We urge our fellow fighters of cybercrime and funny and not-so-funny animals-in-disguise, to update their Cortex analyzers to the latest 1.15.2 version which plugs a serious vulnerability in the Unshortenlink analyzer and fixes several bugs.
On Jan 24, Alexandre Basquin discovered an SSRF vulnerability in the Unshortenlink 1.0 analyzer. By exploiting it, an attacker who has access to a Cortex instance with an analyze role can scan the ports of localhost and possibly of all the hosts reachable by Cortex. This could be automated through Cortex4py by making repetitive calls to the API and thus scanning multiple ports & hosts. In essence, the attacker can perform reconnaissance thanks to Unshortenlink and gain knowledge on which ports are open and which aren’t.
Version 1.1 of Unshortenlink, included in Cortex-Analyzers 1.15.2, plugs this vulnerability by disabling submissions containing IPs & ports. Only URLs are now accepted.
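As an added illustration (not code from the Cortex-Analyzers project), a URL pre-check in Python that applies the rule Unshortenlink 1.1 is described as enforcing above, rejecting IP literals and explicit ports, and that goes one assumed step further, resolving the hostname and refusing names that map to loopback or private ranges (the page does not say the analyzer does this). The resolver is injectable and the DNS table below is constructed, so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed name-to-address table standing in for DNS (not real records).
_FAKE_DNS = {
    "bit.ly": "8.8.8.8",          # resolves to a public address
    "internal.corp": "10.0.0.5",  # resolves to an RFC 1918 address
    "localhost": "127.0.0.1",     # resolves to loopback
}


def fake_resolve(host: str) -> str:
    """Offline stand-in for socket.gethostbyname using the table above."""
    try:
        return _FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed lookup failure for {host!r}")


def is_ip_literal(host: str) -> bool:
    """True when the host part is an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_url(url: str, resolve=socket.gethostbyname):
    """Return (accepted, reason) for a URL submitted to an unshortener."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname  # lowercased; IPv6 brackets already stripped
    if not host:
        return False, "missing host"
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "malformed port"
    if port is not None:  # mirrors the 1.1 fix: no explicit ports
        return False, "explicit port not allowed"
    if is_ip_literal(host):  # mirrors the 1.1 fix: no IP literals
        return False, "IP literal not allowed"
    # Assumed extra hardening: a name-only filter still lets through names
    # that resolve to internal addresses, so resolve and check the range.
    try:
        addr = resolve(host)
    except OSError:
        return False, "hostname does not resolve"
    if not ipaddress.ip_address(addr).is_global:
        return False, "host resolves to a non-public address"
    return True, "ok"
```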
Additionally, Cortex-Analyzers 1.15.2 corrects the following bugs:
- #416: the Mailer responder now supports UTF-8 encoding.
- #410: remove wrapping of the results produced by crt.sh as a list which ends up breaking the output of the report template. Contributed by Thomas Kastner.
- `enum` is not required for Python 3.4+ to make the MISP Search analyzer work.
- #408: FileInfo’s Manalyze plugin did not work after Manalyze renamed
- #406: fix a broken link in the Cymon_Check_IP report, submitted by Manabu Niseki.
- #313: fix wrong file handling in OTXQuery.
How to Update your Analyzers?
To update your analyzers to version 1.15.2, please read the Updating section of the Cortex installation guide.
Since the version numbers of a few analyzers have changed, you’ll need to connect to Cortex as an orgadmin to refresh the analyzer list, disabling old ones and enabling the new versions.
TheHive Report Templates
If you are using TheHive, you must import the new report templates in your instance as follows:
- download the updated package
- log in to TheHive using an administrator account
- go to
- click on the Import templates button and select the downloaded package
Wait a Minute! Where’s the Blog Post about 1.15.1?
Good catch! There was no blog post about Cortex-Analyzers 1.15.1. Call us lazy but there was nothing Earth-shattering, pole-shifting in that release. Nonetheless, here is a list of fixes included in that release and from which you’ll inherit automatically if you update from 1.15.0 to 1.15.2 directly:
- #402: Malwares analyzer code relied on functionality that’s only available in Python 3.7+. It has been fixed to work with 3.4 and up thanks to the work of Arcuri Davide.
- #404: fixes a bad folder renaming in the HIBP (Have I Been Pwned) analyzer.
- #398: MISP Search analyzer wouldn’t run without the `enum` dependency. Contributed by Mars Huang. Later improved in 1.15.2 (see above).