For almost a decade, a critical remote command execution vulnerability has existed in Joomla; versions 1.5 through 3.4.5 are affected by CVE-2015-8562. According to Ars Technica, while Joomla security teams patched the vulnerability within two days, the bug was already being exploited in the wild on IP addresses 220.127.116.11, 18.104.22.168 and 22.214.171.124. In addition, any events using either “JDatabaseDriverMysqli” or “O:” in the user agent were likely attack vectors.
So what’s the big risk here? CVE-2015-8562 leverages an issue with poor filtering when Joomla saves browser session values. As detailed by Sucuri, exploiting this flaw and combining it with the result of MySQL meeting a UTF-8 character that isn’t supported by uft8_general_ci — which causes data truncation from a specific value — it’s possible to launch an attack that could fully compromise servers. Cybercriminals then use the servers as malware hosts or sell access to them for a fee on the Dark Web.
Given the relative simplicity of the flaw and the substantial impact if exploited, its no wonder attackers were eager to jump on the problem in the wild. In an effort to determine which servers are still vulnerable, cybercriminals have been swinging for the fences, sending out HTTP requests and analyzing the responses of phpinfo() and eval(chr()) functions to find likely targets. The result? Symantec clocked a high point of more than 20,000 attempts in a single day, with day-to-day averages hovering around 16,000 hits, according to SecurityWeek.
It makes sense that cybercriminals would be working overtime trying to exploit the vulnerability. While WordPress still dominates the CMS marketplace, Joomla holds a solid second place with over 550,000 Web pages using the open-source service, including Linux.com, The Hill online newspaper and Harvard University. Full access to any of these servers would let malicious actors wreak havoc; Malware distribution, DDoS attacks and stolen data are all potential outcomes.
The takeaway here? Even with Joomla security on the ball, there’s no guarantee that existing code flaws won’t crop up and cause problems for big companies. The solution? Active monitoring for starters — just because an application, CMS or cloud-based service seems secure, that’s no reason to turn a blind eye if odd behaviors start to emerge. Immediate patching is also critical. Within two days, Joomla rolled out version 3.4.6 and closed the security hole but in the time hits were already skyrocketing. Two more days and 32,000 attacks could slip through. A week? More than 110,000.
It’s simple: Attackers love vulnerabilities. Existing problems continue to emerge, even in well-used and thoroughly tested software. No protection is perfect, but dodging the hacker haymaker requires constant vigilance — and immediate updating.