It has been reported that an anonymous bug hunter has publicly disclosed a zero-day flaw in the version 5 of the popular vBulletin forum software than can be exploited over the internet to hijack servers. No patch is known to be available.The zero-day allows an attacker to execute shell commands on the server running a vBulletin installation. The attacker doesn’t need to have an account on the targeted forum.
lol vBulletin 5.x RCE 0day. Tested and works. https://t.co/NWH0AXIDD9 pic.twitter.com/fgwe7fZ3by
— uɐpʇou@ ✸ (@notdan) September 24, 2019
Having looked into this a little, it looks like the Version 5 of vBulletin that has this issue is only in use by 6.4% of users so this risk is mitigated by… well… being out of date. That does not mean these sites are safe, as there is a plethora of other vulnerabilities out there that affect versions below 5.0.
Admins and site owners using vBulletin should check what version they\’re running and, if using Version 5, update it as soon as they can or this trivial issue could cause some major problems.
This critical RCE vulnerability is surprisingly simple to exploit, and sadly very few web application firewalls (WAF) will block its exploitation. These days security flaws exploitable in a default configuration and without authentication are very rare in such well-establish web software. We should expect a tornado of automated hacking and web server backdooring campaigns to start now.
Website owners running the vulnerable versions should urgently shut down their vBulletin forums completely while the vendor is working on an emergency patch.
The motives of spontaneous disclosure remain unclear, such a vulnerability can worth quite a lot on the Black Market given the important number of high-profile targets using this forum. It can be a junior security enthusiast showcasing his/her skills for fun, as well as a professional cyber gang distracting everyone’s attention from something else.
Given that this vBulletin flaw offers remote code execution, and that it can be paired with the ability to leverage Shodan [the internet search tool] to find potential targets, makes it critically important that security professionals take action.
With just a few taps of the keyboard, anyone could take a small piece of code, gather the IP addresses of 1000s of vulnerable systems, and automatically exploit them.
Pair that with the fact that, post-exploitation, you can run any command against the compromised device and we could easily see mass attacks on sites running this ubiquitous news forum software.
Organisations and hobbyists should drop everything to verify what version of vBulletin they are running and if affected, and until a patch is available, I would take the unprecedented move to take the system offline. It really is that bad.