Welcome back to this week's Security Bulletins. As we approach the end of September there are interesting incidents that are worth checking out. Without further ado, let's dive into it.
An anonymous hacker has published a zero-day exploit for the current version of vBulletin 5, a popular forum bulletin board. A skilled attacker could exploit this vulnerability to execute malicious commands on the site, tamper with site data, or even download malware onto it. Although the exploit was only disclosed recently, it is believed to have been in use for years, and there have also been botnet attacks against vulnerable instances. The Comodo ITarian Forum was a major victim: an unknown attacker exploited the flaw and exposed the login information of more than 250,000 users. vBulletin has released a patch addressing this exploit for versions 5.5.2, 5.5.3, and 5.5.4; vBulletin versions before 5 are not affected. Considering the severity, all users are recommended to apply the patch immediately.
The SANS ISC InfoSec Forums have posted an important observation regarding Certificate Transparency (CT) logs. Entries are published to these logs whenever we purchase an SSL certificate from a Certificate Authority, which helps in detecting unauthorized certificate purchases for one of our domains. On the other side of things, this also publicly discloses the hostnames we specify in the certificate, which is a security concern, especially when those hosts are meant to be used only internally. Probably the best way to tackle this is to issue certificates for such domains from an internal CA, which does not publish to the CT logs.
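One way to act on both sides of this, as an added example that is not from the original bulletin: a small Python triage routine run over constructed CT search records for the hypothetical domain example.com, flagging certificates issued by CAs outside an allowlist and SAN names that look like internal hosts. The record shape, issuer names and internal-label patterns are assumptions, not any vendor's schema.

```python
"""Triage Certificate Transparency (CT) search results for one domain.

Two checks the CT observation motivates:
  1. a certificate for our domain issued by a CA we never use
     (possible unauthorized issuance), and
  2. SAN names that expose internal hostnames to the public CT logs.
"""
import re

# Constructed inventory for the hypothetical domain example.com.
APPROVED_ISSUERS = {"Let's Encrypt", "DigiCert"}

# Labels that usually mark hosts never meant to be reached from the internet.
# Matched as whole labels so "devices" does not trip the "dev" pattern.
INTERNAL_LABEL_RE = re.compile(
    r"(^|[.-])(internal|intranet|corp|vpn|staging|dev|test|jenkins|gitlab)([.-]|$)",
    re.IGNORECASE,
)

# Constructed sample records, shaped like a CT search API response (assumed shape).
SAMPLE_CT_RECORDS = [
    {"issuer": "Let's Encrypt", "names": ["example.com", "www.example.com"]},
    {"issuer": "Let's Encrypt", "names": ["vpn.corp.example.com", "jenkins.example.com"]},
    {"issuer": "Shady Issuer Ltd", "names": ["login.example.com"]},
]


def triage_ct_records(records, domain, approved_issuers):
    """Return (finding, hostname) tuples for records that cover `domain`."""
    findings = []
    suffix = "." + domain
    for rec in records:
        ours = [n for n in rec["names"] if n == domain or n.endswith(suffix)]
        if not ours:
            continue  # certificate is for someone else's domain
        if rec["issuer"] not in approved_issuers:
            findings.extend(("unapproved_issuer", n) for n in ours)
        for n in ours:
            # Test only the host-specific labels, not the registrable domain itself.
            host_part = "" if n == domain else n[: -len(suffix)]
            if host_part and INTERNAL_LABEL_RE.search(host_part):
                findings.append(("internal_hostname_exposed", n))
    return findings


if __name__ == "__main__":
    for finding, name in triage_ct_records(SAMPLE_CT_RECORDS, "example.com", APPROVED_ISSUERS):
        print(f"{finding}: {name}")
```

In practice the records would come from a scheduled query against a CT search service for your domain; the internal-hostname findings are the ones that argue for moving that host to an internal CA.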
Shortly after releasing patches for the previous critical vulnerability, another Remote Code Execution vulnerability affecting Exim mail servers has been discovered. It affects all versions of Exim up to the recently patched version 4.92.2. It was discovered by the Exim Development Team and has been assigned CVE-2019-16928. Further details indicate that it is a buffer overflow in the handling of the "EHLO" command, which clients use to send their hostname upon connecting: when too many characters are passed to the server as the hostname, a heap-based buffer overflow occurs. The Exim maintainers have addressed this by releasing an urgent security patch, version 4.92.3, and it should be applied as soon as possible.
There have been reports of "malvertisers" abusing a defunct WordPress plugin called Rich Reviews, used to manage reviews internally, to infect WordPress sites. It was released in 2013 by Nuanced Media and Foxy Technology and was discontinued earlier this month. The plugin still has more than 15,000 active users and is vulnerable to code injection into web pages, which is being used to accomplish malicious redirects. It is highly encouraged to remove this plugin if you have it installed.