{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-045.pdf"
    },
    "title": "TheHive and Cortex Active Directory Authentication Bypass",
    "serial_number": "2022-045",
    "publish_date": "22-06-2022 16:03:00",
    "description": "On 22 June 2022, StrangeBee published an advisory about a critical vulnerability in the Active Directory (AD) authentication module of TheHive.<br>The vulnerability allows impersonating any account on the platform, including administrators. The exploit is possible if the configured AD is on-premise. If the Active Directory authentication module is neither enabled nor configured, or if Azure AD is used, the system is not vulnerable.",
    "url_title": "2022-045",
    "content_markdown": "---\ntitle: 'TheHive and Cortex Active\u00a0Directory\u00a0Authentication\u00a0Bypass'\nversion: '1.0'\nnumber: '2022-045'\noriginal_date: 'June 22, 2022'\ndate: 'June 22, 2022'\n---\n\n_History:_\n\n* _22/06/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn 22 June 2022, StrangeBee published an advisory about a critical vulnerability in the Active Directory (AD) authentication module of TheHive.\n\nThe vulnerability allows impersonating any account on the platform, including administrators. The exploit is possible if the configured AD is on-premise. If the Active Directory authentication module is neither enabled nor configured, or if Azure AD is used, the system is not vulnerable.\n\n# Technical Details\n\nTheHive and Cortex have an authentication vulnerability when the Active Directory module is enabled and used to authenticate users on the platform.\n\nIf an authentication request for an existing account is sent through TheHive API without a password, the AD response to the request is _Success_ and TheHive accepts the user authentication. The same vulnerability exists in Cortex; the exploitation process is similar and leads to the same consequences.\n\n# Affected Products\n\nBelow are the supported versions of the vulnerable products:\n\n- TheHive 5.0.7 and earlier\n- TheHive 4.1.20 and earlier\n- Cortex 3.1.4 and earlier\n\nThe unsupported TheHive 3 (EOL since the end of 2021) is also vulnerable. An exceptional update release is available for this product [1].\n\n# Recommendations\n\nCERT-EU strongly recommends updating to the latest available version as soon as possible. Details of the patched versions can be found in [1].\n\n## Mitigations\n\nIf updating is not possible, disabling the Active Directory authentication module prevents exploitation of the vulnerability.\n\n# References\n\n[1] <https://github.com/StrangeBeeCorp/Security/blob/main/Security%20advisories/SB-SEC-ADV-2022-001:%20Authentication%20bypass%20due%20to%20incomplete%20checks%20in%20the%20Active%20Directory%20authentication%20module.md>\n\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>22/06/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On 22 June 2022, StrangeBee published an advisory about a critical vulnerability in the Active Directory (AD) authentication module of TheHive.</p><p>The vulnerability allows impersonating any account on the platform, including administrators. The exploit is possible if the configured AD is on-premise. If the Active Directory authentication module is neither enabled nor configured, or if Azure AD is used, the system is not vulnerable.</p><h2 id=\"technical-details\">Technical Details</h2><p>TheHive and Cortex have an authentication vulnerability when the Active Directory module is enabled and used to authenticate users on the platform.</p><p>If an authentication request for an existing account is sent through TheHive API without a password, the AD response to the request is <em>Success</em> and TheHive accepts the user authentication. The same vulnerability exists in Cortex; the exploitation process is similar and leads to the same consequences.</p><h2 id=\"affected-products\">Affected Products</h2><p>Below are the supported versions of the vulnerable products:</p><ul><li>TheHive 5.0.7 and earlier</li><li>TheHive 4.1.20 and earlier</li><li>Cortex 3.1.4 and earlier</li></ul><p>The unsupported TheHive 3 (EOL since the end of 2021) is also vulnerable. An exceptional update release is available for this product [1].</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends updating to the latest available version as soon as possible. Details of the patched versions can be found in [1].</p><h3 id=\"mitigations\">Mitigations</h3><p>If updating is not possible, disabling the Active Directory authentication module prevents exploitation of the vulnerability.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/StrangeBeeCorp/Security/blob/main/Security%20advisories/SB-SEC-ADV-2022-001:%20Authentication%20bypass%20due%20to%20incomplete%20checks%20in%20the%20Active%20Directory%20authentication%20module.md\">https://github.com/StrangeBeeCorp/Security/blob/main/Security%20advisories/SB-SEC-ADV-2022-001:%20Authentication%20bypass%20due%20to%20incomplete%20checks%20in%20the%20Active%20Directory%20authentication%20module.md</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}