vBulletin 的 5.x 版本公布了嚴重的零時差預先授權遠端代碼執行弱點利用
New critical zero-day pre-auth RCE exploit code published on Full Disclosure mailing list for 5.x versions of vBulletin (CVE-2019-16759).
UPDATE 09/25/2019: The background and solution sections below have been updated to reflect the security patch issued by the vBulletin team.
A preauthentication remote code execution (RCE) zero-day exploit was recently disclosed anonymously for vBulletin 5.x. This zero-day does not seem to have followed coordinated disclosure procedures. VBulletin released a new security patch for vBulletin versions 5.5.2, 5.5.3, and 5.5.4.
Tenable Research has analyzed and confirmed that this exploit works on default configurations of vBulletin. Based on the public PoC, an unauthenticated attacker can send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands. These commands would be executed with the permissions of the user account that the vBulletin service is utilizing. Depending on the service user’s permissions, this could allow complete control of a host.
The published exploit code returns its successful execution in a JSON formatted response.
The vBulletin team has issued a patch for CVE-2019-16759 for vBulletin versions 5.5.2, 5.5.3, and 5.5.4. Users on earlier versions of vBulletin 5.x will need to update to one of the currently supported versions in order to apply the patch. VBulletin cloud users don’t need to perform any additional actions as the fix has already been applied to the cloud version.
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
加入 Tenable Community 的 Tenable 安全回應團隊。
深入瞭解 Tenable，這是用於全面管理新型攻擊破綻的首創 Cyber Exposure 平台。
Get a free 60-day trial of Tenable.io Vulnerability Management.
輸入您的電子郵件地址，以便收到最新 cyber exposure 警示。