Vulnerability and zero-day exploit targeting vBulletin forum software

An exploit has been released publicly for a pre-authentication remote code vulnerability in the popular forum software vBulletin Connect.

vBulletin has released a patch to mitigate this issue.

vBulletin Connect is vulnerable to a command injection vulnerability in the ajax/render/widget_php routestring request. This request is available pre-authentication and would allow an attacker to run shell commands at the privilege level of the vBulletin server.

CERT NZ has no current reports of exploitation, however the released proof of concept makes it trivial to begin exploiting this vulnerability publicly.

 Such an exploit would likely be used for the purpose of exfiltrating user data, adding servers to a botnet, or running cryptomining software.

You are affected by this vulnerability if you run vBulletin Connect between version 5.0.0 and 5.5.4 inclusive, and have not applied the security patches:

• 5.4 Patch Level 1
• 5.3 Patch Level 1
• 5.2 Patch Level 1

Make sure you’re using a supported vBulletin server and immediately apply the patches released by vBulletin.

In addition to patching, CERT NZ recommends you take additional measures, including:

• planning for out-of-cycle patches
• engaging with vBulletin about upcoming patches
• monitoring effectiveness of patches and future bypasses
• implementing defence-in-depth processes such as web app firewalls, and any other controls relevant to your network.

Implement the patches released by vBulletin immediately.

If you are running an unsupported version, vBulletin recommends upgrading to a supported version as soon as possible.

Operating system controls such as SELinux or Apparmor could be used to mitigate the impact of an attack. When correctly implemented, these controls limit the resources that the affected process has access to.

vBulletin’s advisory for the CVE-2019-16759 vulnerability External Link