vBulletin zero-day exploited in the wild in wake of exploit release
An anonymous bug hunter has released a working and elegantly simple exploit for a pre-authentication remote code execution flaw (CVE-2019-16759) affecting vBulletin and it didn’t take long for attackers to start using it.
vBulletin is the most popular internet forum software in use today.
W3Techs says that around 0.1% of all internet sites run a vBulletin forum, though only 6.4% of these use vulnerable 5.x versions.
MH Sub I, the company that develops vBulletin, claims that there are over 100,000 sites built on the forum software. Among its customers are EA, Sony Pictures, Steam, NASA, Zynga, and many others.
Many dark web forums that serve as markets for illicit services are also based on vBulletin.
About the vulnerability (CVE-2019-16759)
CVE-2019-16759 affects vBulletin versions 5.0.0 to 5.5.4. The release of the exploit has apparently caught the company developing the software unawares: they have yet to comment on the situation or push out a fix.
The flaw allows unauthenticated, remote attackers to send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands.
“These commands would be executed with the permissions of the user account that the vBulletin service is utilizing. Depending on the service user’s permissions, this could allow complete control of a host,” Tenable researcher Ryan Seguin noted.
Though the vBulletin team has still not acknowledged the existence of the vulnerability, the effectiveness of the exploit has been confirmed by many security researchers.
Some members of vBulletin’s own online forums have called on the team to release an out-of-band patch as soon as possible, and warned about ongoing attacks exploiting the flaw.
According to one of the users, attackers are trying to install PHP web shells on vulnerable servers.
What to do?
While users are waiting for an official patch and/or mitigation advice from the vBulletin team, they can try implementing a tentative patch provided by Nick Cano, Senior Architect at Cylance, with the caveat that it might break some functionality.
Alternatively, they could temporarily take down their forums or mitigate exploitation risk by putting them behind a web application firewall.
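An added example to go with the advice above (it is not code from the article, from vBulletin, or from Nick Cano's patch): a small Python triage script that checks whether a vBulletin version string falls inside the affected 5.0.0 to 5.5.4 range the article names, and flags web-server requests shaped like the public exploit. The request pattern it matches, a POST (or query string) that routes to ajax/render/widget_php and supplies a client-controlled widgetConfig[code] parameter, is taken from the publicly released proof of concept rather than from this article and should be treated as an assumption of the example; the sample requests are constructed. It is a log-review aid for deciding whether a forum has already been hit, not a substitute for the vendor fix or a WAF.

```python
"""Triage helpers for CVE-2019-16759 (added example, not vBulletin's code).

Assumptions (not stated in the article): the public PoC sends a request that
routes to ajax/render/widget_php and carries PHP source in widgetConfig[code].
"""
import re
from urllib.parse import parse_qs, urlencode

# Affected range exactly as the article states it.
AFFECTED_MIN = (5, 0, 0)
AFFECTED_MAX = (5, 5, 4)

# Assumed exploit indicators (from the public PoC, not from the article).
WIDGET_ROUTE = "ajax/render/widget_php"
CODE_PARAM = "widgetConfig[code]"
# PHP calls an attacker would typically place in widgetConfig[code]; \b keeps
# "exec" from matching inside "shell_exec".
PHP_CALL_RE = re.compile(
    r"\b(shell_exec|system|exec|passthru|popen|proc_open|eval|assert"
    r"|file_put_contents|base64_decode|phpinfo)\s*\("
)


def parse_version(version: str) -> tuple:
    """Turn '5.5.4' (optionally followed by text) into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised vBulletin version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version lies in the 5.0.0 - 5.5.4 range named in the article."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def classify_request(path: str, body: str):
    """Return None for ordinary traffic, or a dict describing the exploit match.

    Parameters are taken from both the URL-encoded body and the query string,
    because vBulletin reads routestring from either.
    """
    params = parse_qs(body, keep_blank_values=True)
    if "?" in path:
        path, _, query = path.partition("?")
        for key, values in parse_qs(query, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)

    code_values = params.get(CODE_PARAM, [])
    if not code_values:
        # A client never legitimately supplies widgetConfig[code]; without it
        # there is nothing for widget_php to evaluate.
        return None

    routes = params.get("routestring", [])
    to_widget_php = WIDGET_ROUTE in path or any(WIDGET_ROUTE in r for r in routes)
    calls = sorted({c for v in code_values for c in PHP_CALL_RE.findall(v)})
    return {"widget_php_route": to_widget_php, "php_calls": calls}


# Constructed sample requests (method, path, body); not real log data.
SAMPLE_REQUESTS = [
    ("POST", "/login/login", urlencode({"username": "alice", "password": "hunter2"})),
    # Shape of the public PoC: route to widget_php, run a shell command.
    ("POST", "/", urlencode({"routestring": WIDGET_ROUTE,
                             "widgetConfig[code]": "echo shell_exec('id'); exit;"})),
    # Web-shell drop via the same renderer, addressed by path instead of routestring.
    ("POST", "/ajax/render/widget_php",
     urlencode({"widgetConfig[code]":
                "file_put_contents('shell.php', '<?php system($_GET[c]); ?>');"})),
    # Legitimate ajax render of a different widget: must not trigger.
    ("POST", "/", urlencode({"routestring": "ajax/render/widget_search", "widgetid": "5"})),
    # Same parameters passed in the query string of a GET.
    ("GET", "/index.php?routestring=ajax%2Frender%2Fwidget_php"
            "&widgetConfig%5Bcode%5D=phpinfo%28%29%3B", ""),
]


def scan(requests):
    """Return (index, method, verdict) for every request that matches."""
    findings = []
    for idx, (method, path, body) in enumerate(requests):
        verdict = classify_request(path, body)
        if verdict:
            findings.append((idx, method, verdict))
    return findings


if __name__ == "__main__":
    for version in ("4.2.5", "5.0.0", "5.5.4", "5.5.5"):
        print(f"vBulletin {version}: affected={is_affected(version)}")
    for idx, method, verdict in scan(SAMPLE_REQUESTS):
        print(f"request {idx} ({method}): {verdict}")
```

To use it against real traffic, feed `classify_request` the request path and raw POST body from your access or WAF logs; any hit on widgetConfig[code] is worth an incident review, and a hit that also names file_put_contents or base64_decode is the web-shell installation the forum users reported, so check the document root for newly written PHP files.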
UPDATE (October 1, 2019, 5:40 a.m. PT): Attackers have exploited CVE-2019-16759 to access the user database of some of Comodo’s online forums.