Possible Security Issue with Cake Resque and MISP


Noted from other using MISP that if you have a / in the customized footer section specifically // which was used for classification of a system, that the system will throw errors causing Cake Resque workers to crash. It is also possible to use the same sort of method to crash the Workers by specially formatted API request as well if you inadvertantly put in // instead of / in some cases. It appears that the footer file and several others may be the reason but we have not investigated it. We just wanted to make you aware so that you can look into the error handling. We also noted that not only do the workers crash but it also causes MySQL to disconnect as well. -- Some of the logs -- ErrorHandler::handleError() - APP/Lib/cakephp/lib/Cake/Error/ErrorHandler.php, line 230 include - APP/View/Elements/global_menu.ctp, line 10 View::_evaluate() - APP/Lib/cakephp/lib/Cake/View/View.php, line 971 View::_render() - APP/Lib/cakephp/lib/Cake/View/View.php, line 933 View::_renderElement() - APP/Lib/cakephp/lib/Cake/View/View.php, line 1224 View::element() - APP/Lib/cakephp/lib/Cake/View/View.php, line 418 include - APP/View/Layouts/default.ctp, line 49 View::_evaluate() - APP/Lib/cakephp/lib/Cake/View/View.php, line 971 View::_render() - APP/Lib/cakephp/lib/Cake/View/View.php, line 933 View::renderLayout() - APP/Lib/cakephp/lib/Cake/View/View.php, line 546 View::render() - APP/Lib/cakephp/lib/Cake/View/View.php, line 481 Controller::render() - APP/Lib/cakephp/lib/Cake/Controller/Controller.php, line 963 ExceptionRenderer::_outputMessage() - APP/Lib/cakephp/lib/Cake/Error/ExceptionRenderer.php, line 292 ExceptionRenderer::error500() - APP/Lib/cakephp/lib/Cake/Error/ExceptionRenderer.php, line 260 ExceptionRenderer::render() - APP/Lib/cakephp/lib/Cake/Error/ExceptionRenderer.php, line 190 ErrorHandler::handleException() - APP/Lib/cakephp/lib/Cake/Error/ErrorHandler.php, line 127 [main] - [internal], line ?? 2018-01-16 14:17:02 Notice: Notice (8): Undefined variable: debugMode in [/var/www/MISP/app/View/Layouts/default.ctp, line 51] Trace: ErrorHandler::handleError() - APP/Lib/cakephp/lib/Cake/Error/ErrorHandler.php, line 230 include - APP/View/Layouts/default.ctp, line 51 View::_evaluate() - APP/Lib/cakephp/lib/Cake/View/View.php, line 971 View::_render() - APP/Lib/cakephp/lib/Cake/View/View.php, line 933 View::renderLayout() - APP/Lib/cakephp/lib/Cake/View/View.php, line 546 View::render() - APP/Lib/cakephp/lib/Cake/View/View.php, line 481 Controller::render() - APP/Lib/cakephp/lib/Cake/Controller/Controller.php, line 963 ExceptionRenderer::_outputMessage() - APP/Lib/cakephp/lib/Cake/Error/ExceptionRenderer.php, line 292 ExceptionRenderer::error500() - APP/Lib/cakephp/lib/Cake/Error/ExceptionRenderer.php, line 260 ExceptionRenderer::render() - APP/Lib/cakephp/lib/Cake/Error/ExceptionRenderer.php, line 190 ErrorHandler::handleException() - APP/Lib/cakephp/lib/Cake/Error/ErrorHandler.php, line 127 [main] - [internal], line ?? -- End of logs -- | Questions | Answers |---------------------------|-------------------- | Type of issue | Bug with possible security implications | OS version (server) | Ubuntu | OS version (client) | 16.04 LTS | PHP version | 7.1 | MISP version / git hash | v2.4.85 (df14f2bcb067af95a26440b672fb65ec13677688) and others | Browser | NA ### Expected behavior Would expect error handling to not shut down the workers ### Actual behavior Workers dies and do not restart ### Steps to reproduce the behavior Put // in the customized footer is one way and we were also able to crash workers using the same formatting in API request ### Logs, screenshots, configuration dump, ... We can research more but had 2 Government clients bring this to our attention when noting that classifications have // in them and when put into the custom footer cause this issue.

Note: A bug report has been submitted for this issue. We are not aware of any way to use this issue to remotely exploit a server but it could allow a remote users to crash components running on the MISP instance.

#BugResearch

27 views

Contact: (800)447-2150 Ext. 1        To contact Jigsaw simply send a message in our chat window!

  • Facebook - Black Circle
  • Twitter - Black Circle

© 2017-2018 Jigsaw Security Enterprise Inc.

Jigsaw Security Enterprise Inc is a SDVOSB - Service Connected Disabled Veteran Owned Small Business Jigsaw Security is an operator of WIMAX networks and is operating under license WQVC235 as a common carrier, non-common carrier and private communications operator. Jigsaw Security operates cable and satellite services. Courses may be provided by a third party authorized training partner in some cases. Some training is only available for cleared and US Citizens. Courses approved by the North Carolina Department of Public Safety Private Protective Services Board for licensing and CE credits. JPM program insurance is provided by an authorized Jigsaw Security Insurance Partner and is not underwritten by Jigsaw Security. For insurance information please contact our JPM program manager. Jigsaw Security operates a network through our NCBroadband brand.