Possible Security Issue with Cake Resque and MISP


Noted from other using MISP that if you have a / in the customized footer section specifically // which was used for classification of a system, that the system will throw errors causing Cake Resque workers to crash. It is also possible to use the same sort of method to crash the Workers by specially formatted API request as well if you inadvertantly put in // instead of / in some cases. It appears that the footer file and several others may be the reason but we have not investigated it. We just wanted to make you aware so that you can look into the error handling. We also noted that not only do the workers crash but it also causes MySQL to disconnect as well. -- Some of the logs -- ErrorHandler::handleError() - APP/Lib/cakephp/lib/Cake/Error/ErrorHandler.php, line 230 include - APP/View/Elements/global_menu.ctp, line 10 View::_evaluate() - APP/Lib/cakephp/lib/Cake/View/View.php, line 971 View::_render() - APP/Lib/cakephp/lib/Cake/View/View.php, line 933 View::_renderElement() - APP/Lib/cakephp/lib/Cake/View/View.php, line 1224 View::element() - APP/Lib/cakephp/lib/Cake/View/View.php, line 418 include - APP/View/Layouts/default.ctp, line 49 View::_evaluate() - APP/Lib/cakephp/lib/Cake/View/View.php, line 971 View::_render() - APP/Lib/cakephp/lib/Cake/View/View.php, line 933 View::renderLayout() - APP/Lib/cakephp/lib/Cake/View/View.php, line 546 View::render() - APP/Lib/cakephp/lib/Cake/View/View.php, line 481 Controller::render() - APP/Lib/cakephp/lib/Cake/Controller/Controller.php, line 963 ExceptionRenderer::_outputMessage() - APP/Lib/cakephp/lib/Cake/Error/ExceptionRenderer.php, line 292 ExceptionRenderer::error500() - APP/Lib/cakephp/lib/Cake/Error/ExceptionRenderer.php, line 260 ExceptionRenderer::render() - APP/Lib/cakephp/lib/Cake/Error/ExceptionRenderer.php, line 190 ErrorHandler::handleException() - APP/Lib/cakephp/lib/Cake/Error/ErrorHandler.php, line 127 [main] - [internal], line ?? 2018-01-16 14:17:02 Notice: Notice (8): Undefined variable: debugMode in [/var/www/MISP/app/View/Layouts/default.ctp, line 51] Trace: ErrorHandler::handleError() - APP/Lib/cakephp/lib/Cake/Error/ErrorHandler.php, line 230 include - APP/View/Layouts/default.ctp, line 51 View::_evaluate() - APP/Lib/cakephp/lib/Cake/View/View.php, line 971 View::_render() - APP/Lib/cakephp/lib/Cake/View/View.php, line 933 View::renderLayout() - APP/Lib/cakephp/lib/Cake/View/View.php, line 546 View::render() - APP/Lib/cakephp/lib/Cake/View/View.php, line 481 Controller::render() - APP/Lib/cakephp/lib/Cake/Controller/Controller.php, line 963 ExceptionRenderer::_outputMessage() - APP/Lib/cakephp/lib/Cake/Error/ExceptionRenderer.php, line 292 ExceptionRenderer::error500() - APP/Lib/cakephp/lib/Cake/Error/ExceptionRenderer.php, line 260 ExceptionRenderer::render() - APP/Lib/cakephp/lib/Cake/Error/ExceptionRenderer.php, line 190 ErrorHandler::handleException() - APP/Lib/cakephp/lib/Cake/Error/ErrorHandler.php, line 127 [main] - [internal], line ?? -- End of logs -- | Questions | Answers |---------------------------|-------------------- | Type of issue | Bug with possible security implications | OS version (server) | Ubuntu | OS version (client) | 16.04 LTS | PHP version | 7.1 | MISP version / git hash | v2.4.85 (df14f2bcb067af95a26440b672fb65ec13677688) and others | Browser | NA ### Expected behavior Would expect error handling to not shut down the workers ### Actual behavior Workers dies and do not restart ### Steps to reproduce the behavior Put // in the customized footer is one way and we were also able to crash workers using the same formatting in API request ### Logs, screenshots, configuration dump, ... We can research more but had 2 Government clients bring this to our attention when noting that classifications have // in them and when put into the custom footer cause this issue.

Note: A bug report has been submitted for this issue. We are not aware of any way to use this issue to remotely exploit a server but it could allow a remote users to crash components running on the MISP instance.

#BugResearch

34 views

Contact: (800)447-2150 Ext. 1        To contact Jigsaw simply send a message in our chat window!

  • Facebook - Black Circle
  • Twitter - Black Circle

© 2017-2020 Jigsaw Security Enterprise Inc.

Jigsaw Security Enterprise Inc is a SDVOSB - Service Connected Disabled Veteran Owned Small Business