The Dead don’t Die

In December 2017, we published a fix for a nasty privilege escalation vulnerability, namely THP-SEC-ADV-2017-001.

On Tuesday May 21, 2019, it came back to bite us, like the dead that don’t die, when Adam Mariš reported that it was still possible to escalate privileges in all versions of TheHive, including version 3.3.0.

After analysis, we found that THP-SEC-ADV-2017-001 did not address the full scope of the vulnerability. Adam hit the nail on the head – be like Adam! 👏

We have released a hotfix for the latest version of TheHive which puts the dead to rest once and for all, and we sincerely apologise for the issue.

What’s THP-SEC-ADV-2017-001?

The vulnerability allows users with read-only or read/write access to escalate their privileges and eventually become administrators. To exploit it, an attacker must have access to an account on TheHive with read-only or read/write privileges.

The attacker needs to interact with the API in a specific yet trivial way to obtain administrator privileges. After verifying that their request has been correctly processed, they connect to TheHive using the Web UI and they will see the administrator menu from where they can edit or lock user accounts, add case templates, etc.

And Now What?

We highly recommend that you update to TheHive 3.3.1, which completely fixes the vulnerability. If you are still using TheHive 2.x and have not yet moved to TheHive 3, please update to TheHive 2.13.4, which also addresses this flaw.

If you cannot immediately apply the hotfixes we have released, a shell script is available that will allow you to spot anyone who has exploited the vulnerability. You can download this script from the following location:

https://drive.google.com/file/d/1F8VOUMLoCVnIdHjnbhMTzf_9Z2Ud_Vuw/view?usp=sharing

The SHA256 hash of the script is:

18c74f921b92cc68ea7bc10c7522691d671074331191fe22269cc936bfdb0e9a

When you run the script, it will display all users whose roles have changed. If even a single match is found, your instance has potentially been compromised. We advise you to create a cron job that executes the script on a regular basis until you apply the hotfixes.
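As an added illustration of the check described above (this is not the linked script or any TheHive Project code), the example below compares a stored baseline of user accounts against a current export and reports every account whose roles changed, gained the `admin` role, or did not exist before. It assumes user records are JSON objects carrying a `login` and a `roles` list, as the TheHive 3 user API returns them; the sample records are constructed.

```python
import json

# Constructed sample snapshots of TheHive user records. The shape
# ("login" plus a "roles" list) is an assumption about the user API.
BASELINE_JSON = '''[
  {"login": "alice", "roles": ["read", "write"]},
  {"login": "bob",   "roles": ["read"]},
  {"login": "admin", "roles": ["read", "write", "admin"]}
]'''
CURRENT_JSON = '''[
  {"login": "alice", "roles": ["read", "write"]},
  {"login": "bob",   "roles": ["read", "write", "admin"]},
  {"login": "admin", "roles": ["read", "write", "admin"]},
  {"login": "eve",   "roles": ["read", "write", "admin"]}
]'''

def roles_by_login(records):
    """Map each login to the set of roles it currently holds."""
    return {u["login"]: set(u.get("roles", [])) for u in records}

def detect_role_changes(baseline, current):
    """Return (login, kind, roles_before, roles_after) for every account
    whose roles differ from the baseline. kind is one of:
    escalation (roles added), change (roles only removed or swapped),
    new-user (absent from baseline), removed (absent from current)."""
    before, after = roles_by_login(baseline), roles_by_login(current)
    findings = []
    for login, new_roles in after.items():
        old_roles = before.get(login)
        if old_roles is None:
            findings.append((login, "new-user", set(), new_roles))
        elif new_roles != old_roles:
            kind = "escalation" if new_roles - old_roles else "change"
            findings.append((login, kind, old_roles, new_roles))
    for login in before.keys() - after.keys():
        findings.append((login, "removed", before[login], set()))
    return findings

def gained_admin(findings):
    """Logins that hold admin now but did not in the baseline."""
    return sorted(l for l, _, old, new in findings
                  if "admin" in new and "admin" not in old)

def load_snapshots():
    return json.loads(BASELINE_JSON), json.loads(CURRENT_JSON)

if __name__ == "__main__":
    base, cur = load_snapshots()
    for login, kind, old, new in detect_role_changes(base, cur):
        print(f"{kind:<10} {login}: {sorted(old)} -> {sorted(new)}")
```

Run against a baseline captured right after you verify your user list is clean, any non-empty result deserves an immediate look at that account's activity.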

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

If you are using TheHive 3.x, upgrade to TheHive 3.3.1 by updating the binary package on your system.

Support

Something does not work as expected? Having trouble installing or upgrading? No worries: please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.