MISP Authentication Bypass Vulnerability in LDAP Mixed Authentication with OTP Enforcement

An authentication bypass vulnerability has been identified in MISP when LDAP mixed authentication is enabled alongside mandatory OTP (One-Time Password) requirements. In this configuration, users authenticated through an LDAP plugin can bypass the OTP challenge by accessing application URLs directly after logging in, instead of completing the OTP verification. This vulnerability allows access to the application as the authenticated user without providing a valid OTP code. The issue arises because the OTP requirement is not enforced until after the user session is established, creating a window for exploitation.

Impact

Exploitation of this vulnerability allows users to bypass OTP requirements, potentially leading to unauthorized access to the application as an authenticated user.

Reproduction

To reproduce this vulnerability, enable LDAP mixed authentication and require OTP in the MISP application. Authenticate a user through the LDAP plugin, which will establish a session before the OTP challenge is enforced. Once logged in, access another application URL directly, bypassing the OTP verification page.

Remediation

Users can update to the latest version of MISP, where this vulnerability has been addressed. Instructions for updating MISP are available in the MISP documentation.