It’s a sunny week in Paris, France (not Texas) barring the tropical rain that washed out the city earlier this morning. And when there’s sun in France, there’s happiness and… coding of course (what else?). The French Chefs of TheHive Project seem to be in a good mood (n’est-ce pas Jérôme ?), thanks to the vitamin D extra charge they got for free from the big star up above.
Version 1.2.2 of the Python API client for TheHive is now available. It mainly fixes issues related to missing Python dependencies and adds support for creating alerts containing files for Python 3.
To update your existing package:
$ sudo pip install thehive4py --upgrade
If you are just getting started with TheHive4py, you can forgo the --upgrade at the end of the command above.
Houston? Are you There?
Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. As usual, we’ll be more than happy to help!
Thanks to the invaluable contributions of our growing and thriving user community, Cortex has now 6 more analyzers, bringing the total to 21. The new analyzers, released under our usual AGPL v3 license, are:
CIRCLPassiveDNS
CIRCLPassiveSSL
GoogleSafebrowsing
Nessus
Virusshare
Yara
All but one have been submitted by Nils Kuhnert of CERT-Bund. The Nessus analyzer has been contributed by our long-time friend Guillaume Rousse.
Cortexutils 1.1.0
While reviewing the submissions, we realized that a new version of the Cortexutils library was needed in order to support both Python 2 and 3. Hence we released version 1.1.0. You can grab it through PIP. To update your existing installation, please run the following command:
sudo pip install cortexutils --upgrade
Note that Cortexutils 1.1.0 is required to benefit from these analyzers and future ones. If you are performing a fresh Cortex installation, follow the guide.
Installation
To install the new analyzers, grab the Cortex-Analyzers repository and unpack its content (or git pull the master branch) in your existing /path/to/cortex-analyzers. Then follow the Cortex analyzers guide.
New Short and Long Report Templates for TheHive
Short and long reports for TheHive were also created to parse and display the results produced by the new analyzers. We also bundled in the new package a URL analysis template for Joe Sandbox which was missing and improved some of the older short templates in order to follow a taxonomy.
To import the new report templates in your instance of TheHive:
click on Import templates button and select the downloaded package
CIRCLPassiveDNS
The CIRCLPassiveDNS analyzer lets you check the CIRCL’s Passive DNS service for a given domain. It takes domains and URLs as input. Access to the service is allowed to trusted partners in Luxembourg and abroad. If you think you qualify, please contact the good CIRCL folks. To make it work, you’ll need the pypdns Python library.
In order to take advantage of CIRCLPassiveDNS, you need to add the following section to the Cortex configuration file (application.conf):
CIRCLPassiveDNS {
user=""
password=""
}
When called from TheHive, the following output is produced:
TheHive: CIRCLPassiveDNS Analyzer – Short and Long Report Samples
CIRCLPassiveSSL
The CIRCLPassiveSSL analyzer lets you check CIRCL’s Passive SSL service for a given IP address or certificate hash. Access to the service is restricted to partners and security researchers worldwide. If you think you qualify, please contact the good CIRCL folks. This analyzer needs the pypssl Python library to work properly.
To use it, please add the following section to the Cortex configuration file (application.conf):
CIRCLPassiveSSL {
user=""
password=""
}
When called from TheHive, the following output is produced:
TheHive: CIRCLPassiveSSL Analyzer – Short and Long Report Samples
To leverage GoogleSafebrowsing, add the following section to Cortex’ configuration file:
GoogleSafebrowsing{
key=""}
When you run the analyzer fromTheHive, you should see output similar to the samples below:
TheHive: GoogleSafebrowsing Analyzer — Short and Long Report Samples
Nessus
The Nessus analyzer lets you leverage Tenable’s Nessus Vulnerability Scanner to scan an IP address or a FQDN. Of course, you must not scan assets that do not belong to you, unless you really know what you are doing. That’s why safeguards were built in the analyzer’s configuration:
The nessrest Python library is needed to make REST API calls to Nessus. Analysts would use the analyzer to assess the vulnerabilities of potentially compromised machines or new, unknown assets that have been plugged into one of their constituency’s networks. Of course, penetration testers conducting large-scale reconnaissance can also benefit from this analyzer.
