An exploit has been released publicly for a pre-authentication remote code execution vulnerability in the popular forum software vBulletin Connect.
vBulletin has released a patch to mitigate this issue.
What this means
vBulletin Connect contains a command injection vulnerability in the ajax/render/widget_php routestring request. This request is available pre-authentication and allows an attacker to run shell commands at the privilege level of the vBulletin server.
CERT NZ has no current reports of exploitation. However, the publicly released proof of concept makes it trivial to begin exploiting this vulnerability.
Such an exploit would likely be used for the purpose of exfiltrating user data, adding servers to a botnet, or running cryptomining software.
What to look for
How to tell if you're at risk
You are affected by this vulnerability if you run vBulletin Connect between version 5.0.0 and 5.5.4 inclusive, and have not applied the security patches:
- 5.4 Patch Level 1
- 5.3 Patch Level 1
- 5.2 Patch Level 1
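To check whether the request named above has already reached a server, web access logs can be searched for it. The following is an added example, not code from CERT NZ or vBulletin. It assumes the Apache/nginx "combined" log format and that the route can appear either as a routestring query parameter or as a URL path; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Route named in the advisory; matched after URL-decoding and lowercasing.
ROUTE = "ajax/render/widget_php"

# Apache/nginx "combined" log format (assumed; adjust to your own format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise(uri, rounds=3):
    """Percent-decode repeatedly so %2F and %252F forms still match."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    # Lowercasing errs on the side of flagging mixed-case variants.
    return uri.lower()

def find_widget_php_requests(lines):
    """Return (ip, timestamp, method, status, uri) for requests naming the route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and ROUTE in normalise(m["uri"]):
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"]), m["uri"]))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:01:02 +1200] "GET /forum/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:01:05 +1200] "POST /index.php?routestring=ajax/render/widget_php HTTP/1.1" 200 312 "-" "curl/7.58.0"',
    '203.0.113.9 - - [01/Jan/2024:10:01:09 +1200] "POST /forum/index.php?routestring=ajax%2Frender%2Fwidget_php HTTP/1.1" 200 298 "-" "-"',
    '203.0.113.44 - - [01/Jan/2024:10:02:40 +1200] "GET /ajax/render/Widget_PHP HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:03:00 +1200] "GET /forum/search?q=widget_php HTTP/1.1" 200 840 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, method, status, uri in find_widget_php_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {method} {status} {uri}")
```

Access logs record only the request line, so a routestring sent solely in a POST body will not show up here; catching that requires request-body logging, for example at a web app firewall. A hit on an unpatched server is a reason to investigate the host, not proof of compromise.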
What to do
Make sure you’re using a supported vBulletin server and immediately apply the patches released by vBulletin.
In addition to patching, CERT NZ recommends you take additional measures, including:
- planning for out-of-cycle patches
- engaging with vBulletin about upcoming patches
- monitoring effectiveness of patches and future bypasses
- implementing defence-in-depth processes such as web app firewalls, and any other controls relevant to your network.
Implement the patches released by vBulletin immediately.
If you are running an unsupported version, vBulletin recommends upgrading to a supported version as soon as possible.
Operating system controls such as SELinux or AppArmor could be used to mitigate the impact of an attack. When correctly implemented, these controls limit the resources that the affected process has access to.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.