---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'TheHive and Cortex Active Directory Authentication Bypass'
version: '1.0'
number: '2022-045'
original_date: 'June 22, 2022'
date: 'June 22, 2022'
---

_History:_

* _22/06/2022 --- v1.0 -- Initial publication_

# Summary

On 22 June 2022, StrangeBee published an advisory about a critical vulnerability in the Active Directory (AD) authentication module of TheHive. The vulnerability allows impersonating any account on the platform, including administrators. Exploitation is possible when the configured AD is an on-premise directory. If the Active Directory authentication module is neither enabled nor configured, or if Azure AD is used, the system is not vulnerable.

# Technical Details

TheHive and Cortex have an authentication vulnerability when the Active Directory module is enabled and used to authenticate users on the platform. If an authentication request for an existing account is sent through TheHive API without a password, the AD response to the request is _Success_ and TheHive accepts the user as authenticated. The same vulnerability exists in Cortex; the exploitation process is similar and leads to the same consequences.

# Affected Products

The following supported versions of the products are vulnerable:

- TheHive 5.0.7 and earlier
- TheHive 4.1.20 and earlier
- Cortex 3.1.4 and earlier

TheHive 3, which is unsupported (end of life since the end of 2021), is also vulnerable. An exceptional update release is available for this product [1].

# Recommendations

CERT-EU strongly recommends updating to the latest available version as soon as possible. Details of the patched versions can be found in [1].
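To make the failure mode in the Technical Details section concrete, the following is an added example (not code from TheHive, Cortex, StrangeBee or CERT-EU). It models an application that authenticates users by performing an LDAP simple bind against an on-premise directory. The assumption behind the model is that a password-less request reaches the directory as a simple bind with an empty password; per RFC 4513 section 5.1.2 that is an *unauthenticated* bind, which a directory answers with success unless it is configured to refuse it, so an application that only checks the bind result treats the caller as logged in. The `DIRECTORY` accounts, the `ldap_simple_bind` model and the `authenticate_*` function names are constructed for illustration and are not the products' internals; the hardened variant shows the generic defence of rejecting empty credentials before any bind is attempted.

```python
"""Model of the empty-password LDAP bind bypass (constructed example)."""

from dataclasses import dataclass

# Constructed directory contents: username -> password. Hypothetical accounts.
DIRECTORY = {
    "alice": "correct horse battery staple",
    "admin": "S3cret!",
}


@dataclass
class BindResult:
    success: bool
    reason: str


def ldap_simple_bind(username: str, password: str) -> BindResult:
    """Model of an AD/LDAP simple bind (assumption: default directory behaviour).

    A bind naming an existing account but carrying an empty password is an
    unauthenticated bind (RFC 4513 s.5.1.2): the server reports success without
    verifying anything, and the session is bound anonymously, not as `username`.
    """
    if username not in DIRECTORY:
        return BindResult(False, "invalidCredentials")
    if password == "":
        return BindResult(True, "unauthenticated bind")
    if DIRECTORY[username] == password:
        return BindResult(True, "authenticated")
    return BindResult(False, "invalidCredentials")


def authenticate_vulnerable(username: str, password: str) -> bool:
    """Trusts the bind result as-is: the bypass pattern described in the advisory."""
    return ldap_simple_bind(username, password).success


def authenticate_fixed(username: str, password: str) -> bool:
    """Rejects empty or whitespace-only credentials before contacting the directory.

    Generic defence (an assumption, not the vendor's actual patch): an empty
    password must never reach the bind, because the directory cannot be relied
    on to refuse it.
    """
    if not username or not password.strip():
        return False
    return ldap_simple_bind(username, password).success


if __name__ == "__main__":
    for user, pw in [("admin", ""), ("admin", "wrong"), ("admin", "S3cret!")]:
        print(
            f"user={user!r} password={pw!r}: "
            f"vulnerable={authenticate_vulnerable(user, pw)} "
            f"fixed={authenticate_fixed(user, pw)}"
        )
```

Run stand-alone, the script shows the vulnerable path accepting `admin` with an empty password while the hardened path rejects it and still accepts the correct password. When reviewing any LDAP-backed login, apply the same check to the real bind call: an empty password must short-circuit to failure in the application, regardless of what the directory returns.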
## Mitigations

If updating is not possible, disabling the Active Directory authentication module prevents exploitation of the vulnerability.

# References

[1]