===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2239
                   MISP 2.4.12x release security updates
                                30 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           misp
Publisher:         Misp Project
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Read-only Data Access           -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14969 CVE-2020-13153 CVE-2020-10247 CVE-2020-10246
                   CVE-2020-8894 CVE-2020-8893 CVE-2020-8892 CVE-2020-8891
                   CVE-2020-8890

Original Bulletin:
   https://www.misp-project.org/2020/06/24/MISP.2.4.128.released.html
   https://www.misp-project.org/2020/06/04/MISP.2.4.126.released.html
   https://www.misp-project.org/2020/03/10/MISP.2.4.123.released.html
   https://www.misp-project.org/2020/02/12/MISP.2.4.121.released.html

Comment: This bulletin contains four (4) Misp Project security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

MISP 2.4.128 released (STIX import/export refactored release edition)
https://www.misp-project.org/2020/06/24/MISP.2.4.128.released.html

A new version of MISP (2.4.128) has been released with a significant
refactoring of the STIX import/export along with many improvements and bugs
fixed.

STIX 2 and 1 major refactoring and improvements

A major refactoring of the STIX (version 1 and version 2) import/export has
been performed by Christian Studer. We invite you to read the Changelog for
the complete set of changes and improvements. The most significant change is
the import of threat-actors, tools and the like.
From this version on, the import process automatically maps the data-points
to existing galaxies. As an example, if a synonym of a threat-actor is found
in the original STIX file, the import process will attach the existing
threat-actor from the MISP galaxy library. It also works with tags.

Security fix

o CVE-2020-14969 <= MISP 2.4.128 - app/Model/Attribute.php in MISP 2.4.127
  lacks an ACL lookup on attribute correlations. This occurs when querying
  the attribute restsearch API, revealing metadata about a correlating but
  unreachable attribute.

New features

o [correlations] Enable CIDR correlations for ip-src|port and ip-dst|port
  types
o [widget] Authentication failure widget added to provide a dashboard from
  the D4 project.

Many other improvements are documented in the complete changelog.

Acknowledgement

We would like to thank all the contributors, reporters and users who have
helped us in the past months to improve MISP and information sharing at
large. This release includes multiple updates in misp-objects,
misp-taxonomies and misp-galaxy. As always, a detailed and complete changelog
is available with all the fixes, changes and improvements.

- ------------------------------------------------------------------------------

MISP 2.4.126 released (Spring release edition)
https://www.misp-project.org/2020/06/04/MISP.2.4.126.released.html

A new version of MISP (2.4.126) was released a while ago, though we had
forgotten to publish a blog post about it - thanks to @coolacid for the
reminder. This version includes a security fix and various quality of life
improvements.

Security fix - fixed XSS

Fixed a persistent XSS (CVE-2020-13153) that could be triggered by
correlating an attribute via the freetext import tool with an attribute that
contains a JavaScript payload in the comment field. By hovering over the
correlation, the analyst encoding the information would have the exploit
triggered. Thanks to @JakubOnderka for reporting it!
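As an added illustration of the CVE-2020-14969 class of issue described under the 2.4.128 security fix above (this is not MISP's own code): a hypothetical, simplified restsearch that applies the ACL check to correlated attributes as well as to the attribute matched by the query, so the response can never name metadata of an attribute the caller could not fetch directly. The distribution levels are MISP's documented ones; the Attribute, can_see, restsearch and related_ids names and the sample attributes are constructed for this example.

```python
from dataclasses import dataclass

# MISP distribution levels; the ACL below is a simplified hypothetical model
# for illustration, not MISP's own implementation.
ORG_ONLY, COMMUNITY, CONNECTED, ALL, SHARING_GROUP = range(5)

@dataclass
class Attribute:
    id: int
    value: str
    org: str              # organisation owning the parent event
    distribution: int
    event_info: str       # metadata that must not leak via correlations
    sharing_group: frozenset = frozenset()

def can_see(org: str, attr: Attribute, site_admin: bool = False) -> bool:
    """Local user of `org` may read `attr` if they own it, it is shared at
    community level or wider, or their org is in its sharing group."""
    if site_admin or attr.org == org or attr.distribution in (COMMUNITY, CONNECTED, ALL):
        return True
    return attr.distribution == SHARING_GROUP and org in attr.sharing_group

def restsearch(org, attrs, acl_on_correlations=True):
    """Visible attributes with their correlations (attributes sharing a value).
    With acl_on_correlations=False the response names unreachable attributes,
    the class of leak fixed in 2.4.128; the default applies the ACL to both ends."""
    by_value = {}
    for a in attrs:
        by_value.setdefault(a.value, []).append(a)
    result = []
    for a in attrs:
        if not can_see(org, a):
            continue
        related = [r for r in by_value[a.value] if r.id != a.id
                   and (not acl_on_correlations or can_see(org, r))]
        result.append({"id": a.id, "value": a.value,
                       "RelatedAttribute": [{"id": r.id, "event_info": r.event_info} for r in related]})
    return result

# Constructed sample: three attributes carrying the same indicator value.
SAMPLE = [
    Attribute(1, "198.51.100.7", "ORG-B", COMMUNITY, "ORG-B: phishing wave"),
    Attribute(2, "198.51.100.7", "ORG-A", ORG_ONLY, "ORG-A: internal incident"),
    Attribute(3, "198.51.100.7", "ORG-A", SHARING_GROUP, "ORG-A: SG case", frozenset({"ORG-C"})),
]

def related_ids(org, acl_on_correlations=True):
    """Ids reported as correlating with attribute 1 for a user of `org`."""
    hit = next(r for r in restsearch(org, SAMPLE, acl_on_correlations) if r["id"] == 1)
    return sorted(x["id"] for x in hit["RelatedAttribute"])
```

A user of ORG-B owns attribute 1 but can reach neither ORG-A attribute, so with the ACL applied the correlation list is empty; without it, the org-only incident and the sharing-group case are both named.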
Tool to generate the communities webpage

Being able to find the right communities is key when utilising MISP. Thanks
to @cvandeplas for implementing this!

Experimental CLI-only force pull method added

It allows an administrator to issue a special kind of pull via the API that
overwrites the local data with that on the remote, no matter which one is
newer. No additional data gets deleted, but modifications will get reverted
to the remote's state. This tool is meant as a last resort if things have
gone awry with unwanted local modifications.

A host of quality of life fixes

A long list of improvements, fixes and new functionalities have been added;
make sure to check out the changelog for an exhaustive list!

Acknowledgement

We would like to thank all the contributors, reporters and users who have
helped us in the past months to improve MISP and information sharing at
large. This release includes multiple updates in misp-objects,
misp-taxonomies and misp-galaxy. As always, a detailed and complete changelog
is available with all the fixes, changes and improvements.

- ------------------------------------------------------------------------------

MISP 2.4.123 released (aka the dashboard and security fix release)
https://www.misp-project.org/2020/03/10/MISP.2.4.123.released.html

A new version of MISP (2.4.123) has been released. This version includes
various security related fixes, and a new Dashboard system.

Security fixes

Thanks to a pentest conducted on behalf of the Centre for Cyber Security
Belgium (CCB), we have received a list of ideas to improve our security
posture along with 2 vulnerabilities:

o 2 XSS vulnerabilities (reported and fixed, more info via CVE-2020-10246
  and CVE-2020-10247)
o various improvements for our password policy
o Improvements by adding preventative headers
o Providing more information to the users by revealing potential foul play

We would hereby like to thank both the contracted party as well as CCB for
sharing the results with us.
We are always glad to receive pentest results; it's a great way for
organisations to improve the security of MISP, and we highly encourage
everyone to test MISP for potential issues and to let us know - we will do
our best to fix any identified issues as soon as possible.

Dashboard system

As an outcome of the spread of COVID-19, we ourselves at the MISP-project
team have spent a considerable amount of our free time over the past few
weeks tracking the spread of the outbreak and informing ourselves about it.
As an outcome of quickly setting up a Coronavirus-sharing community via MISP
for ourselves, in order to share and track information emerging about
COVID-19, we have implemented a whole new Dashboarding functionality for
MISP. The new Dashboard is accessible directly in MISP and fully
customisable by users.

o The system relies on bundled and custom widgets
o Widgets work similarly to other modular parts of MISP: design your own,
  drop it in the MISP directory to get started
o For instructions on how to develop a basic widget, visit the training slide
  repository
o Under the hood it uses the user settings system, allowing for custom
  configurations per user
o Dashboard templates can be saved and shared, both via MISP and via JSON
  configuration files
o Widgets come with a host of support functionalities (ACL, caching,
  auto-reloading, configuration systems)

We welcome contributions to our ever growing widget collection from our
community; let us know if you want to get involved in the effort! If you are
interested in the covid-19 specific widgets, they are not included in the
code-base directly, but are rather available via the new widget-collection
library.

Selecting your home page within MISP

Users can now replace their landing page, which by default redirects to the
event index, with any other page in MISP. We recommend considering the
dashboard as the first point of entry.
Simply navigate to the page you wish to bookmark and click on the little star
icon in the header bar.

A bug affecting correlations and an interesting bug hunt

Due to a recently introduced bug, we had cases of correlations disappearing
after an attribute edit under certain conditions (any edit not touching
fields used to decide on whether to correlate an attribute). We have resolved
the issue, along with a full recorrelation being triggered on update; simply
fetch the latest version of MISP and your instance should have the issue
resolved once the job finishes.

Acknowledgement

We would like to thank all the contributors, reporters and users who have
helped us in the past months to improve MISP and information sharing at
large. This release includes multiple updates in misp-objects,
misp-taxonomies and misp-galaxy. As always, a detailed and complete changelog
is available with all the fixes, changes and improvements.

- ------------------------------------------------------------------------------

MISP 2.4.121 released (aka the security release)
https://www.misp-project.org/2020/02/12/MISP.2.4.121.released.html

A new version of MISP (2.4.121) has been released. This version is a
security/bug fix release and users are highly encouraged to update as soon
as possible. Besides that, several issues were resolved and some new
functionalities were added.

Security issues

The new version includes fixes to a set of vulnerabilities, kindly reported
by Dawid Czarnecki. For details, see the attached CVE information.
o A reflected XSS in the galaxy view (CVE-2020-8893)
o ACL wasn't always correctly adhered to for the discussion threads
  (CVE-2020-8894)
o Potential time skew between web server and database would cause the brute
  force protection not to fire (CVE-2020-8890)

Whilst investigating the above, we have identified and resolved other issues
with the brute force protection:

o Missing canonicalisation of the usernames before issuing the bruteforce
  entry (CVE-2020-8891)
o PUT requests for the login were skipping the protection (CVE-2020-8892)

Whilst the issues identified are not deemed critical, it is highly suggested
to update and inform your peers to follow suit.

Additional sync pull filters

One of the most annoying side-effects of the synchronisation mechanism was
the potential unfiltered flow of massive amounts of aged-out data when first
pulling from a newly connected community. We have added a simple filter
option when configuring sync connections to pass event index filters along
with the sync requests. An example would be to limit the publish age of
pulled data to the desired time frame (for example: only fetch data that is
at most 2 months old).

New background worker configuration loading

Background workers were loading the server-wide configuration on startup,
meaning that changes to server settings would not be reflected by any
background processed job unless the workers were restarted. A new helper
resolves this and loads the configuration on each job execution (thanks to
@RichieB2B for reporting the issue).

Memory envelope improvements

When fetching data from MISP, it tries to cluster the data into smaller
chunks and fetch it piece by piece to avoid memory exhaustion and to be able
to serve the data anyway. The new release improves on the estimation,
avoiding potential memory exhaustion with larger data-sets. Potential issues
are also logged from here on.
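An added example (not MISP's code) modelling the three brute force protection weaknesses listed under the 2.4.121 security issues above: a hypothetical BruteforceGuard whose variants reproduce the web-server/database clock skew, the missing username canonicalisation and the PUT bypass, beside the hardened configuration that stamps and compares with one clock, keys failures on a canonical username and checks every HTTP method. All names, the window and threshold values, and the sample spellings are constructed for this illustration.

```python
import unicodedata
from collections import defaultdict

WINDOW_SECONDS = 300  # failed attempts count against a user for this long
MAX_FAILURES = 5      # failures inside the window before login is blocked

def canonical_user(username: str) -> str:
    """Fold case, whitespace and compatibility forms ('Admin ', fullwidth)."""
    return unicodedata.normalize("NFKC", username).strip().casefold()

class BruteforceGuard:
    """Hypothetical login guard; failures are stamped with db_clock (where they
    are stored) and compared against app_clock (the web server's clock)."""

    def __init__(self, app_clock, db_clock=None, canonicalise=True, methods=None):
        self.app_clock, self.db_clock = app_clock, db_clock or app_clock  # default: one clock
        self.canonicalise, self.methods = canonicalise, methods  # methods=None: check all verbs
        self.failures = defaultdict(list)

    def _key(self, username):
        return canonical_user(username) if self.canonicalise else username

    def record_failure(self, username):
        self.failures[self._key(username)].append(self.db_clock())

    def is_blocked(self, username, method="POST"):
        if self.methods is not None and method.upper() not in self.methods:
            return False  # weak variant: e.g. PUT /login skips the check entirely
        now = self.app_clock()
        recent = [t for t in self.failures[self._key(username)] if now - t < WINDOW_SECONDS]
        return len(recent) >= MAX_FAILURES

# Constructed spellings of one account; the last is in fullwidth Latin letters.
SPELLINGS = ("admin", "Admin", "ADMIN", "admin ", "\uff41\uff44\uff4d\uff49\uff4e")

def demo():
    """Whether each variant blocks 'admin' after MAX_FAILURES bad logins."""
    app = lambda: 1_000_000.0
    db_behind = lambda: app() - 2 * WINDOW_SECONDS  # DB clock 10 minutes behind
    variants = {
        "skew": (BruteforceGuard(app, db_clock=db_behind), ["admin"] * MAX_FAILURES, "POST"),
        "nocanon": (BruteforceGuard(app, canonicalise=False), SPELLINGS, "POST"),
        "put_bypass": (BruteforceGuard(app, methods={"POST"}), ["admin"] * MAX_FAILURES, "PUT"),
        "hardened": (BruteforceGuard(app), SPELLINGS, "PUT"),
    }
    out = {}
    for name, (guard, attempts, method) in variants.items():
        for user in attempts:
            guard.record_failure(user)
        out[name] = guard.is_blocked("admin", method)  # only "hardened" is True
    return out
```

In the skewed variant every stored timestamp already looks older than the window to the web server, so the threshold is never reached; the hardened guard merges all five spellings into one counter and blocks the PUT as readily as a POST.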
SQL schema check improvements

Various improvements to better inform administrators about potential issues,
along with remediation scripts.

A host of other improvements

A massive list of improvements to the usability of MISP, with a special thank
you to Jakub Onderka again for his endless stream of improvements.

MISP Objects templates

We received a significant number of new object templates to describe
specific additional use cases including disinformation, media and also
improved HTTP representation.

Acknowledgement

We would like to thank all the contributors, reporters and users who have
helped us in the past months to improve MISP and information sharing at
large. As always, a detailed and complete changelog is available with all
the fixes, changes and improvements.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================