Vulnerability and zero-day exploit targeting vBulletin forum software

3:35pm, 26 September 2019

TLP Rating: Clear

CERT NZ is aware of a critical vulnerability in the forum software vBulletin Connect. The vulnerability, CVE-2019-16759, is remotely exploitable without authentication. Researchers have released a proof-of-concept exploit.

vBulletin has released security patches to mitigate this vulnerability. CERT NZ recommends patching installations and inspecting servers for signs of compromise.

What's happening

Systems affected

An exploit has been released publicly for a pre-authentication remote code execution vulnerability in the popular forum software vBulletin Connect.

vBulletin has released a patch to mitigate this issue.

What this means

vBulletin Connect contains a command injection vulnerability in its handling of the ajax/render/widget_php routestring request. This request is available pre-authentication and would allow an attacker to run shell commands at the privilege level of the vBulletin server.

CERT NZ has no current reports of exploitation. However, the publicly released proof of concept makes it trivial to begin exploiting this vulnerability.

Such an exploit would likely be used for the purpose of exfiltrating user data, adding servers to a botnet, or running cryptomining software.

What to look for

How to tell if you're at risk

You are affected by this vulnerability if you run vBulletin Connect between version 5.0.0 and 5.5.4 inclusive, and have not applied the security patches:

  • 5.4 Patch Level 1
  • 5.3 Patch Level 1
  • 5.2 Patch Level 1
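
When inspecting a server for signs of compromise, one starting point is to search web access logs for requests that name the ajax/render/widget_php route. The script below is an added example, not code from CERT NZ or vBulletin; it assumes Apache/nginx "combined" format logs, and the sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# The route named in this advisory, matched after URL-decoding.
ROUTE = re.compile(r"ajax[/\\]+render[/\\]+widget_php", re.IGNORECASE)

# Apache/nginx "combined" log format (assumption; adjust for your server).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def decode(target, rounds=3):
    """URL-decode repeatedly so %2F and double-encoded %252F forms are normalised."""
    for _ in range(rounds):
        nxt = unquote(target)
        if nxt == target:
            break
        target = nxt
    return target

def find_widget_php_requests(lines):
    """Return (ip, timestamp, method, status, target) for requests naming the route."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if m and ROUTE.search(decode(m["target"])):
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"]), m["target"]))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [25/Sep/2019:02:11:09 +1200] "GET /forum/index.php?routestring=ajax/render/widget_php HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    '203.0.113.20 - - [25/Sep/2019:02:12:40 +1200] "POST /forum/ajax/render/widget_php HTTP/1.1" 200 87 "-" "python-requests/2.22.0"',
    '198.51.100.7 - - [25/Sep/2019:02:13:02 +1200] "GET /forum/?routestring=ajax%252Frender%252Fwidget_php HTTP/1.1" 200 90 "-" "-"',
    '192.0.2.44 - - [25/Sep/2019:02:14:55 +1200] "GET /forum/forum/general-discussion HTTP/1.1" 200 4301 "-" "Mozilla/5.0"',
    # Route not visible in the request line, so this line is not flagged.
    '192.0.2.44 - - [25/Sep/2019:02:15:10 +1200] "POST /forum/index.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_widget_php_requests(SAMPLE):
        print(*hit, sep="  ")
```

Access logs in this format record only the request line, so a request that carries the route in its body will not be found this way. Treat an empty result as inconclusive and any hit on an unpatched server as a reason for a fuller investigation.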

What to do

Prevention

Make sure you’re using a supported vBulletin server and immediately apply the patches released by vBulletin.

In addition to patching, CERT NZ recommends you take additional measures, including:

  • planning for out-of-cycle patches
  • engaging with vBulletin about upcoming patches
  • monitoring effectiveness of patches and future bypasses
  • implementing defence-in-depth processes such as web app firewalls, and any other controls relevant to your network.

Mitigation

Implement the patches released by vBulletin immediately.

If you are running an unsupported version, vBulletin recommends upgrading to a supported version as soon as possible.

Operating system controls such as SELinux or AppArmor could be used to mitigate the impact of an attack. When correctly implemented, these controls limit the resources that the affected process has access to.

vBulletin’s advisory for the CVE-2019-16759 vulnerability

More information

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384.