Our good friends at Randorisec, joined by other pentesting professionals (see below), performed a fully fledged pentest of Buckfast 0 (TheHive 2.10.0) and Cortex 1.0.0 during 4 man-days spanning several weeks, starting from February 9, 2017 and ending on March 21, 2017.
They have identified several security issues detailed in their report which they privately shared with us prior to publication. As a result, we are happy to announce the immediate availability of Buckfast 2 (TheHive 2.10.2) which fixes the following vulnerabilities:
- Vertical privilege escalation (AP3): an authenticated simple user can have access to some admin menus. See issue #160 and issue #161.
- CSRF (AP8): As no anti-CSRF tokens are used, TheHive is vulnerable to CSRF attacks. See issue #158.
Cortex 1.0.0 and 1.0.1 are also affected by AP2. A new Cortex version will be released very shortly to fix it.
Additionally, Buckfast 2 fixes the following bugs:
- Issue #152: pagination does not work with 100 results per page.
- Issue #169: error when importing some MISP events due to their unexpected JSON format. This has also been fixed in MISP v2.4.71.
We have also added the following features:
- Issue #157: add persistence for task viewing options.
- Issue #174: run all analyzers on multiple observables from the observables view.
Randorisec identified 4 more security issues rated low which aren’t fixed by this release:
- Concurrent sessions allowed (AP4): we do not deem this a security vulnerability and hence we won’t fix it unless our user community request a patch.
- No account lockout policy (AP5): if you use the local authentication system, it can be brute-forced. We are going to fix this in Mellifera 1 (TheHive 2.11.1) due at the end of May 2017. In the meantime, you can use LDAP, Active Directory or both and configure a password policy on those systems.
- No password policy (AP6): as no password policy is enforced when using the local database for storing user credentials, users can set weak passwords (e.g.: containing only one character). We are going to fix this in Mellifera 1 (TheHive 2.11.1) due at the end of May 2017. In the meantime, you can use LDAP, Active Directory or both and configure a password policy on those systems.
- Information leakage (AP7): information such as installed software versions (TheHive, ElasticSearch) is publicly available. TheHive should be not be publicly accessible and access should be filtered by a firewall or a similar device for authorized IP addresses only.
If you are running Buckfast 1 or a previous version, please follow the updating instructions to update to Buckfast 2. It is actually an extremely simple operation. If you are doing a fresh installation, we have you covered as well.
Please note that Randorisec and the pentesting professionals that joined it for this pentest have no contract with TheHive Project and did not receive any compensation of any sort to perform this work. They worked on their free time as a way to contribute to the security of Free, Open Source Software projects. We’d like to wholeheartedly thank Davy Douhine, Randorisec’s CEO, ArtsSEC, Frédéric Cikala, Nicolas Mattiocco, Florent Montel and Mohamed Mrabah for their invaluable contribution.
Correction: April 21, 2017
An earlier version of this article mentioned Maximilano Soler among the professionals who joined Randorisec to perform a pentest on our products. At his request, we have removed his name and replaced it by ArtsSEC.