Privilege Escalation Vulnerability in All Versions of TheHive

Jeffrey Everling has identified a nasty privilege escalation vulnerability in all versions of TheHive, including Mellifera 13.2 (TheHive 2.13.2) and Cerana 0.2 (TheHive 3.0.2). Jeffrey reported it to us today, Friday, Dec 22, 2017. Thanks, but we could think of a better Christmas gift 😉

The vulnerability allows users with read-only or read/write access to escalate their privileges and eventually become administrators. Exploiting it requires nothing more than an authenticated account on TheHive with read-only or read/write privileges.

The attacker needs to interact with the API in a specific though trivial way to obtain administrator privileges. Once the request has been processed, they log into TheHive through the Web UI and see the administrator menu, from which they can edit or lock user accounts, add case templates, and so on.

We highly recommend that you update TheHive to Cerana 0.3 (TheHive 3.0.3), which fixes the vulnerability. If you are still using Mellifera and have not made the move to Cerana yet, please update to Mellifera 13.3 (TheHive 2.13.3), which also corrects this flaw.

If you cannot immediately apply the hotfixes we have released, we have created a shell script that will help you spot anyone who has exploited the vulnerability. You can download it from the following location:

https://drive.google.com/file/d/1F8VOUMLoCVnIdHjnbhMTzf_9Z2Ud_Vuw/view?usp=sharing

Check the download against the following SHA256 hash (for example with sha256sum) before running it:

18c74f921b92cc68ea7bc10c7522691d671074331191fe22269cc936bfdb0e9a

When you run the script, it will display all users that have changed their roles. If even a single match is found, your instance has potentially been compromised. We advise you to create a crontab entry that executes the script on a regular basis until you apply the hotfixes. Keep in mind that the script detects exploitation after the fact; it does not close the hole.
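The detection idea above, replaying the audit trail and flagging role changes that no legitimate administrator should have produced, can also be expressed over an exported audit log. The following is an added example written for this page, not the project's script: it assumes TheHive 2.x/3.x audit documents carry the fields objectType, objectId, operation, details, createdBy and createdAt, with user roles stored as the strings "read", "write" and "admin", and it works on a constructed newline-delimited JSON sample rather than a live Elasticsearch index. Any change where the acting account modified its own roles, or where the actor did not itself hold the admin role at that point in the trail, is reported.

```python
"""Flag suspicious role changes in TheHive audit records (added example)."""
import json
from typing import Dict, Iterable, List, Set

# Role string that marks an administrator (assumption: TheHive 2.x/3.x uses
# the role names "read", "write" and "admin").
ADMIN_ROLE = "admin"

# Constructed sample audit trail, newline-delimited JSON, oldest first.
# The field names objectType/objectId/operation/details/createdBy/createdAt
# are assumed here; verify them against the "audit" documents in your index.
SAMPLE_AUDIT = """\
{"objectType":"user","objectId":"admin","operation":"Creation","createdBy":"init","createdAt":1513900000000,"details":{"login":"admin","roles":["read","write","admin"]}}
{"objectType":"user","objectId":"alice","operation":"Creation","createdBy":"admin","createdAt":1513900100000,"details":{"login":"alice","roles":["read","write"]}}
{"objectType":"user","objectId":"bob","operation":"Creation","createdBy":"admin","createdAt":1513900200000,"details":{"login":"bob","roles":["read"]}}
{"objectType":"user","objectId":"alice","operation":"Update","createdBy":"alice","createdAt":1513900300000,"details":{"roles":["read","write","admin"]}}
{"objectType":"user","objectId":"bob","operation":"Update","createdBy":"admin","createdAt":1513900400000,"details":{"roles":["read","write"]}}
{"objectType":"case","objectId":"AVxyz","operation":"Update","createdBy":"alice","createdAt":1513900500000,"details":{"status":"Resolved"}}
{"objectType":"user","objectId":"bob","operation":"Update","createdBy":"bob","createdAt":1513900600000,"details":{"roles":["read","write","admin"]}}
"""


def parse_audit(ndjson: str) -> List[dict]:
    """Parse NDJSON audit records and order them oldest first."""
    records = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["createdAt"])


def find_suspicious_role_changes(records: Iterable[dict]) -> List[dict]:
    """Replay user audit records and report role changes that are suspicious.

    A change is suspicious when the acting account modified its own roles, or
    when the acting account did not hold the admin role at that time, as
    reconstructed from the earlier records. Each finding also records whether
    the change handed out the admin role.
    """
    roles: Dict[str, Set[str]] = {}
    findings: List[dict] = []
    for rec in records:
        if rec.get("objectType") != "user":
            continue
        details = rec.get("details") or {}
        if "roles" not in details:
            continue  # e.g. a password or name change, not a role change
        target = rec["objectId"]
        actor = rec["createdBy"]
        new_roles = set(details["roles"])
        old_roles = roles.get(target, set())
        if rec.get("operation") == "Update":
            reasons = []
            if actor == target:
                reasons.append("self-modification")
            if ADMIN_ROLE not in roles.get(actor, set()):
                reasons.append("actor did not hold the admin role")
            if reasons:
                findings.append({
                    "user": target,
                    "actor": actor,
                    "when": rec["createdAt"],
                    "before": sorted(old_roles),
                    "after": sorted(new_roles),
                    "escalated_to_admin": ADMIN_ROLE in new_roles - old_roles,
                    "reasons": reasons,
                })
        # Apply the change so later records are judged against current state.
        roles[target] = new_roles
    return findings


if __name__ == "__main__":
    for f in find_suspicious_role_changes(parse_audit(SAMPLE_AUDIT)):
        print(f"{f['user']}: {f['before']} -> {f['after']} by {f['actor']}"
              f" ({', '.join(f['reasons'])})")
```

On the sample, the two self-granted admin roles (alice and bob) are reported while the administrator's legitimate change to bob's roles is not. Against a real instance you would feed it the audit documents from your Elasticsearch index, oldest first, and treat any finding as a reason to review that account and the actions it took afterwards.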

To Upgrade to Cerana 0.3 (TheHive 3.0.3)

Start by following the migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Note that you can install TheHive from an RPM or DEB package, use Docker, install it from a binary or build it from source.

To Upgrade to Mellifera 13.3 (TheHive 2.13.3)

DEB Package

wget https://dl.bintray.com/cert-bdf/debian/TheHive_2.13.3-1_all.deb
dpkg -i TheHive_2.13.3-1_all.deb

The SHA256 hash of the DEB package is:

68c606fb9cbd56f63ba1f2d29c7f7652f4848c7783a6da574532bed0c963829b

RPM Package

wget https://dl.bintray.com/cert-bdf/rpm/thehive-2.13.3-1.noarch.rpm
rpm -Uvh thehive-2.13.3-1.noarch.rpm

The SHA256 hash of the RPM package is:

e566418bf861b2bf28842cf92f5c5d475c98fee1a3ae0d65e3990fd061a0bce0

Docker

docker run certbdf/thehive:2.13.3-1

Binary Package

wget https://dl.bintray.com/cert-bdf/thehive/thehive-2.13.3.zip

The SHA256 hash of the binary package is:

54c589f929744096b50d01264b9d4cc8b9e3d30d397fe810879b4d16b81287c1

Unzip the file in the folder of your choosing.

Support

Something does not work as expected? Having trouble installing or upgrading? No worries: please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

The Perfect Christmas Gift

George Abitbol* doesn't feel well. Christmas is approaching at a fast pace and the gift he ordered days ago for his girlfriend hasn't found its way to his mailbox yet. He checked it three times today and, save for some spam catalogues on how to take care of his handsome silhouette, nothing resembling a gift showed up.

Picture by Saâd Kadhi

He tried to call the French parcel service to learn the whereabouts of the luxurious, limited edition of the organic sweet potato chips his lovely Jacqueline* likes so much, which sells for four times the regular price (to bear the cost of the enhanced packaging, certainly), but he couldn't get hold of a living soul all day long. When he placed the order, the delivery was supposed to be lightning fast. It turned out to be a false promise.

With a sinking heart, he climbs back up the stairs leading to his apartment, fetches his laptop and sits in his club chair. With his headphones on, immersed in the wonderful jazz of Christian Scott, he wanders randomly through online shopping sites trying to make up his mind on what other presents he could get for his dear Jacqueline, in time for Christmas.

In the middle of the track called Encryption, featuring the uncanny Elena Pinderhughes on flute, a Twitter notification resonates in his ears. He checks it out and learns that TheHive Chefs, as true and elegant gentlemen, have published a new training VM for Cerana 0.3 (a.k.a. TheHive 3.0.3), including Cortex 1.1.4 and the latest set of Cortex-Analyzers.

George loves bees in all shapes and forms, including digital ones, so he swiftly downloads the new VM and, as the cautious person he is, verifies the file's SHA256 hash: 86a87b70627e8db672c57cb57821461f2564ae9b8087cc22fdd1e7a599c16aed. Wonderful! Everything checks out beautifully. He then imports the file into his VM software, starts the virtual machine and logs in as thehive, then types in thehive1234 when asked for the password.

He thoroughly reads the documentation to configure various analyzers and integrate his favourite Security Incident Response Platform with MISP. A few minutes later, his VM is ready for prime time and he starts playing with the new multi-source dashboards and interacting with fellow analysts on Gitter.

And he totally forgets about Jacqueline’s gift.

(*) Any resemblance to real and actual names is purely coincidental.

Correction: Dec 23, 2017
An earlier version of this post was referring to a previous training VM that included Cerana 0.2, a version affected by a privilege escalation vulnerability which was corrected in Cerana 0.3. Some typos were corrected as well.

Cerana: a Sneak Peek

Initially planned for Nov 17, 2017, Cerana, the next major release of TheHive, is delayed by a few days for three reasons: fixing a few minor but nonetheless irksome bugs, quality assurance, and adding small but nice features that would otherwise have required a new database migration a short while after the one performed during the upgrade to this new version.

The new release date for Cerana (TheHive 3.0.0) is Dec 5, 2017, the same day we'll have our second joint workshop with the fine people of the MISP Project during the Botconf conference in Montpellier, France (food, wine, sightseeing… well, you get the picture).

If we should mention a single major Cerana feature to convince you to install it or take it for a spin, that would be dynamic dashboards, with no hesitation.

While it was enough for a start, the Statistics module doesn't take advantage of the underlying Elasticsearch storage and the many ways we can play with all the data that analysts keep feeding to TheHive. Not only that, but what about custom fields, alerts, and so on? Enter Dynamic Dashboards.


Dynamic Dashboards – Alert types and sources

To put it simply, Cerana will allow you to analyze TheHive data (almost) any way you want and chart it using different options: how many alerts of a certain type have been received during a given period? Over all the cases that are recorded within TheHive, how many observables with a specific tag and flagged as IOCs are there? …


Dashboards can be private to an analyst, shared with fellow TheHive users, imported from another instance and exported. By adding the import/export feature, we hope to foster sharing within TheHive community where teams would impart useful dashboards to their peers. Graphs can also be saved as images to add to reports.

Dynamic Dashboards – Sources of observables

To ease upgrades, Cerana will come with a few dashboards out of the box that mimic the Statistics module, so you won't lose existing functionality when you make the move. At this stage, we'd like to remind you that we only support the current release and the previous one. When Cerana is published, we'll obviously support it (genius, isn't it?) as well as Mellifera 2.13.2. Nothing else.

Dynamic Dashboards – Case status, resolution and impact

Cerana will also give you the ability to import and export case templates, a feature that has been requested by our growing user base. This could be a first step towards a global repository where case templates can be shared, refined and created according to common standards, regulations or compliance requirements. Think LPM in France, NIS in Europe, GDPR, etc. Case templates will also be improved to contain default metric values if needed and to automatically assign tasks to given analysts.

Another addition worth mentioning is the sighted flag for IOCs. When an analyst flags an observable as IOC and as sighted, it means that observable is not simply something coming from a sandbox analysis (think C2) or from a 3rd party but was confirmed as being used by a threat actor in your network. In a later release, exporting cases to MISP instances will make use of this new flag to feed MISP attribute sightings. The sighted value will also be used in the future to improve alert previewing.

Last but not least, Cerana will supervise the ‘health’ of the Cortex and MISP instances it is integrated with. The Cortex and MISP logos at the bottom right corner of TheHive UI appear when integration with those products is enabled. They will also have a coloured circle to indicate health:

  • Green: TheHive can reach all of the configured Cortex/MISP instances.
  • Orange: TheHive can reach some, but not all, of them.
  • Red: no instance can be reached.

There are other areas (the About page, the observable analysis buttons…) where the health of Cortex and/or MISP can be monitored.

Now, if you don't mind, we have some coding to do. We'd better get back to it if we want to give you a luscious release. See you soon!