TheHive: Nessus Analyzer — Short and Long Report Samples
Virusshare
The Virusshare analyzer lets you verify whether a file or hash is available on VirusShare.com. It requires the progressbar2 Python library besides requests (which should be already installed if you have an existing Cortex installation). As stated by Nils:
This analyzer enables searching for md5 hashes in Virusshare.com hash list. It does not download samples for you nor links directly to the sample – the author of virusshare prohibits the automatic download/site scraping and I respect that. It provides a button to start the virusshare search, though, but you need an account for that. You can request an invitation to the platform through contacting the admin via mail, directly.
To use it, add the following section to your Cortex application.conf:
Virusshare {
path="/path/to/download/directory"
}
Quoting Nils again, in order to download the newest available hash lists from virusshare.com, you can run the download_hashes.py script that comes with the analyzer.
Upon running the analyzer from TheHive, the report will contain a link to the corresponding Virusshare page if a match is found as shown below.
TheHive: Virusshare Analyzer — Long Report Sample
Yara
Last but not least, the Yara analyzer can check files against YARA rules using yara-python. To use it, add the following to your Cortex configuration file:
You can specify path to directories and files. If you supply a directory, the analyzer expects to find an index.yar or index.yas file. The index file can include other rule files. An example can be found in the Yara-rules repository.
TheHive: Yara Analyzer — Short and Long Report Samples
Running Into Trouble?
Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!
Our good friends at Randorisec, joined by other pentesting professionals (see below), performed a fully fledged pentest of Buckfast 0 (TheHive 2.10.0) and Cortex 1.0.0 during 4 man-days spanning several weeks, starting from February 9, 2017 and ending on March 21, 2017.
They have identified several security issues detailed in their report which they privately shared with us prior to publication. As a result, we are happy to announce the immediate availability of Buckfast 2 (TheHive 2.10.2) which fixes the following vulnerabilities:
Stored XSS (ref. AP1 in the report) and Reflected XSS (AP2): malicious JavaScript code can be injected. It will be then executed on the victim’s browser. See issue #159 for more details.
Vertical privilege escalation (AP3): an authenticated simple user can have access to some admin menus. See issue #160 and issue #161.
CSRF (AP8): As no anti-CSRF tokens are used, TheHive is vulnerable to CSRF attacks. See issue #158.
Cortex 1.0.0 and 1.0.1 are also affected by AP2. A new Cortex version will be released very shortly to fix it.
Additionally, Buckfast 2 fixes the following bugs:
Issue #152: pagination does not work with 100 results per page.
Issue #169: error when importing some MISP events due to their unexpected JSON format. This has also been fixed in MISP v2.4.71.
We have also added the following features:
Issue #157: add persistence for task viewing options.
Issue #174: run all analyzers on multiple observables from the observables view.
Randorisec identified 4 more security issues rated low which aren’t fixed by this release:
Concurrent sessions allowed (AP4): we do not deem this a security vulnerability and hence we won’t fix it unless our user community request a patch.
No account lockout policy (AP5): if you use the local authentication system, it can be brute-forced. We are going to fix this in Mellifera 1 (TheHive 2.11.1) due at the end of May 2017. In the meantime, you can use LDAP, Active Directory or both and configure a password policy on those systems.
No password policy (AP6): as no password policy is enforced when using the local database for storing user credentials, users can set weak passwords (e.g.: containing only one character). We are going to fix this in Mellifera 1 (TheHive 2.11.1) due at the end of May 2017. In the meantime, you can use LDAP, Active Directory or both and configure a password policy on those systems.
Information leakage (AP7): information such as installed software versions (TheHive, ElasticSearch) is publicly available. TheHive should be not be publicly accessible and access should be filtered by a firewall or a similar device for authorized IP addresses only.
If you are running Buckfast 1 or a previous version, please follow the updating instructions to update to Buckfast 2. It is actually an extremely simple operation. If you are doing a fresh installation, we have you covered as well.
Please note that Randorisec and the pentesting professionals that joined it for this pentest have no contract with TheHive Project and did not receive any compensation of any sort to perform this work. They worked on their free time as a way to contribute to the security of Free, Open Source Software projects. We’d like to wholeheartedly thank Davy Douhine, Randorisec’s CEO, ArtsSEC, Frédéric Cikala, Nicolas Mattiocco, Florent Montel and Mohamed Mrabah for their invaluable contribution.
Correction: April 21, 2017
An earlier version of this article mentioned Maximilano Soler among the professionals who joined Randorisec to perform a pentest on our products. At his request, we have removed his name and replaced it by ArtsSEC.
TheHive Project 