Protecting Joomla Sites Against CVE-2015-8562


Overview

Joomla’s latest update addresses a critical remote command-execution vulnerability that has been actively exploited in the wild since at least Dec. 12, 2015.

Impact

The vulnerability affects every version of Joomla from 1.5 to 3.4.5, and Sucuri reported that nearly every site they checked had been targeted when Joomla 3.4.6 was released to address the issue.

Summary

  • CVE-2015-8562 was made public Dec. 12, 2015.
  • The vulnerability allows an attacker to remotely execute commands by exploiting Joomla’s method of writing session data to its database.
  • Every version of Joomla from 1.5 to 3.4.5 is vulnerable.
  • Joomla 3.4.6 has been released to address the vulnerability, and patches have been released for unsupported versions of the software.

As first reported by Sucuri, the vulnerability allows an attacker to exploit the way session data is processed before it’s stored in the database. In several reported cases, a PHP shell installed via the exploit has been used to modify core files, with one result being unwanted email (spam) being sent from the server.

In line with Sucuri’s findings, we also noticed these attacks shortly after the updates were announced by the Joomla team. On a sample set of servers, we noted about 10 attack attempts per server by Dec. 15. As of 2 p.m. on Dec. 16, that number was more than 50 attempts per server, and likely to keep increasing as attackers continue their efforts.

Liquid Web’s Fully Managed cPanel servers include our ServerSecure package by default, and were protected against various versions of this exploit by our ModSecurity rules. While this certainly is good news, it is not a reason to put off updating your software to the latest version.

Has Your Joomla Site Been Targeted?

To check whether your site was targeted by this attack, you can search for a specific string in your domain access logs.

  • On a cPanel server, the access logs for each domain are stored in /home/accountname/logs and /home/accountname/access-logs.
  • Alternately, the most recent logs for all domains on the server should be in the directory /usr/local/apache/domlogs/.

Once you have located the relevant log files, you can use the grep command to check them. For example, this command checks for attempts to exploit the Joomla vulnerability on sites under the cPanel account joe over the last day:

egrep -H '}__|JDatabaseDriverMysql' /home/joe/access-logs/*

And this command checks for exploit attempts on any of joe’s site logs older than 24 hours, if available:

zgrep -E -H '}__|JDatabaseDriverMysql' /home/joe/logs/*

If any log entries are returned, then you’ll know your site has been targeted. Assuming that Joomla actually is installed on the targeted site, you should check for any recently updated files in the installation or scan it with a tool such as ClamAV or Linux Malware Detect (maldet).

Was Your Joomla Site Protected?

If your site was targeted and you are a Liquid Web customer, you can take the IP address(es) from the log output you found above and check them against Apache’s error_log to see whether the requests were blocked by ModSecurity. In this sample command, we’re checking the IP address 123.123.123.123:

grep 123.123.123.123 /usr/local/apache/logs/error_log

If the requests from that IP address were blocked, you will see a log entry containing something like:

[Tue Dec 15 23:20:25 2015] [error] [client 123.123.123.123] ModSecurity: Access denied ...

If the log does show that ModSecurity blocked the requests, it is likely your site could not be breached. However, regardless of the result, you should proceed with updating your site as soon as possible.
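As an added example (not part of the original article), the script below combines the two checks above: it pulls the source IPs from access-log lines carrying the indicator strings, then looks each IP up in error_log for a ModSecurity denial. The log lines and paths are constructed samples; on a real cPanel server you would pass /usr/local/apache/logs/error_log and /home/<account>/access-logs/* instead.

```shell
#!/bin/sh
# Added example, not from the original article: cross-reference access-log
# hits for the CVE-2015-8562 indicator strings with ModSecurity denials in
# Apache's error_log, and report per source IP how many attempts were seen
# and whether that IP was blocked. Paths and log lines are constructed samples.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ACCESS_LOG="$WORK/access_log"   # stands in for /home/<account>/access-logs/*
ERROR_LOG="$WORK/error_log"     # stands in for /usr/local/apache/logs/error_log

# Constructed access-log lines: two carry the indicator strings, one is benign.
cat > "$ACCESS_LOG" <<'EOF'
123.123.123.123 - - [15/Dec/2015:23:20:25 +0000] "GET / HTTP/1.1" 403 213 "-" "}__probe|JDatabaseDriverMysql"
198.51.100.7 - - [15/Dec/2015:23:21:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Dec/2015:01:02:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "}__probe"
EOF

# Constructed error_log: only the first IP was denied by ModSecurity.
cat > "$ERROR_LOG" <<'EOF'
[Tue Dec 15 23:20:25 2015] [error] [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2).
[Tue Dec 15 23:30:00 2015] [notice] caught SIGTERM, shutting down
EOF

# Usage: report_joomla_attempts <error_log> <access_log>...
# Prints "<ip> <attempts> <blocked|NOT-BLOCKED>", one line per attacking IP.
report_joomla_attempts() {
    errlog="$1"; shift
    cat -- "$@" | grep -E '}__|JDatabaseDriverMysql' | awk '{ print $1 }' \
        | sort | uniq -c | while read -r count ip; do
        if grep -F "[client $ip]" "$errlog" | grep -q 'ModSecurity: Access denied'; then
            status=blocked
        else
            status=NOT-BLOCKED   # request reached Joomla: inspect the site
        fi
        printf '%s %s %s\n' "$ip" "$count" "$status"
    done
}

report_joomla_attempts "$ERROR_LOG" "$ACCESS_LOG"
```

For the gzipped archive logs under /home/<account>/logs, decompress them with zcat into a temporary file first, since the function reads plain text.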

Resolution: Update or Patch Your Joomla Site

The process for protecting your Joomla site against the remote command-execution vulnerability depends on your Joomla version. You can check the current version by logging into your Administration panel. If the version number is not displayed at the bottom of the page in the footer, select Joomla! Update from the Components menu to see your current version.

Joomla 3 Sites Require an Update

If you have not done so already, back up your site and the site database now before proceeding, or check your automated backup solution to ensure that you have a recent backup from which you would be comfortable restoring the site if necessary.

  1. Log into your Administration panel.
  2. You should see a banner indicating that version 3.4.6 is available. If so, and if you have backed up your site and the site database, click the Update Now button to update to the latest version.
  3. On the Update page, you are reminded to ensure that your installed extensions are available for the version you’re updating to. Once you have verified that, and have confirmed that you have a backup of the working site, click Install the Update to update Joomla.
  4. Once complete, you will see a success page.
  5. Now select Joomla! Update from the Components menu to confirm that you are on version 3.4.6 (occasionally the Update Success confirmation message fails to reflect the new version).

Joomla 1.5 and 2.5 Sites Require a Patch

Users on unsupported versions are encouraged to consult their developers about migrating to Joomla 3 so that they can receive all security updates.

However, due to the nature of this exploit, Joomla has chosen to make patches available for Joomla versions 1.5 and 2.5 to address this specific issue. The patches can be downloaded directly from Joomla. Applying the patch is as simple as replacing the existing session.php file with the one included in the download.

It’s important to note that Joomla’s decision to release patches for unsupported versions of its software in this specific case is due only to the scope and impact of the current vulnerability, and does not mean that any future patches also will be released for legacy versions. Joomla continues to encourage users to migrate to the current version as soon as possible.

  1. Download the appropriate zip file for your Joomla version from Joomla and unzip it. The extracted archive contains three nested folders leading to a single file, session.php.
  2. Connect to your site via FTP, or via SFTP or SSH as the cPanel user, and navigate to libraries/joomla/session inside your site’s document root to locate the existing session.php file.
    • On a cPanel server where www.yourdomainname.com loads the main Joomla site, the file is located in the directory /home/accountusername/public_html/libraries/joomla/session.
    • On a cPanel server where www.yourdomainname.com/blog loads the main Joomla site, the file is located in the directory /home/accountusername/public_html/blog/libraries/joomla/session.
  3. Now back up the existing session.php file on your server so that it can be restored if necessary. You can do that by simply renaming the existing session.php file to something you’ll remember later (you could also give the file a “.old” extension or add a period to the beginning of the file name).
  4. To finish, upload the session.php file you downloaded from Joomla to replace the one you renamed, and check that it has the same ownership and permissions.

    Note: If you uploaded the file while connected to the server as root, the file itself will be owned by root. You may need to change its ownership and group to match the other files in the directory.

Information on CVE-2015-5154


Overview

Information on CVE-2015-5154 was made public on July 27, 2015. The vulnerability is in QEMU, a generic and open source machine emulator and virtualizer that is utilized by Xen, KVM, and other modern hypervisors / virtualization platforms.

Impact

Specifically, the flaw lies in how QEMU’s IDE subsystem handles buffer access while processing certain ATAPI commands. Exploitation can allow the execution of arbitrary code on the host with the privileges of the host’s QEMU process corresponding to the guest.

Summary

  • Made public on July 27, 2015
  • The flaw is in QEMU, a generic and open source machine emulator.
  • Allows an attacker to execute arbitrary code outside of their own virtual machine.

Resolution

A patch is available, and Liquid Web’s Heroic Support has proactively scheduled a reboot to patch all affected servers.


Reminder: Fedora 20 Now End-of-Life (EOL)

Note: This article is considered legacy documentation because Fedora 20 has reached its end-of-life support.

The Fedora Project always keeps three versions of the Fedora OS active at any given time: 1. the current release, 2. the release before the current release, and 3. a new release that is in development. Last month saw the launch of Fedora 22, and Fedora 23 is in development, so the time of Fedora 20 is over.

Fedora 20 has reached end-of-life as of June 23, 2015. This means that no additional security updates will be available from here forward.

Suggested Action

As of today, June 24, 2015, we suggest doing one of the following:

  • Upgrade to Fedora 21, or
  • Upgrade to Fedora 22.


Information on CVE-2015-3456 QEMU Vulnerability (VENOM)

Overview

VENOM, or Virtualized Environment Neglected Operations Manipulation, was made public on May 13, 2015. The vulnerability is in QEMU, a generic and open source machine emulator and virtualizer that is utilized by Xen, KVM, and other modern hypervisors / virtualization platforms.

Impact

Specifically, the flaw lies in how QEMU handles out-of-bounds memory access. Exploitation can cause the entire hypervisor to crash and may allow an attacker to access other virtual machines outside of their own.

Summary

  • Made public on May 13, 2015
  • The flaw is in QEMU, a generic and open source machine emulator.
  • Allows an attacker to access other virtual machines outside of their own.

Resolution

A patch is available, and Liquid Web’s Heroic Support has proactively scheduled a reboot to patch all affected servers.


How to Remove Cross-site Scripting Risk


The popular WordPress plugin WP Super Cache has been found to have a cross-site scripting (XSS) vulnerability in versions prior to 1.4.4. On sites with outdated versions, it is possible for an attacker to take complete control of the WordPress site. Please note: this vulnerability only affects users who have installed WP Super Cache. However, if you are unsure whether you use the plugin, you should still take precautions to protect your site.

Thankfully, this vulnerability is simple to address: version 1.4.4, available now, contains a patch.

This tutorial is very similar to our tutorial on updating any WordPress plugin: How To Update a WordPress Plugin


CVE-2015-0235 Vulnerability Info for Red Hat and CentOS


A vulnerability has been found in the glibc library, specifically a flaw affecting the gethostbyname() and gethostbyname2() function calls, that allows a remote attacker to potentially execute arbitrary code. CentOS 5, CentOS 6, and CentOS 7 are potentially affected, so we want to highlight the following information.

Liquid Web package repositories have been updated. Many servers (barring those with updates disabled) have already received an update that patches this vulnerability; however, a reboot is still required on those servers.


CVE-2014-9322 Vulnerability Info for Red Hat and CentOS


A vulnerability found in the Linux kernel, specifically a flaw in fault handling associated with the Stack Segment (SS), allows an unprivileged user to potentially gain privileges. CentOS 4, CentOS 5, CentOS 6, and CentOS 7 are potentially affected, thus we want to highlight the following information.

CVE-2014-6271 and CVE-2014-7169 Info – Bash Vulnerabilities


On September 24th, a vulnerability was reported in the GNU Bourne-Again Shell (BASh, or Bash), specifically a flaw in how Bash processes the values of environment variables, that allows remote code execution of varying types in many common configurations. The overall risk is severe because Bash is configured for use by default on most Linux servers.

While Liquid Web immediately began working to proactively patch this vulnerability, some servers may remain vulnerable depending on their update settings or other unforeseen intervening factors. Thus, we’ve provided the instructions below.

To Summarize:

  • The flaw is in Bash, a Unix command-line shell run by default on most Linux servers.
  • It allows remote code execution and many types of command-line based attacks.
  • A patch is available, and your server can be easily updated.
  • We have tutorials on How to Update Bash on Red Hat and CentOS and How to Update Bash on Debian and Ubuntu.
  • Test the vulnerability of your server with the information below.


Patch OpenSSL Against CCS Injections on Ubuntu

What is OpenSSL?

OpenSSL is a common cryptographic library which provides encryption, specifically SSL/TLS, for popular applications such as Apache (web), MySQL (database), e-mail, virtual private networks (VPNs), and more.

What is “the CCS Injection Vulnerability”?


Patch OpenSSL on CentOS Against CCS Injection


What is OpenSSL?

OpenSSL is a common cryptographic library which provides encryption, specifically SSL/TLS, for popular applications such as Apache (web), MySQL (database), e-mail, virtual private networks (VPNs), and more.

What is “the CCS Injection Vulnerability”?
