vBulletin < 5.6.2 Patch Level 1 Remote Code Execution Vulnerability

critical Web App Scanning Plugin ID 98764

Synopsis

vBulletin < 5.6.2 Patch Level 1 Remote Code Execution Vulnerability

Description

The instance of vBulletin running on the remote host is affected by a command execution vulnerability. A remote, unauthenticated attacker can exploit this issue, via a specially crafted HTTP request, to execute commands on the remote host. All versions of vBulletin prior to the 5.6.x branch are considered vulnerable.

Solution

Update to vBulletin 5.6.0 Patch Level 1, 5.6.1 Patch Level 1 or 5.6.2 Patch Level 1, according to the vBulletin version in use.

See Also

https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/

https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4422707-vbulletin-security-patch-released-versions-5-5-2-5-5-3-and-5-5-4

https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4423646-vbulletin-5-5-x-5-5-2-5-5-3-and-5-5-4-security-patch-level-2

https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch

https://seclists.org/fulldisclosure/2019/Sep/31

Plugin Details

Severity: Critical

ID: 98764

Type: remote

Published: 10/17/2019

Updated: 9/7/2021

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-16759

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2019-16759

Vulnerability Information

CPE: cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/16/2020

Vulnerability Publication Date: 9/24/2019

CISA Known Exploited Vulnerability Due Dates: 5/3/2022

Reference Information

CVE: CVE-2019-16759, CVE-2020-17496