Exploit crítico de día cero de ejecución remota de código sin preautenticación publicado para las versiones 5.x de vBulletin
New critical zero-day pre-auth RCE exploit code published on Full Disclosure mailing list for 5.x versions of vBulletin (CVE-2019-16759).
UPDATE 09/25/2019: The background and solution sections below have been updated to reflect the security patch issued by the vBulletin team.
Antecedentes
A preauthentication remote code execution (RCE) zero-day exploit was recently disclosed anonymously for vBulletin 5.x. This zero-day does not seem to have followed coordinated disclosure procedures. VBulletin released a new security patch for vBulletin versions 5.5.2, 5.5.3, and 5.5.4.
Análisis
Tenable Research has analyzed and confirmed that this exploit works on default configurations of vBulletin. Based on the public PoC, an unauthenticated attacker can send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands. These commands would be executed with the permissions of the user account that the vBulletin service is utilizing. Depending on the service user’s permissions, this could allow complete control of a host.
Prueba de concepto
The published exploit code returns its successful execution in a JSON formatted response.
Solución
The vBulletin team has issued a patch for CVE-2019-16759 for vBulletin versions 5.5.2, 5.5.3, and 5.5.4. Users on earlier versions of vBulletin 5.x will need to update to one of the currently supported versions in order to apply the patch. VBulletin cloud users don’t need to perform any additional actions as the fix has already been applied to the cloud version.
Identificación de los sistemas afectados
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Obtenga más información
Únase al Equipo de respuesta de seguridad de Tenable en Tenable Community.
Obtenga más información sobre Tenable, la primera plataforma de Cyber Exposure para el control integral de la superficie de ataque moderna.
Get a free 60-day trial of Tenable.io Vulnerability Management.
Artículos relacionados
Cybersecurity Snapshot: Guide Unpacks Event-Logging Best Practices, as FAA Proposes Stronger Cyber Rules for Airplanes
August 23, 2024Looking to sharpen your team’s event logging and threat detection? A new guide offers plenty of best practices. Plus, the FAA wants airplanes to be more resilient to cyberattacks. Meanwhile, check out the critical vulnerabilities Tenable discovered in two Microsoft AI products. And get the latest on ransomware trends, vulnerability management practices and election security!
Detecting Risky Third-party Drivers on Windows Assets
August 7, 2024Kernel-mode drivers are critical yet risky components of the Windows operating system. Learn about their functionality, the dangers they pose, and how Tenable's new plugins can help identify and mitigate vulnerabilities using community-driven resources like LOLDrivers.
Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach
August 6, 2024As AI transforms industries, security remains critical. Discover the importance of a security-first approach in AI development, the risks of open-source tools, and how Tenable's solutions can help protect your systems.
Securing Financial Data in the Cloud: How Tenable Can Help
November 4, 2024Preventing data loss, complying with regulations, automating workflows and managing access are four key challenges facing financial institutions. Learn how Tenable can help.
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning