP.

The new Dashboard is accessible directly in MISP and fully customisable by
users.

  o The system relies on bundled and custom widgets
  o widgets work similarly to other modular parts of MISP, design your own,
    drop it in the MISP directory to get started
  o For instructions on how to develop a basic widget visit The training slide
    repository
  o Under the hood it uses the user settings system, allowing for custom
    configurations per user
  o Dashboard templates can be saved and shared, both via MISP and via JSON
    configuration files
  o Widgets come with a host of support functionalities (ACL, caching,
    auto-reloading, configuration systems)

We welcome contributions to our ever growing widget collection from our
community, let us know if you want to get involved in the effort!

If you are interested in the covid-19 specific widgets, they are not included
in the code-base directly, but are rather available via the new
widget-collection library.

Selecting your home page within MISP

Users can now change their landing page from the default redirect to the event
index to any other page in MISP. We recommend considering the dashboard as the
first point of entry. Simply navigate to the page you wish to bookmark and
click on the little star icon in the header bar.

A bug affecting correlations and an interesting bug hunt

Due to a recently introduced bug, we had cases of correlations disappearing
after an attribute edit under certain conditions (any edit not touching fields
used to decide on whether to correlate an attribute). We have resolved the
issue along with a full recorrelation being triggered on update, simply fetch
the latest version of MISP and your instance should have the issue resolved
once the job finishes.

Acknowledgement

We would like to thank all the contributors, reporters and users who have
helped us in the past months to improve MISP and information sharing at large.
This release includes multiple updates in misp-objects, misp-taxonomies and
misp-galaxy.

As always, a detailed and complete changelog is available with all the fixes,
changes and improvements.

- ------------------------------------------------------------------------------

MISP 2.4.121 released (aka the security release)

https://www.misp-project.org/2020/02/12/MISP.2.4.121.released.html

A new version of MISP (2.4.121) has been released. This version is a security/
bug fix release and users are highly encouraged to update as soon as possible.
Besides that several issues were resolved and some new functionalities were
added.

Security issues

The new version includes fixes to a set of vulnerabilities, kindly reported by
Dawid Czarnecki. For details, see the attached CVE information.

  o A reflected XSS in the galaxy view (CVE-2020-8893)
  o The ACL was not always correctly enforced for discussion threads
    (CVE-2020-8894)
  o A potential time skew between the web server and the database could cause
    the brute force protection not to fire (CVE-2020-8890)

Whilst investigating the above, we have identified and resolved other issues
with the brute force protection:

  o Missing canonicalisation of usernames before creating the brute force
    entry (CVE-2020-8891)
  o PUT requests to the login endpoint were skipping the protection
    (CVE-2020-8892)

Whilst the issues identified are not deemed critical, it is highly suggested to
update and inform your peers to follow suit.
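The three brute-force protection issues above share a pattern: the protection
is only as good as the key it counts under, the clock it expires with, and the
request path it is attached to. The following added Python example, written for
this bulletin and not taken from MISP (whose login code is PHP), models a guard
that keys failures on a canonicalised username, stamps and expires entries with
a single clock, and is applied to PUT as well as POST. The threshold and window
values are assumed, and the expiry_clock argument exists only to reproduce the
skew failure; a real deployment passes one clock.

```python
import time
import unicodedata

MAX_FAILURES = 5            # assumed threshold, not MISP's actual setting
WINDOW_SECONDS = 15 * 60    # assumed lockout window


def canonical_username(name):
    """One counter per account: normalise Unicode, trim, and case-fold.

    Without this, "Admin@Example.org", " admin@example.org" and a full-width
    variant each get a fresh failure counter (the CVE-2020-8891 class)."""
    return unicodedata.normalize("NFKC", name).strip().casefold()


class BruteForceGuard:
    """Sliding-window failure counter keyed on the canonical username."""

    def __init__(self, clock=time.time, expiry_clock=None):
        # `clock` stamps failures. `expiry_clock` is only here to show the
        # time-skew bug (the CVE-2020-8890 class): if expiry is judged with a
        # different clock (e.g. the database's NOW()) that runs ahead of the
        # application's, entries age out before they can ever count.
        self.clock = clock
        self.expiry_clock = expiry_clock or clock
        self.failures = {}   # canonical username -> list of failure timestamps

    def _live(self, key):
        """Drop entries older than the window and return the survivors."""
        cutoff = self.expiry_clock() - WINDOW_SECONDS
        self.failures[key] = [ts for ts in self.failures.get(key, []) if ts > cutoff]
        return self.failures[key]

    def is_blocked(self, username):
        return len(self._live(canonical_username(username))) >= MAX_FAILURES

    def record_failure(self, username):
        key = canonical_username(username)
        self._live(key).append(self.clock())

    def reset(self, username):
        self.failures.pop(canonical_username(username), None)


def login(guard, method, username, password, check_credentials):
    """Login handler that applies the guard to every credential-carrying verb.

    Gating only on POST leaves PUT (and PATCH) as a bypass (the CVE-2020-8892
    class). `check_credentials(canonical_name, password)` is an assumed hook."""
    if method.upper() not in ("POST", "PUT", "PATCH"):
        return "method_not_allowed"
    if guard.is_blocked(username):
        return "locked"
    if check_credentials(canonical_username(username), password):
        guard.reset(username)
        return "ok"
    guard.record_failure(username)
    return "invalid"
```

Five failed attempts under case and whitespace variants of one address lock the
account for the window, a PUT with the correct password is refused while locked,
and the same guard built with an expiry clock an hour ahead of the stamping
clock never locks at all, which is the behaviour a skewed web server and
database pair produces. When verifying a deployment, confirm that both hosts
use NTP and that the lockout triggers on PUT as well as POST.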

Additional sync pull filters

One of the most annoying side-effects of the synchronisation mechanism was the
potential unfiltered flow of massive amounts of aged-out data when first
pulling from a newly connected community. We have added a simple filter option
when configuring sync connections to pass event index filters along with the
sync requests. An example would be to limit the publish age of pulled data to
the desired time frame (for example: Only fetch data that is at maximum 2
months old).

New background worker configuration loading

Background workers were loading the server wide configurations on startup,
meaning that changes to server settings would not be reflected by any
background processed job unless the workers were restarted. A new helper
resolves this and loads the configuration on each job execution (Thanks to
@RichieB2B for reporting the issue).

Memory envelope improvements

When fetching data from MISP, it tries to cluster the data into smaller chunks
and fetch it piece by piece to avoid memory exhaustion and to be able to serve
the data anyway. The new release improves on the estimation, avoiding potential
memory exhaustions with larger data-sets. Potential issues are also logged from
here on.

SQL schema check improvements

Various improvements to better inform administrators about potential issues,
along with remediation scripts.

A host of other improvements

A massive list of improvements to the usability of MISP, with a special thank
you to Jakub Onderka again for his endless stream of improvements.

MISP Objects templates

We received a significant number of new object templates to describe specific
additional use cases including disinformation, media and also improved HTTP
representation.

Acknowledgement

We would like to thank all the contributors, reporters and users who have
helped us in the past months to improve MISP and information sharing at large.

As always, a detailed and complete changelog is available with all the fixes,
changes and improvements.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----