Privilege Escalation Vulnerability in All Versions of TheHive

Jeffrey Everling has identified a nasty privilege escalation vulnerability in all versions of TheHive, including Mellifera 13.2 (TheHive 2.13.2) and Cerana 0.2 (TheHive 3.0.2). Jeffrey reported it to us today Friday, Dec 22, 2017. Thanks but we could think of a better Christmas gift 😉

The vulnerability allows users with read-only or read/write access to escalate their privileges and eventually become administrators. To exploit it, an attacker must have access to an account on TheHive with read-only or read/write privileges.

The attacker needs to interact with the API in a specific though trivial way to obtain administrator privileges. After verifying that their request has been correctly processed, they connect to TheHive using the Web UI and they will see the administrator menu from where they can edit or lock user accounts, add case templates, etc.

We highly recommend you update TheHive to Cerana 0.3 (TheHive 3.0.3) which fixes the vulnerability. If you are still using Mellifera and have not made the move to Cerana yet, please update to Mellifera 13.3 (TheHive 2.13.3) which also corrects this flaw.

If you cannot immediately apply the hotfixes we have released, we have created a shell script that will allow you to spot anyone who exploited the vulnerability. You can download the script from the following location:

https://drive.google.com/file/d/1F8VOUMLoCVnIdHjnbhMTzf_9Z2Ud_Vuw/view?usp=sharing

The SHA256 hash of the script is:

18c74f921b92cc68ea7bc10c7522691d671074331191fe22269cc936bfdb0e9a

Check the download against the SHA256 hash above before running it. When you run the script, it displays all users whose roles have changed. If even a single match is found, your instance has potentially been compromised. We advise you to create a crontab entry that executes the script on a regular basis until you apply the hotfixes.
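As an added example (not the script TheHive Project published, and not TheHive's audit schema), this is the kind of check such a script performs: replay the user audit trail, report every change to a user's roles, and flag the changes that no administrator made, including changes made by someone who only became an administrator through such a change. The record layout, the field names, the initial role table and the sample records are constructed assumptions for the illustration:

```python
"""Added example (not TheHive Project's detection script): replay a user audit
trail and flag role changes that were not made by a legitimate administrator.

Assumptions: audit records are available as one JSON object per line with the
fields objectType, operation, objectId, createdBy, createdAt (epoch ms) and
details. The sample records below are constructed and the layout does not
reproduce the exact schema of TheHive's audit index.
"""
import json

ADMIN_ROLE = "admin"

# Constructed sample records: alice is created read/write, an admin promotes
# bob, alice promotes herself, alice then edits a case and renames her account
# (no roles touched), and finally alice, now "admin", promotes carol.
SAMPLE_AUDIT_LOG = """\
{"objectType": "user", "operation": "Creation", "objectId": "alice", "createdBy": "admin", "createdAt": 1513900000000, "details": {"roles": ["read", "write"]}}
{"objectType": "user", "operation": "Update", "objectId": "bob", "createdBy": "admin", "createdAt": 1513900100000, "details": {"roles": ["read", "write", "admin"]}}
{"objectType": "user", "operation": "Update", "objectId": "alice", "createdBy": "alice", "createdAt": 1513900200000, "details": {"roles": ["read", "write", "admin"]}}
{"objectType": "case", "operation": "Update", "objectId": "case-1", "createdBy": "alice", "createdAt": 1513900300000, "details": {"status": "Resolved"}}
{"objectType": "user", "operation": "Update", "objectId": "alice", "createdBy": "alice", "createdAt": 1513900400000, "details": {"name": "Alice"}}
{"objectType": "user", "operation": "Update", "objectId": "carol", "createdBy": "alice", "createdAt": 1513900500000, "details": {"roles": ["read", "write", "admin"]}}
"""

# Assumed roles of accounts that already existed when the audit trail starts.
INITIAL_ROLES = {
    "admin": {"read", "write", "admin"},
    "bob": {"read", "write"},
    "carol": {"read"},
}


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records and return them oldest first."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["createdAt"])


def find_role_changes(records, initial_roles=None, since=0):
    """Replay user records and report every change to a user's roles.

    A finding is suspicious when the actor changed their own roles, did not
    hold the admin role at that moment, or only holds it because of an
    earlier suspicious change (tainted). The whole history is replayed for
    state; `since` (epoch ms) only filters which findings are reported, so
    the function can run from cron over a growing log.
    """
    roles = {user: set(r) for user, r in (initial_roles or {}).items()}
    tainted = set()   # users whose admin role came from a suspicious change
    findings = []
    for rec in records:
        if rec.get("objectType") != "user":
            continue
        user, actor = rec["objectId"], rec["createdBy"]
        new_roles = rec.get("details", {}).get("roles")
        if rec["operation"] == "Creation":
            roles[user] = set(new_roles or [])
            continue
        if new_roles is None:          # update that did not touch roles
            continue
        old_roles = roles.get(user, set())
        new_roles = set(new_roles)
        if new_roles != old_roles:
            actor_is_admin = ADMIN_ROLE in roles.get(actor, set())
            suspicious = actor == user or not actor_is_admin or actor in tainted
            if suspicious and ADMIN_ROLE in new_roles - old_roles:
                tainted.add(user)
            if rec["createdAt"] >= since:
                findings.append({
                    "user": user, "by": actor, "at": rec["createdAt"],
                    "added": sorted(new_roles - old_roles),
                    "removed": sorted(old_roles - new_roles),
                    "suspicious": suspicious,
                })
        roles[user] = new_roles
    return findings


if __name__ == "__main__":
    for f in find_role_changes(parse_audit_log(SAMPLE_AUDIT_LOG), INITIAL_ROLES):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag}: {f['user']} roles changed by {f['by']} "
              f"(+{f['added']} -{f['removed']})")
```

Run from cron, pass the timestamp of the previous run as `since` so only new findings are reported, but keep feeding the full history: without it the replay cannot tell whether the actor of a later change was a legitimate administrator.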

To Upgrade to Cerana 0.3 (TheHive 3.0.3)

Start by following the migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

To Upgrade to Mellifera 13.3 (TheHive 2.13.3)

DEB Package

wget https://dl.bintray.com/cert-bdf/debian/TheHive_2.13.3-1_all.deb
dpkg -i TheHive_2.13.3-1_all.deb

The SHA256 hash of the DEB package is:

68c606fb9cbd56f63ba1f2d29c7f7652f4848c7783a6da574532bed0c963829b

RPM Package

wget https://dl.bintray.com/cert-bdf/rpm/thehive-2.13.3-1.noarch.rpm
rpm -Uvh thehive-2.13.3-1.noarch.rpm

The SHA256 hash of the RPM package is:

e566418bf861b2bf28842cf92f5c5d475c98fee1a3ae0d65e3990fd061a0bce0

Docker

docker run certbdf/thehive:2.13.3-1

Binary Package

wget https://dl.bintray.com/cert-bdf/thehive/thehive-2.13.3.zip

The SHA256 hash of the binary package is:

54c589f929744096b50d01264b9d4cc8b9e3d30d397fe810879b4d16b81287c1

Unzip the file in the folder of your choosing.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

TheHive4py 1.3.0 is Here

Version 1.3.0 of the Python API client for TheHive is now available. It is compatible with the freshly released Mellifera 13. This new release includes the changes outlined below.

To update your existing package:

$ sudo pip install thehive4py --upgrade

If you are just getting started with TheHive4py, you can forgo the --upgrade at the end of the command above.

New Features

  • Add more options to sort, filter and paginate case tasks and observables
  • Add a find_alerts method to allow querying alerts
  • Add support for the API key authentication mechanism

Bug Fixes

  • Added a `verify` parameter to API calls

Breaking Changes

  • The `get_case_tasks` method has been made consistent with all the other methods and now returns a `Response` object instead of a JSON dict.

Houston? Are you There?

Should you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. As usual, we’ll be more than happy to help!

C’est La Vie !

Earlier today, we released Mellifera 12.1. Shortly after, we published 3 new Cortex analyzers: WOT, YETI and Cuckoo Sandbox.

It’s time for us to rest. We are closing* TheHive’s code kitchen for most of August 2017 to enjoy all that France has to offer: wine (obviously), literature, beaches, mountains, gorgeous food, and a unique savoir vivre.

So keep calm and eat croissants.

(Image source: Pinterest)

See you back soon. Au revoir !

(*) Bear with us as we will be particularly slow to respond to support and feature requests as well as Gitter queries.

Train till you Drain: TheHive & Cortex VM

Rejoice folks! You can now play with TheHive & Cortex thanks to the test VM we created. It includes Mellifera 12, the latest major version of TheHive, Cortex 1.1.3, the latest Cortex analyzers with all dependencies and ElasticSearch installed on top of Ubuntu 16.04 with Oracle JRE 8.

The test VM is intended to be used… well… for testing or training purposes. We strongly encourage you to refrain from using it for production.

Get It

You can download the VM from the following location:

https://drive.google.com/file/d/0B3G-Due88gfQYWR6WVlkLWhRemM/view?usp=sharing

To ensure that your download went through nicely, check the file’s SHA256 hash which must be equal to the following value:

17df5989d852583e3046daefb97caadff90d30ecf4402df69cf6036d7ad1cacd

The system’s login is thehive and the associated password is thehive1234. Since these credentials are published here, do not expose the VM to an untrusted network, and change the password if it will stay up for longer than a test session.

Use It

You can start using TheHive & Cortex once the VM is started. To access TheHive, point your browser to the following URL:

http://IP_OF_VM:9000

For Cortex, the port is 9999:

http://IP_OF_VM:9999

Configure TheHive

The first time you access TheHive, you’ll need to create the associated database by clicking on the Update Database button as shown below:

(Screenshot: Update TheHive’s Database on First Access)

TheHive’s configuration file is located in /etc/thehive/application.conf. For additional configuration, read the docs.

Cortex

TheHive is already configured to use the local Cortex service.

Analyzer and Associated Report Templates

To fully benefit from the analyzers, you should install the associated report templates:

  • download the report template package
  • log in to TheHive using an administrator account
  • go to the Admin > Report templates menu
  • click on the Import templates button and select the downloaded package

Plug it with MISP

The test VM does not contain a MISP instance and none is configured in TheHive’s configuration file. To play with MISP, you may want to use the VM our good friends at CIRCL provide. Once you’ve downloaded it, or if you have an existing instance, edit /etc/thehive/application.conf and follow the configuration guide.

Restart or Go Mad

After each modification of /etc/thehive/application.conf do not forget to restart the service:

$ sudo service thehive restart

Troubles?

TheHive service logs are located in /var/log/thehive/application.log.

Configure Cortex

All available analyzers are installed with their dependencies, but none is configured. To configure analyzers, edit /etc/cortex/application.conf and follow the configuration guide.

Restart or Go Mad

After each modification of /etc/cortex/application.conf do not forget to restart the service:

$ sudo service cortex restart

Troubles?

Cortex service logs are located in /var/log/cortex/application.log.

Need Help?

Something does not work as expected? No worries, we got you covered. Please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.


Correction: July 8, 2017 
An earlier version of this post offered to download the VM from Dropbox but they suspended the associated link due to seemingly heavy traffic. The post was updated to replace the Dropbox link with a Google Drive one.

Mellifera 12: The MAGA Edition

TheHive Project French Chefs are very happy to announce Mellifera 12, a brand new, all shiny, major version of TheHive.

This MAGA (Make Analysis Great Again) edition of your (soon to be?) favorite Security Incident Response Platform (SIRP) contains an awful lot of changes and improvements. While you can read the full changelog while waiting in line for your burger at HopDoddy or for your turn for the latest Disney attraction, we’d like to concentrate on a few features that would make you enjoy Digital Forensics & Incident Response like never before 🙂

Go Short or Go North

The Observables tab can now display the short (a.k.a. mini) reports produced by analyzers. Whenever you run an analysis (or many), the mini-reports will be shown as soon as the corresponding analyzer jobs have successfully finished. That way, you no longer have to click on each observable to access the short report.

(Screenshot: Short Reports shown on the Observables Tab)

In fact, you don’t even have to click on the observable to access the long report. Simply click on the corresponding short report and the long one will be displayed on top of the Observables tab, as shown in the following screencast. Ain’t that nifty?

(Screencast: A Single Click on the Short Report Shows the Long One)

The short reports have also been improved to follow a taxonomy. To get there, we had to review all 24 analyzers and their flavors, add new functionality to the CortexUtils Python library and improve the analyzers to add a summary section to their JSON output, which Mellifera 12 interprets and displays according to a color code as described in our previous post. Please make sure to read it, as it contains important information on how to update your cortexutils version, the analyzers and the report templates.

Is This Alert New or What?

Mellifera 12 introduces an important feature pertaining to alerts. Whenever you receive a new alert from MISP, email, a SIEM or any other source connected to TheHive, the alert preview page tells you whether it is similar to existing cases. If so, Mellifera 12 lets you import the new alert into an existing case, and any subsequent updates to that alert (think of an ongoing MISP event) are automatically added to the case.

(Screenshot: Alert Preview Page with the new Similar cases Section)

Template this, Template that

In addition to the ‘similarity’ feature outlined above, Mellifera 12 lets you choose the case template to use when importing a new alert instead of having to use only a specific case template per alert type/source.

(Screenshot: Choose the Template You’d Like to Use to Import an Alert)

Custom Fields

We heard our community and implemented a feature that was requested by several users: custom fields.

So you’d like to add a business impact to a specific type of cases? Or a set of TTPs? Or a Threat Actor? Or specify a Business Unit? No problem! Ask an admin to create a custom field, associate it with a case template and there you go.

(Screenshot: Add a Custom Field)

Unlike metrics, custom fields do not have to be filled in to close a case. You can also add custom fields to a case even if they are not associated with its case template. We currently support four types of custom fields: strings, numbers, booleans and dates, and you can define lists of acceptable values to limit your analysts’ choices to legitimate data.

Other New Features

Mellifera 12 gives you the ability to reopen closed tasks. When viewing the related cases tab of the current case, you’ll see the resolution status of those that were closed (false positive, true positive, indeterminate). External links now open in a new tab. Moreover, files included in alerts are no longer limited to 32 KB, so you no longer have an excuse to avoid sending user email reports, attachments included, to TheHive 😉

Download & Get Down to Work

If you have an existing installation of TheHive, please follow the migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Mellifera 11.3 Released

A few days ago, we were made aware of a bug in the way we pulled new or updated MISP events into Mellifera’s alerting panel. As a result, some events did not show up as intended, so you might have missed some of the action shared by peers and partners through MISP.

As true Frenchmen who care a lot about cuisine, TheHive Project’s Chefs went back to their code kitchen and cooked up a more palatable recipe, so that you are no longer left under the impression that you are seeing all new or updated MISP events when in fact you aren’t (we don’t want you to go too easy & lazy, n’est-ce pas ?). Mellifera 11.3 (TheHive 2.11.3), a hotfix version, has been released to that end and fixes the issue. Please note that you must use MISP 2.4.73 or later.

In addition, this new version of your favorite (or soon to be favorite) Security Incident Response Platform can be installed from a deb package on Ubuntu 16.04 without having to fiddle with OpenJDK. We have repackaged the software to avoid grabbing OpenJDK 9 (which TheHive does not support) and force the installation of version 8.

Finally, if an admin creates an empty case template, users can add tasks to it while previously this wasn’t possible.

Download & Get Down to Work

If you have an existing installation of TheHive, please follow the new migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.


Mellifera 2 Released: Make MISP Sync Great Again

The Chefs behind TheHive Project’s delicious code are happy to announce the availability of Mellifera 2 (TheHive v2.11.2), the scalable, free and open source Security Incident Response Platform. This minor version fixes two irking issues related to MISP and adds a few enhancements detailed below.

(Screenshot: Mellifera – The New Alerting Panel)

Fixed Issues

  • #220: alerts related to MISP events are not properly updated.
  • #221: in some edge cases, alerts related to MISP events are created with no attribute.

Enhancements

  • #188: display the case severity in the My tasks and the Waiting tasks pages to let analysts prioritize their work.
  • #218: show the description of an alert in the alerting panel.
  • #224: visually distinguish between analyzed and non-analyzed observables.

Download & Get Down to Work

If you have an existing TheHive installation, please follow the new migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Correction: May 26, 2017

A copy/paste error from a previous blog post was fixed.

Mellifera 1: Bugfixes, Enhancements and Documentation

Last week, we released Mellifera (TheHive 2.11.0), a major version of your favorite (or soon to be favorite) Security Incident Response Platform. Sadly, some annoying bugs slipped past our QA (n’est-ce pas Thomas ?).

We are happy to announce the availability of Mellifera 1 (TheHive 2.11.1) which corrects those bugs and adds a few enhancements detailed below.

Issues Corrected

  • #204: update case templates created with previous versions of TheHive.
  • #205: remove duplicate tags associated to an observable present in two cases upon a case merging operation.
  • #206: apply case templates when an alert is converted into a case.

Enhancements

We also took the opportunity of this hotfix to add the following enhancements:

  • #180: merge duplicate tasks during a case merge operation. Starting from this release, if you have waiting tasks (i.e. not assigned) with the same name in cases you’d like to merge, the new merged case will have only one task instead of two.
  • #211: show the number of available analyzer reports for each observable. If an observable has not been analyzed yet, say so.

Documentation

Please note that we have moved all of TheHive’s documentation to a new repository. If you are not using TheHive4py 1.2.0 (or a later version), you can still send alerts to Mellifera through the REST API, as documented.

Download & Get Down to Work

If you have an existing TheHive installation, please follow the new migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Mellifera Is Here

TheHive Project French chefs are very excited to announce the immediate availability of Mellifera, TheHive 2.11.0, the greatest and latest iteration of our flagship product.

We are thrilled to share this major version with the incident response community, for free as usual. Yes, you read that sentence right. You don’t have to cough up a single € or BTC for a platform that is as good as some commercial alternatives, unless your boss is hassling you about paying big bucks to get so-called professional support. If that’s the case, try us and you might prove them wrong.

Going through all the features and fixes of this significant overhaul will take forever (well, almost) so let us highlight a few that we feel worthy of your attention and time.

The Alerting Framework

If you need one reason to upgrade from Buckfast to Mellifera or to ditch your existing, clunky incident handling platform and use ours, then that should be its brand-new and powerful alerting framework.

With Buckfast (TheHive 2.10.x) and earlier versions, you can configure multiple MISP instances. TheHive will then poll those instances at regular intervals and display new or updated events in a specific area where analysts can preview them, import them as cases using configurable templates or ignore them altogether (and if they do so by mistake, there’s no way to go back). And if you needed to raise alerts from a SIEM, email reports or other sources of noteworthy security events, you had to rely on TheHive4py API client and create a case without having a chance to preview the events in TheHive prior to the case creation.

Mellifera does not have these limitations. It features an all new, fancy and efficient alerting framework which can be displayed using the Alerts button in the Web interface. This button was previously called MISP.

Within the Alerts area, you can preview not only new or updated MISP events but also any event that you have pushed through TheHive4py. The client has been modified to be compatible with Mellifera. If you have an existing TheHive4py package, please upgrade to the new 1.2.0 version using PIP.

(Screenshot: The New Alerting Panel)

Using TheHive4py 1.2.0, you can send your SIEM alerts, user email reports and security events from various sources to Mellifera and your analysts will be able to preview and import them or simply ignore them. If they have ignored some events by mistake, they can use the quick actions on the top of the panel to retrieve them. Please note that you have to create programs that will bridge your event sources with Mellifera through TheHive4py.

(Screenshot: Stats within the Alerting Panel)

All New Skin

Mellifera has an all new skin with many refinements spread all over the interface. For example, you can now easily reorder the tasks within a case template. You can also sort task logs according to their creation date (oldest first, newest first). The flow (a.k.a live stream) is also collapsible. Moreover, when you create a case, Mellifera will suggest existing tags.

(Screenshot: Mellifera’s Brand New Skin)

Is MISP or Cortex There?

If you have configured Mellifera to interact with at least one MISP or Cortex instance, the Web interface will show their respective logos at the bottom of the page. Please note that you can now connect to MISP and Cortex even if you are behind a proxy which requires authentication.

(Screenshots: MISP and Cortex logos shown at the bottom of the page when each is configured)

New Installation Packages

Starting from this release, we no longer produce all-in-one binary packages and Docker images containing both TheHive and Cortex. Instead you can use separate Docker images, binaries, and RPM as well as DEB packages. Wink wink.

One More Thing

Mellifera has an all new logo and the project website has been completely redesigned. Now you can see who’s behind the project thanks to Alexandre Gohier, a close friend who also happens to be a professional photographer.

Download & Try

If you have an existing TheHive installation, please follow the new migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy!

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Buckfast 2 Release and Randorisec’s Pentest Report

Our good friends at Randorisec, joined by other pentesting professionals (see below), performed a fully fledged pentest of Buckfast 0 (TheHive 2.10.0) and Cortex 1.0.0 during 4 man-days spanning several weeks, starting from February 9, 2017 and ending on March 21, 2017.


They have identified several security issues detailed in their report which they privately shared with us prior to publication. As a result, we are happy to announce the immediate availability of Buckfast 2 (TheHive 2.10.2) which fixes the following vulnerabilities:

  • Stored XSS (ref. AP1 in the report) and Reflected XSS (AP2): malicious JavaScript code can be injected. It will be then executed on the victim’s browser. See issue #159 for more details.
  • Vertical privilege escalation (AP3): an authenticated regular user can access some admin menus. See issue #160 and issue #161.
  • CSRF (AP8): As no anti-CSRF tokens are used, TheHive is vulnerable to CSRF attacks. See issue #158.

Cortex 1.0.0 and 1.0.1 are also affected by AP2. A new Cortex version will be released very shortly to fix it.

Additionally, Buckfast 2 fixes the following bugs:

  • Issue #152: pagination does not work with 100 results per page.
  • Issue #169: error when importing some MISP events due to their unexpected JSON format. This has also been fixed in MISP v2.4.71.

We have also added the following features:

  • Issue #157: add persistence for task viewing options.
  • Issue #174: run all analyzers on multiple observables from the observables view.

Randorisec identified 4 more security issues rated low which aren’t fixed by this release:

  • Concurrent sessions allowed (AP4): we do not deem this a security vulnerability and hence won’t fix it unless our user community requests a patch.
  • No account lockout policy (AP5): if you use the local authentication system, it can be brute-forced. We are going to fix this in Mellifera 1 (TheHive 2.11.1) due at the end of May 2017. In the meantime, you can use LDAP, Active Directory or both and configure a password policy on those systems.
  • No password policy (AP6): as no password policy is enforced when using the local database for storing user credentials, users can set weak passwords (e.g.: containing only one character). We are going to fix this in Mellifera 1 (TheHive 2.11.1) due at the end of May 2017. In the meantime, you can use LDAP, Active Directory or both and configure a password policy on those systems.
  • Information leakage (AP7): information such as installed software versions (TheHive, ElasticSearch) is publicly available. TheHive should not be publicly accessible; access should be filtered by a firewall or a similar device so that only authorized IP addresses can reach it.
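To make AP5 and AP6 concrete, here is an added example (not TheHive’s code, nor what Mellifera 1 shipped) of the two controls the report says the local authentication backend lacked: a password policy that rejects the one-character passwords mentioned above, and an account lockout that stops a brute-force attempt after a few failures. The user store, the PBKDF2 hashing, the thresholds and the injectable clock are assumptions made for this illustration.

```python
"""Added example, not code from TheHive: a password policy (AP6) and an
account lockout (AP5) placed in front of a local credential check.

The user store, PBKDF2 hashing, thresholds and the injectable clock are
assumptions made for this illustration, not TheHive's implementation.
"""
import hashlib
import hmac
import os
import string
import time

MIN_LENGTH = 12            # assumed policy values
MIN_CLASSES = 3
MAX_FAILURES = 5           # failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def password_policy_errors(password):
    """Return the policy violations for a candidate password (empty when it passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in password)
        + any(c.isupper() for c in password)
        + any(c.isdigit() for c in password)
        + any(c in string.punctuation for c in password)
    )
    if classes < MIN_CLASSES:
        errors.append(f"uses fewer than {MIN_CLASSES} character classes")
    if len(set(password)) < 4:   # rejects 'aaaaaaaaaaaa' as well as a single character
        errors.append("too few distinct characters")
    return errors


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LocalAuth:
    """Local user database with a password policy and an account lockout."""

    def __init__(self, now=time.time):
        self.now = now        # injectable clock so lockout expiry can be tested
        self.users = {}       # login -> (salt, digest)
        self.failures = {}    # login -> (failed attempts, locked_until)

    def set_password(self, login, password):
        """Store a password only if it satisfies the policy."""
        errors = password_policy_errors(password)
        if errors:
            raise ValueError("weak password: " + "; ".join(errors))
        self.users[login] = hash_password(password)

    def is_locked(self, login):
        _, locked_until = self.failures.get(login, (0, 0.0))
        return self.now() < locked_until

    def authenticate(self, login, password):
        """True on success. The lockout is checked before the password, so a
        locked account gives no answer at all, even for the right password."""
        if self.is_locked(login):
            return False
        stored = self.users.get(login)
        ok = False
        if stored is not None:
            salt, digest = stored
            ok = hmac.compare_digest(digest, hash_password(password, salt)[1])
        if ok:
            self.failures.pop(login, None)
            return True
        count, _ = self.failures.get(login, (0, 0.0))
        count += 1
        locked_until = self.now() + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[login] = (count, locked_until)
        return False
```

Note the trade-off a lockout introduces: keyed on the login alone, it lets anyone who knows an analyst’s username lock that analyst out of the platform, which is why production systems pair it with rate limiting by source address and an alert on repeated lockouts. The page’s own advice still stands in the meantime: delegate authentication to LDAP or Active Directory and apply the policy there.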

If you are running Buckfast 1 or a previous version, please follow the updating instructions to update to Buckfast 2. It is actually an extremely simple operation. If you are doing a fresh installation, we have you covered as well.

Should you encounter any difficulties, please do not hesitate to read the FAQ, ask questions on the user forum or on Gitter, or contact us directly at support@thehive-project.org.

Please note that Randorisec and the pentesting professionals that joined it for this pentest have no contract with TheHive Project and did not receive any compensation of any sort to perform this work. They worked on their free time as a way to contribute to the security of Free, Open Source Software projects. We’d like to wholeheartedly thank Davy Douhine, Randorisec’s CEO, ArtsSEC, Frédéric Cikala, Nicolas Mattiocco, Florent Montel and Mohamed Mrabah for their invaluable contribution.

Correction: April 21, 2017
An earlier version of this article mentioned Maximilano Soler among the professionals who joined Randorisec to perform a pentest on our products. At his request, we have removed his name and replaced it by ArtsSEC.