MS-ISAC CYBERSECURITY ADVISORIES
MS-ISAC ADVISORY NUMBER:
Multiple vulnerabilities in Joomla Could Allow Arbitrary Code Execution
Multiple vulnerabilities have been discovered in Joomla, which could result in remote code execution or SQL injection. Joomla is an open source content management system for websites. This vulnerability can be exploited by an attacker sending a maliciously crafted packet to a vulnerable server.
Successful exploitation of this vulnerability could allow for an attacker to execute arbitrary code in the context of the browser, perform SQL injection, obtain sensitive information, bypass security restrictions, or cause denial-of-service conditions.
There are reports of this vulnerability being exploited in the wild.
Joomla versions 1.5 through 3.4.6 (vulnerable to Remote Code Execution)
Joomla versions 3.0.0 through 3.4.6 (vulnerable to SQL Injection)
Large and medium government entities: High
Small government entities: High
Large and medium business entities: High
Small business entities: High
Home users: Low
A remote code execution vulnerability exists in Joomla versions 1.5 through 3.4.6 when the session deserializer calls php_var_unserialize() multiple times (CVE-2015-8566). A SQL injection vulnerability exists in Joomla! CMS versions 3.0.0 through 3.4.6 due to inadequate filtering of request data. These vulnerabilities may be exploited by a remote attacker sending a maliciously crafted packet to a vulnerable server. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code in the context of the application, obtain sensitive information, bypass security restrictions, or cause denial-of-service conditions. It is worth noting that the vulnerability exists in PHP itself and was remediated in September with the release of versions 5.4.45, 5.5.29, 5.6.13 and all iterations of version 7.
We recommend the following actions be taken:
Apply appropriate patches provided by Joomla to vulnerable Joomla 3.X systems immediately after appropriate testing.
Apply appropriate hotfixes provided by Joomla to vulnerable Joomla 1.0.0 and 2.3.0 systems immediately after appropriate testing.
Verify no unauthorized system modifications have occurred on system before applying patch.
Monitor intrusion detection systems for any signs of anomalous activity.