Joomla security vulnerability - Critical 0-day Remote Command Execution Vulnerability in Joomla

New Joomla security vulnerability -> urgent update required: security alert

See Joomla Security:

"The Joomla security team have just released a new version of Joomla to patch a critical remote command execution vulnerability that affects all versions from 1.5 to 3.4.

This is a serious vulnerability that can be easily exploited and is already in the wild. If you are using Joomla, you have to update it right now.

Remote Code Execution
There is a security issue in Joomla! from Joomla 1.5 up until 3.4.5 related to remote code execution. This was followed up with some longer term fixes in Joomla 3.4.7.

If you are using the old (unsupported) versions 1.5.x and 2.5.x, you have to apply the hotfixes from here (https://docs.joomla.org/Security_hotfixes_for_Joomla_EOL_versions).

Zero day Exploits in the Wild

What is very concerning is that this vulnerability is already being exploited in the wild and has been for the last 2 days. Repeat: This has been in the wild as a 0-day for 2 days before there was a patch available.

Looking back at our logs, we detected the first exploit targeting this vulnerability:

2015 Dec 12 16:49:07 clienyhidden.access.log
Src IP: 74.3.170.33 / CAN / Alberta
74.3.170.33 - - [12/Dec/2015:16:49:40 -0500] "GET /contact/ HTTP/1.1" 403 5322 "http://google.com/" "}__test|O:21:\x22JDatabaseDriverMysqli\x22:3: ..
{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0: .. {}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:..
{s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:60:..

and:

access.log:52.32.210.122 - - [01/Feb/2016:11:09:12 +0100] "GET / HTTP/1.1" 200 7348 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:
{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:
{}s:8:\"feed_url\";s:3854:\"eval(base64_decode('JGNoZWNrID0gJF9TRVJWRV…..gkZnApOw=='));JFactory::getConfig();exit\";s:19:\
"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:
{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}\xf0\xfd\xfd\xfd"


We modified the payload so it can’t be misused, but the attackers are doing an object injection via the HTTP user agent that leads to a full remote command execution.

The wave of attacks is even bigger, with basically every site and honeypot we have being attacked. That means that probably every other Joomla site out there is being targeted as well.

Protect Your Site Now

If you are a Joomla user, check your logs right away. Look for requests from 146.0.72.83 or 74.3.170.33 or 194.28.174.106 as they were the first IP addresses to start the exploitation. I also recommend searching your logs for “JDatabaseDriverMysqli” or “O:” in the User Agent as it has been used in the exploits. If you find them, consider your Joomla site compromised and move to the remediation / incident response phase.

Note that clients behind our Website Firewall were already protected against this threat and are safe. Yes, our virtual patching for the HTTP User Agent kept our users protected against this exploit.

If you use Joomla, update ASAP!

For those on the 3.x branch, update immediately to 3.4.6.

If you need help - call us: +49 89 130 133 60
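The log check recommended above ("search your logs for JDatabaseDriverMysqli or O: in the User Agent"), worked out as an added example that is not part of the original advisory or of the quoted Sucuri post: a Python scanner over Apache combined-format access log lines. It flags any User-Agent carrying a serialized PHP object header (O:<len>:"Class"), the gadget class names seen in the payloads above, an eval/assert primitive inside the payload, and requests from the source addresses the advisory lists. One detail the advisory does not spell out: Apache escapes quotes inside log fields as \x22 or \", so the script unescapes each field before matching, and a grep for the quoted form "JDatabaseDriverMysqli" would miss hits. The lines in SAMPLE_LOG are constructed for this example, modelled on the two entries quoted above with the serialized payloads shortened; 203.0.113.7 is a documentation address.

```python
import re
from collections import namedtuple

# Source addresses the advisory names as the first exploitation sources.
KNOWN_ATTACKER_IPS = {"146.0.72.83", "74.3.170.33", "194.28.174.106"}

# Class names from the gadget chain seen in the in-the-wild User-Agent payloads.
GADGET_CLASSES = {"JDatabaseDriverMysqli", "JDatabaseDriverMysql",
                  "JSimplepieFactory", "SimplePie"}

# Apache "combined" log format. A quoted field may contain \" and \xHH escapes,
# so it is "any non-quote, non-backslash character, or a backslash escape".
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>' + QUOTED + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>' + QUOTED + r')" "(?P<ua>' + QUOTED + r')"'
)

# PHP serialized object header: O:<name length>:"<class name>"
PHP_OBJECT_RE = re.compile(r'O:\d+:"([^"]+)"')
CODE_EXEC_RE = re.compile(r'\b(?:eval|assert)\b')

Finding = namedtuple("Finding", "ip timestamp classes reasons")


def unescape_apache(field):
    # Undo Apache log escaping: \xHH -> character, \" -> ", \\ -> \
    def repl(m):
        tok = m.group(0)
        if tok[1] == "x" and len(tok) == 4:
            return chr(int(tok[2:], 16))
        return tok[1]
    return re.sub(r'\\x[0-9a-fA-F]{2}|\\.', repl, field)


def analyse_line(line):
    """Return a Finding for a suspicious line, or None for a benign/unparseable one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = unescape_apache(m.group("ua"))
    classes = PHP_OBJECT_RE.findall(ua)
    reasons = []
    if classes:
        reasons.append("php-object-in-ua")       # a serialized object never belongs in a UA
    if GADGET_CLASSES & set(classes):
        reasons.append("joomla-gadget-chain")    # the specific chain used in the wild
    if classes and CODE_EXEC_RE.search(ua):
        reasons.append("code-exec-primitive")    # eval()/assert carried in the payload
    if m.group("ip") in KNOWN_ATTACKER_IPS:
        reasons.append("known-attacker-ip")
    if not reasons:
        return None
    return Finding(m.group("ip"), m.group("ts"), classes, reasons)


def scan(lines):
    """Scan an iterable of raw access-log lines and return the suspicious ones."""
    return [f for f in map(analyse_line, lines) if f is not None]


# Constructed sample lines (not real log data), modelled on the two entries
# quoted above with the serialized payloads shortened.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Dec/2015:16:40:01 -0500] "GET / HTTP/1.1" 200 7348 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0"',
    # \x22 escaping style, as in the first quoted entry
    '74.3.170.33 - - [12/Dec/2015:16:49:40 -0500] "GET /contact/ HTTP/1.1" 403 5322 '
    '"http://google.com/" "}__test|O:21:\\x22JDatabaseDriverMysqli\\x22:3:'
    '{s:2:\\x22fc\\x22;O:17:\\x22JSimplepieFactory\\x22:0:{}}"',
    # \" escaping style plus the trailing \xf0\xfd\xfd\xfd bytes, as in the second entry
    '52.32.210.122 - - [01/Feb/2016:11:09:12 +0100] "GET / HTTP/1.1" 200 7348 "-" '
    '"}__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:8:\\"feed_url\\";s:6:\\"eval()\\";'
    's:19:\\"cache_name_function\\";s:6:\\"assert\\";}\\xf0\\xfd\\xfd\\xfd"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip} [{f.timestamp}] classes={f.classes} reasons={f.reasons}")
```

Run it against a real file with scan(open("access.log", errors="replace")); any hit with "joomla-gadget-chain" or "code-exec-primitive" should be treated as the advisory says, as a compromised site, and a hit with only "php-object-in-ua" still deserves a look, since a serialized object in a User-Agent has no benign use.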


The latest security updates

Here you will find the current security updates for the most common programs. The update table is updated regularly and extended as needed.

Online criminals exploit security vulnerabilities in popular programs in order to smuggle in adware, junkware and malware of every kind. The vendors publish security updates to close vulnerabilities that have become known.

Therefore check regularly whether your installed programs are up to date. The following table lists the latest version of each program for which security updates have recently been released. On Unix you can additionally use the tool rkhunter (Scanning for Rootkits with rkhunter), whose application-version check flags known-vulnerable versions of some common server software. LINK: http://rkhunter.sourceforge.net

Excerpt of the most important ones - as of 02.12.2015 (dates in DD.MM.YYYY)

Software                   | Version                      | Date       | Risk level       | Download
---------------------------|------------------------------|------------|------------------|------------------
Adobe AIR                  | 19.0.0.241                   | 10.11.2015 | high             | ADOBE
Adobe Acrobat Reader DC    | 2015.009.20069               | 13.10.2015 | high             | ADOBE
Chrome                     | 47.0.2526.73                 | 01.12.2015 | high             | Google
FileZilla                  | 3.14.1                       | 16.09.2015 | low              | filezilla-project
Firefox                    | 42.0                         | 03.11.2015 | high             | mozilla
Flash Player               | 19.0.0.245                   | 10.11.2015 | high             | ADOBE
Foxit Reader               | 7.2.8.1124                   | 27.11.2015 | none             | foxitsoftware
Fritz!OS                   | 6.30                         | 14.07.2015 | none             | AVM
Fritzbox-Firmware          | depends on model             | 01.02.2014 | critical         | AVM
Internet Explorer          | Patch Day November 2015      | 10.11.2015 | high             | Microsoft
IrfanView                  | 4.40                         | 31.07.2015 | none             | irfanview.com
iTunes                     | 12.3                         | 16.09.2015 | high             | Apple
Java 8 Runtime (JRE)       | Java 8 Update 65 (1.8.0_65)  | 20.10.2015 | high             | ORACLE
LibreOffice                | 5.0.3                        | 03.11.2015 | n/a              | libreoffice.org
Microsoft Office           | Patch Day November 2015      | 10.11.2015 | high             | Microsoft
Open Office                | 4.1.2                        | 28.10.2015 | high             | openoffice.org
Opera                      | 33.0.1990.115                | 17.11.2015 | none             | opera.com
Pegasus Mail               | 4.70                         | 08.03.2014 | low              | pmail.com
PHP                        | 5.6.16                       | 26.11.2015 | none             | PHP.net
Pidgin IM                  | 2.10.11                      | 23.11.2014 | low              | pidgin.im
Quicktime Player           | 7.7.8                        | 20.08.2015 | high             | Apple
RealTimes (RealPlayer)     | 18.1.2.175                   | 16.11.2015 | none             | RealTimes
Seamonkey                  | 2.39                         | 09.11.2015 | high             | SeaMonkey
Shockwave Player           | 12.2.2.172                   | 24.11.2015 | none             | ADOBE
Thunderbird                | 38.4.0                       | 25.11.2015 | n/a              | Mozilla
Trillian IM                | 5.6.0.5                      | 26.05.2015 | none             | Trillian.im
VLC Media Player           | 2.2.2                        | 06.02.2016 | high             | videolan.org
VMware Workstation Player  | 12.0.1                       | 29.10.2015 | none             | VMWare
Windows                    | Patch Day November 2015      | 10.11.2015 | high             | Microsoft
WinSCP                     | 5.7.6                        | 04.11.2015 | low              | WinSCP
Wireshark                  | 2.0.0                        | 19.11.2015 | none             | Wireshark
Xnview                     | 2.34                         | 10.09.2015 | none             | Xnview


Warning: Fake e-mails with malware

Fake e-mails are currently being sent that try to entice the domain owner into downloading a program file. This program file contains malware that installs itself on the local PC. Please inform your customers that they must never click this link.

The data used in these e-mails comes from the public WHOIS databases of the registries and registrars. Although in most cases these databases have access restrictions (query rate limits), those restrictions are circumvented by spreading large numbers of queries across different networks.

===============8<===============
Subject:  Domain Name [domain name] have been suspended
Date:  [date and time]
From:  [name of registrar]
To:  [recipient email]

Dear [name of registrant/holder],

The Domain Name [domain name] have been suspended for violation
of the [name of registrar] Abuse Policy.

Multiple warnings were sent by [name of registrar] Spam and Abuse
Department to give you an opportunity to address the complaints we have
received.

We did not receive a reply from you to these email warnings so we then
attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not
respond to our attempts to contact you.

Click here and download
<http://[malware url]/abuse.php?[domain name]>a copy of
complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,

[name of registrar]

Spam and Abuse Department
===============8<===============

ICANN Whois Accuracy Program

This specification was introduced with the RAA 2013 and is intended to make WHOIS data more reliable worldwide. For this, ICANN requires all accredited registrars to verify the e-mail address of the domain holder after a registration, transfer or data change. If the domain holder does not respond to such a verification request within 15 days, the domain must be suspended.

Existing domains and their handles are NOT affected; they are considered already "validated". We start the program on 2015-11-05 for domains under the nTLDs. For all remaining domains under the old gTLDs we start validation on 2015-12-01.

The following actions on a domain trigger the start of validation:

- Registration
- Transfer
- Change of owner data

but only if

- the owner handle (Owner-C) used has not yet been validated.

The process is completed/interrupted if

- a new owner handle (Owner-C) is registered for the domain in the meantime
- validation for another domain with the same owner handle (Owner-C) has already been completed successfully

If the domain holder does not react to the verification request right away,

- the domain holder receives a reminder e-mail every 48 hours
- the provider responsible for the domain is sent a message on the 7th, 14th and 21st day after the start of the verification (type "message")
- the domain is marked as "not verified" on the 21st day. At the moment we do not yet deactivate the domain directly at that point (contrary to the ICANN specification), but will try to resolve the process differently.

DNSSEC now available for .DE

We would like to inform you that, effective immediately and earlier than expected, we also offer the DNSSEC (Domain Name System Security Extensions) service for the .DE extension.

DNSSEC lets validating resolvers verify the authenticity and integrity of DNS responses and so prevents attacks such as cache poisoning (it does not encrypt DNS traffic).

Via our registration system we offer to deposit the key material for DNSSEC (the DS records that link a zone's signing key into the parent zone) with selected registries:

Supported TLDs:

NEW: -> .de

-> .biz
-> .ch
-> .com
-> .eu
-> .info
-> .li
-> .net
-> .org

Further information is available on our website:
