[Bug ] Authentication Bypass Vulnerability #2391

Closed
przmaz opened this issue Jun 6, 2022 · 5 comments
Labels
bug TheHive4 TheHive4 related issues

przmaz commented Jun 6, 2022

Request Type

Bug - Authentication Bypass Vulnerability

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | RedHat |
| OS version (client) | any |
| Virtualized Env. | any |
| TheHive version / git hash | 4.1.16-1 |
| Package Type | Docker |
| Database | Cassandra |
| Index type | Elasticsearch |
| Browser type & version | Chromium |

Problem Description

It has been observed that TheHive Version: 4.1.16-1 application is vulnerable to Authentication Bypass. An attacker with an account in the application is able to log into the account of any other application user (including the administrator) which in consequence may lead to a compromise of the application and each of its users.

Steps to Reproduce

  1. Step 1 - Try to log into the application using valid credentials for any user of yours.

  2. Step 2 - After entering the credentials in the login screen and clicking 'Sign in', intercept the request in a web proxy tool, e.g. in Burp.

  3. Step 3 - In the request body, change the user's credentials: as the username, enter any username that exists in the application, and remove the password value.

  4. Step 4 - Release the request that has been modified. At this point, the browser creates a session using the previously selected user. This way, you can take over the identity of each application user without knowing their password. The only necessary condition to use the vulnerability is to have one set of valid credentials (the user role is not important).

Possible Solutions

Authentication mechanisms and session management need to be implemented correctly, as they are the first line of security before entering the private section of the application.

Complementary information

CWE-287: Improper Authentication https://cwe.mitre.org/data/definitions/287.html
OWASP https://www.owasp.org/index.php/Authentication_Cheat_Sheet

Date: 06.06.2022

Author: Przemysław Mazurek

Contact: mazurekprzem[at]gmail[dot]com

@cyberpescadito

Hello, this has been reported as #2353.
We don't confirm the POC of this potential vulnerability, and neither do red teams from various large security companies.
Everyone ends up with a 401 error.
Do you have any screen recording for this POC?

@fusion4bass

przmaz probably already sent you a recording, but I retested on a fresh Docker instance with the same version:
thehiveproject/thehive4:4.1.16-1
And you're right, it doesn't work! So it must be related to our configuration, which involves authentication through Active Directory.

@cyberpescadito

Hello,
Following przmaz's report, we found an issue and will fix it in the next release.
As we did in the past, a blog post will be published with the release to explain what we do and why :-)


us3r commented Jun 21, 2022

The same error is on Cortex.

To-om (Contributor) commented Jun 22, 2022

Fixed in 4.1.21
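
Added example, not TheHive code and not part of the thread: the issue does not state the root cause, so this assumes the behaviour that fits fusion4bass's Active Directory observation, namely a directory that reports success for a simple bind with an empty password (the unauthenticated bind of RFC 4513, section 5.1.2). `FakeDirectory`, `login_naive`, `login_hardened`, `audit` and the sample accounts are constructed for illustration.

```python
import hmac

# Constructed sample accounts standing in for a directory server (hypothetical).
DIRECTORY = {"alice": "correct horse", "admin": "S3cure!pass"}


class FakeDirectory:
    """Assumed behaviour: like a server that allows RFC 4513 unauthenticated
    binds, a known name with a zero-length password is reported as success."""

    def simple_bind(self, username, password):
        if username not in DIRECTORY:
            return False
        if password == "":
            return True  # unauthenticated bind: no proof of identity was given
        return hmac.compare_digest(DIRECTORY[username].encode(),
                                   password.encode())


def login_naive(directory, username, password):
    """Treats any successful bind as proof that the caller is `username`."""
    return directory.simple_bind(username, password or "")


def login_hardened(directory, username, password):
    """Rejects missing or empty credentials before the directory is asked."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    if not username.strip() or password == "":
        return False
    return directory.simple_bind(username, password)


def audit(login, directory):
    """Return the constructed (username, password) cases that `login` accepts."""
    cases = [("alice", "correct horse"),  # valid credentials
             ("admin", ""),               # password value removed
             ("admin", None),             # password field missing entirely
             ("admin", "wrong"),
             ("", "")]
    return [case for case in cases if login(directory, *case)]


if __name__ == "__main__":
    d = FakeDirectory()
    print("naive accepts:   ", audit(login_naive, d))
    print("hardened accepts:", audit(login_hardened, d))
```

The same `audit` cases work as a regression test against any login path that delegates to an external directory, and disabling unauthenticated binds on the directory side closes the gap at its source.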
