TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Bug] Authentication Bypass Vulnerability #2391

Closed przmaz closed 2 years ago

przmaz commented 2 years ago

Request Type

Bug - Authentication Bypass Vulnerability

Work Environment

Question: Answer
OS version (server): RedHat
OS version (client): any
Virtualized Env.: any
TheHive version / git hash: 4.1.16-1
Package Type: Docker
Database: Cassandra
Index type: Elasticsearch
Browser type & version: Chromium

Problem Description

It has been observed that TheHive Version: 4.1.16-1 application is vulnerable to Authentication Bypass. An attacker with an account in the application is able to log into the account of any other application user (including the administrator) which in consequence may lead to a compromise of the application and each of its users.

Steps to Reproduce

  1. Step 1 - Try to log into the application using valid credentials for any user.

  2. Step 2 - After entering credentials in the login screen and clicking 'Sign in', intercept the request in a web proxy tool, e.g. Burp.

  3. Step 3 - In the request body, change the user's credentials: as username, enter any username that exists in the application and remove the password value.

  4. Step 4 - Release the modified request. At this point, the browser creates a session for the previously selected user. This way, you can take over the identity of any application user without knowing their password. The only necessary condition to use the vulnerability is to have one set of valid credentials (the user role is not important).

Possible Solutions

Authentication mechanisms and session management need to be implemented correctly, as they are the first line of security before entering the private section of the application.

Complementary information

CWE-287: Improper Authentication - https://cwe.mitre.org/data/definitions/287.html
OWASP Authentication Cheat Sheet - https://www.owasp.org/index.php/Authentication_Cheat_Sheet

Date: 06.06.2022

Author: Przemysław Mazurek

Contact: mazurekprzem[at]gmail[dot]com

cyberpescadito commented 2 years ago

Hello, this has been reported as #2353. We don't confirm the POC of this potential vulnerability, nor do red teams from various large security companies. Everyone ends up at a 401 error. Do you have any screen recording of this POC?

fusion4bass commented 2 years ago

Probably przmaz has already sent you the recording, but I retested on a fresh docker instance with the same version: thehiveproject/thehive4:4.1.16-1. And you're right, it doesn't work! So it must be related to our configuration, which involves authentication through Active Directory.
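As an added example (not TheHive's code) serving both the reproduction steps in the report and fusion4bass's observation about Active Directory: the handler below rejects a missing or blank password before any directory bind is attempted. The assumed mechanism, which the thread does not state, is the LDAP unauthenticated bind (RFC 4513 §5.1.2): a simple bind that carries a name but an empty password succeeds without proving identity, so an application that forwards the form's password field unchecked mints a session for whichever user was named. The JSON field names, the simulated directory and the sample users are constructed assumptions.

```python
"""Added example: reject empty passwords before a directory bind.
Assumption (labelled): a simple bind with a name and an EMPTY password is
treated by LDAP/AD as an unauthenticated bind that "succeeds" (RFC 4513
section 5.1.2). The directory below simulates that rule; it is not a real
LDAP client and the users are constructed sample data."""
import json
import secrets

# Constructed user store: username -> password (stands in for the directory).
_DIRECTORY = {"alice": "correct horse", "admin": "Tr0ub4dor&3"}


def simulated_bind(username: str, password: str) -> bool:
    """Mimics a directory simple bind, including the unauthenticated-bind rule."""
    if username not in _DIRECTORY:
        return False
    if password == "":                # empty password => anonymous bind "succeeds"
        return True
    return secrets.compare_digest(_DIRECTORY[username].encode(), password.encode())


def login_vulnerable(body: bytes) -> dict:
    """Forwards whatever the client sent straight to the bind (the flaw)."""
    req = json.loads(body)
    user = req.get("user", "")        # assumed field names for the login body
    pw = req.get("password", "")      # a stripped field silently becomes ""
    if simulated_bind(user, pw):
        return {"status": 200, "session": secrets.token_hex(8), "user": user}
    return {"status": 401}


def login_hardened(body: bytes) -> dict:
    """Validates the credential before any directory call is made."""
    try:
        req = json.loads(body)
    except ValueError:
        return {"status": 400}
    user = req.get("user")
    pw = req.get("password")
    # Both fields must be present, be strings and be non-blank; a missing,
    # empty or whitespace-only password must never reach the bind.
    if not isinstance(user, str) or not isinstance(pw, str) \
            or not user.strip() or not pw.strip():
        return {"status": 401}
    if simulated_bind(user, pw):
        return {"status": 200, "session": secrets.token_hex(8), "user": user}
    return {"status": 401}
```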

cyberpescadito commented 2 years ago

Hello, following przmaz's report we found an issue and will fix it in the next release. As we did in the past, a blog post will be published with the release to explain what we did and why :-)

us3r commented 2 years ago

The same error is present in Cortex.

To-om commented 2 years ago

Fixed in 4.1.21