An unidentified hacker published zero-day vulnerability in vBulletin forum software package
On Tuesday, a critical vBulletin zero-day flaw was published by an anonymous hacker and remains unpatched. If exploited, the bug would allow attackers to perform remote code execution – it also does not require any authentication to do so.
vBulletin is a PHP-based forum software package released in 2000 by MH Sub I and LLC. According to news sources, 0.1% of all existing websites (around 100,000) are using the particular vBulletin forum and affects billions of Internet users worldwide. The company also has customers from global organizations such as NASA, Sony, Steam, BodyBuilding.com, which might also be put at risk if the flaw is not taken care of on time.
Since the anonymous hacker addressed the unpatched flaw and revealed all details related to the exploit code, cybersecurity researchers are concerned that this zero-day might affect tens of thousands of users. If this happens, hacking attempts might be launched in order to steal private user data and use command injection feature.
The affected 5.0.0 – 5.5.4 vBulletin versions are run by a minority of users
Security experts claim that the zero-day vulnerability is active on vBulletin versions from 5.0.0 to 5.5.4, which currently is the latest variant of the software package. The biggest concern is not that bad actors can access the vulnerable machines remotely but the fact that anyone can misuse the vulnerability without any authentication process. The bug grants permission to launch specific PowerShell commands remotely on a particular server that has an active vBulletin installation.
The founder of this flaw has also released an exploit programmed via Python language as a proof-of-concept to provide evidence of the existing problem. More details regarding this zero-day vulnerability can be discovered in the Full Disclosure web page. Additionally, a GitHub user also posted a simple script that would allow anyone to scan the internet for vulnerable targets and even make the hacking process automated.
Ironically (but fortunately), most of the vBulletin users do not use the most recent software versions, and only 6.4% are affected by the flaw, as stated by HackerOne's technical program manager Prash Somaiya.
Because the flaw remains unpatched, no CVE (Common Vulnerabilities and Exposures) number is yet provided for it.
Hacker's identity remains a mystery
There have been some speculations related to the addressing process of the zero-day flaw. The proof-of-concept was posted online for everybody to see before the developers of vBulletin software managed to patch the vulnerability to stop it from being exploited.
According to speculations, the Internet Brands (the company behind vBulletin software) might have failed to discover the vulnerability on time and wanted to make it look as less obvious as possible. It might also be that the anonymous hacker approached the company in order for them to patch the RCE flaw, but was declined the bounty. A similar case happened with Valve just last month when independent researchers disclosed (a non-critical) vulnerability affecting the Steam platform and were declined the reward.
However, these are just speculations, as vBulletin developers remain silent for now, and no official advisory about the case was released so far. Besides, the hacker might have had ulterior motives, such as ruining the reputation of vBulletin and making customers buying other applications instead.
Hopefully, vBulletin will react to the vulnerability as soon as possible, as 100,000 users are at risk of suffering a cyberattack.