Joomla Remote Code Execution Vulnerability: CVE-2015-8562

CVE-2015-8562


Description

CVE-2015-8562 is a PHP object injection vulnerability that affects all versions of the Joomla content management system before v3.4.6. It occurs because Joomla stores the HTTP User-Agent header in the database without performing input validation, which allows an attacker to inject an object into the database. Successful exploitation allows the attacker to store malicious code (typically a backdoor) that can be executed later. According to our testing, successful exploitation also requires that the web server be running a version of PHP older than 5.4.

References

https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html
https://www.joomla.org/announcements/release-news/5641-joomla-3-4-6-released.html
https://docs.joomla.org/Security_hotfixes_for_Joomla_EOL_versions
https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html

Recommendations

  • Check your logs for indicators that an attack was performed.
  • Update to version 3.4.6.
  • If using the 1.5.x or 2.5.x branches, apply the hotfixes.

Indicators of Compromise

If you are a Joomla user, examine your logs right away. We recommend searching your logs for “JDatabaseDriverMysqli” or “O:” in the User Agent field, as these strings have been used in the exploits. If you find them, consider your Joomla site compromised and move to the remediation / incident response phase.
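One way to run that search so it matches only the User Agent field and not the request path or referer, as an added example that is not part of the original advisory. It assumes Apache/nginx combined log format; the function name `scan` and the sample lines are constructed for illustration.

```python
import re

# Indicator strings named in the advisory, matched in the User-Agent field only.
INDICATORS = ("JDatabaseDriverMysqli", "O:")

# Assumed combined log format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain backslash-escaped quotes (Apache logs " as \").
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"\s*$'
)

def scan(lines):
    """Return (line_number, ip, time, matched_indicators) per suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined format; review such lines separately
        found = [i for i in INDICATORS if i in m.group("ua")]
        if found:
            hits.append((n, m.group("ip"), m.group("time"), found))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder text only).
SAMPLE = [
    '192.0.2.10 - - [15/Dec/2015:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    r'198.51.100.7 - - [15/Dec/2015:10:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "sample O:21:\"JDatabaseDriverMysqli\" [constructed, truncated]"',
    '203.0.113.5 - - [15/Dec/2015:10:03:40 +0000] "GET /?q=O:1 HTTP/1.1" 200 5120 "-" "curl/7.40.0"',
    '198.51.100.7 - - [15/Dec/2015:10:04:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "sample O:8 [constructed]"',
]

if __name__ == "__main__":
    for n, ip, when, found in scan(SAMPLE):
        print(f"line {n}: {ip} at {when} matched {found}")
```

The third sample line carries "O:" only in the query string, so it is not reported; a plain substring search over whole lines would flag it.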

Vulnerable Versions

Versions 1.5.0 through 3.4.5

Alert Detection

The Masergy Threat Intelligence Team has currently deployed the following alerts to detect exploitation of this vulnerability.

EXP:JOOMLA-RCE

Inbound exploit attempt for a Joomla pre-auth PHP object injection vulnerability that affects all versions of Joomla before v3.4.6. Successful exploitation allows the attacker to store malicious code (typically a backdoor) that can be executed later.