Alert Logic® is actively researching an unauthenticated remote code execution vulnerability that has been discovered in vBulletin – CVE-2019-16759. This vector allows attackers to remotely control victim hosts and execute code, install persistence, and laterally move throughout the network. Exploit code has been released into the public domain, and we have observed active attacks against our customers using this vulnerability.
Customers running versions up to and including 5.5.4 of vBulletin may be affected by this vulnerability. vBulletin has released a patch to mitigate the attack. For more information, refer to the Recommendations for Mitigation section in this article.
This article will be updated with new information as Alert Logic continues to investigate this vulnerability. To be alerted to updates about this vulnerability, sign in to the Support Center with your Alert Logic product credentials and click FOLLOW at the top of this article. As updates are made to the article with new information about Alert Logic coverage and mitigation recommendations, you will be alerted by email.
Vulnerability Description
CVE-2019-16759 allows unauthenticated, remote attackers to send specially crafted HTTP POST requests to vulnerable vBulletin hosts and execute commands. The vulnerability has been confirmed by many security researchers and is being actively exploited by attackers.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic has developed vulnerability scan coverage to identify vulnerable assets.
Network IDS: Alert Logic has developed specific IDS signatures to enable efficient monitoring by the Alert Logic Security Operations Center.
Web Application: Alert Logic web application coverage will detect attacks targeted at exploiting CVE-2019-16759. If the Alert Logic inline web application firewall is in Protect mode, it will also block these attacks.
Log Management: At this time, it is not expected that log detection is appropriate for this threat; however, Alert Logic will continue this assessment.
Recommendations for Mitigation
CVE-2019-16759 may affect vBulletin versions up to and including 5.5.4. vBulletin has released a patch for CVE-2019-16759 for versions 5.5.2, 5.5.3, and 5.5.4. To download and learn more about the patch, refer to vBulletin's patch announcement. If you are using a version of vBulletin 5 Connect prior to 5.5.2, vBulletin recommends that you upgrade as soon as possible to mitigate this vulnerability.
Updates
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click the FOLLOW button at the top of the article. You must be signed into the Support Center using your Alert Logic product credentials to follow this article.
09/25/19: Alert Logic has released specific IDS signatures to enable efficient monitoring by the Alert Logic Security Operations Center.
09/25/19: vBulletin has released a patch for CVE-2019-16759 for versions 5.5.2, 5.5.3, and 5.5.4. To download and learn more about the patch, refer to vBulletin's patch announcement. If you are using a version of vBulletin 5 Connect prior to 5.5.2, vBulletin recommends that you upgrade as soon as possible to mitigate this vulnerability.
09/25/19: Vulnerability scan coverage is now available to identify vulnerable assets.
Comments
On September 25, 2019, Alert Logic released specific IDS signatures to enable more efficient monitoring of CVE-2019-16759 by the Alert Logic Security Operations Center.
Also on September 25, vBulletin released a patch for versions 5.5.2, 5.5.3, and 5.5.4. To download and learn more about the patch, refer to vBulletin's patch announcement. If you are using a version of vBulletin 5 Connect prior to 5.5.2, vBulletin recommends that you upgrade as soon as possible to mitigate this vulnerability.
Vulnerability scan coverage was released on September 25, 2019, to identify vulnerable assets.