Vulnerability Notice: CVE-2015-8562

Vendor:
Joomla

Affected Product:
Joomla\!

CVSS SCORE:
9.8 of 10 (Critical)

Risk Index:
9.64 of 10 (Critical)

Description

A critical vulnerability, identified as CVE-2015-8562, has been detected in Joomla! versions 1.5.x, 2.x, and 3.x before 3.4.6. This vulnerability allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, with instances of exploitation being observed in the wild in December 2015.

 

Affected Product(s)

Joomla! CMS versions 1.5.x, 2.x, and 3.x before 3.4.6

 

Technical Details

The technical details of CVE-2015-8562 highlight a remote code execution vulnerability within Joomla\! CMS’s session handling code. This vulnerability stems from improper input sanitization of the User-Agent HTTP header, which becomes problematic when user-supplied data is stored within the database’s session table.

This vulnerability was active until Joomla\! CMS version 3.4.5, prior to the issuance of the patch in version 3.4.6. Joomla\! is a widely used open-source content management system (CMS) written in PHP. Leveraging a model-view-controller (MVC) web application framework, Joomla\! boasts various features like page caching, RSS feeds, and language internationalization, making it popular for web developers and organizations that need a stable platform for communication and engagement. The vulnerability in question arises from the inadequate filtering of HTTP headers, specifically the User-Agent header.

This input is vulnerable to serialization injection attacks. PHP object injection generally arises when unsanitized user input is fed into PHP’s `unserialize()` function, leading attackers to craft the serialized object structure with malicious data. The execution of arbitrary PHP code by attackers is made possible by crafting the serialized object to contain injected code and executing it within PHP’s context on the target host. In the realm of Joomla\!, this vulnerability is notably dangerous since it targets session data stored as PHP objects within the database.

Additionally, affected Joomla\! versions (1.5.0 to 3.4.5) housed a session handling flaw where an attacker could exploit serialized objects, causing them to morph into active PHP code. Consequently, these manipulated session objects allow attackers to execute remote code at the earliest possible opportunity during session handling by Joomla.

Several threat actors rapidly capitalized on the CVE-2015-8562 vulnerability. Its simplicity and widespread existence across various PHP versions made it highly desirable. This critical vulnerability was so significant that it allowed attackers unfettered access through simple HTTP requests deploying payloads. The complexity is further underscored by the fact that attack execution does not hinge on user authentication—a remote attacker could potentially commandeer host machines even without incurring site administrative privileges.

If Joomla\! CMS was configured with default session settings and installations kept estimated thousands of hosts exposed globally as session data for unauthenticated users is not inherently secure. This lack of a refined access control mechanism emphasizes the severity and pervasiveness of the vulnerability. Once patches became available in December 2015 (releasing Joomla\! version 3.4.6), the Joomla\! Security Strike Team (JSST) recommended users update their installations immediately.

This measure effectively mitigated exploits by substituting faulty session handling mechanisms. Nevertheless, due to already extensive dissemination, CVE-2015-8562 remained a playground for exploitation throughout this timeline. Attack vectors often opted for targeted payload delivery methodologies, using metadata frameworks like Metasploit for attack propagation, thereby exemplifying the potential for mass exploitation previously inherent in this Joomla vulnerability.

 

Weakness

Three core weaknesses converge within CVE-2015-8562:

  • Improper Input Validation (CWE-20): Joomla’s inability to adequately sanitize input within the User-Agent header permits attackers to inject input that is dangerous when unserialized within PHP contexts.
  • Improper Control of Code Generation – Code Injection (CWE-94): Input derived from external sources is poorly checked, misguiding the code execution flow through injection strategies involving serialized PHP objects.
  • Unauthenticated Code Execution: As PHP’s session object reads such input, it’s especially dangerous since authentication isn’t necessary for the code execution of the injected material.

 

Impact Assessment

If successfully exploited, CVE-2015-8562 can allow attackers to gain unauthorized control over affected CMS instances, running arbitrary PHP code as directed. An exploit of this nature equates to administrative-level access, potentially leading to a full compromise. Attackers could execute malicious code, access confidential user data, plant backdoors, or use the compromised CMS as a springboard for further attacks. This vulnerability is notably critical in environments where sensitive data is processed, potentially leading to severe data leaks or unlawful actions being carried out at the host’s expense.

 

Active Exploitation

Attackers actively exploited the vulnerability shortly after its discovery. In particular, this vulnerability drew transient attention from adversary groups specializing in web application exploitation. Thousands of Joomla\! installations around the world became susceptible, making it a lucrative vector for malicious actors. Though not universally attributed to known groups, unspecified threat actors from locations such as Iran engaged in exploitation attempts, suggesting organized exploitation campaigns leveraging CVE-2015-8562.

Threat Actors: Unspecified Group – Iran

 

Ransomware Association

The specific vulnerability CVE-2015-8562, while primarily leveraged for PHP object injection, indirectly became a foundation for broader malicious activities. Although not directly linked to popular ransomware families, the open-ended nature of remote code execution could hypothetically facilitate dropping ransomware payloads on compromised systems if attackers pivot their strategy from PHP exploitation to lateral ransomware distribution.

 

Mitigation and Resolution

Joomla\! developers promptly addressed the issue by releasing a patch within version 3.4.6 of their CMS platform. The update revised session management to incorporate necessary validations, followed by base64-encoding session data for secure handling. It is essential for administrators of Joomla\! installations to upgrade their systems to version 3.4.6 or later, ensuring all PHP instances adhere to security updates mitigating object injection attacks. Vigilance in monitoring logs for unauthenticated access attempts is recommended as a consistent maintenance practice.

 

Recommendations

  • We strongly recommend that all Joomla! users upgrade to version 3.4.6 or later to close the vulnerability.
  • Administrators should verify that their installed PHP versions are not susceptible to object injection vulnerabilities and apply security patches.
  • Regularly review session management policies to ensure robust validation and controls amidst object serialization/deserialization operations.
  • Implement and employ strict access control contexts for unauthorized access within Joomla’s CMS framework.
  • Employ intrusion detection systems to identify exploitation attempts and monitor irregular patterns within User-Agent HTTP headers.
  • Engage in risk assessments to determine potential residual vulnerabilities within unpatched Joomla components.

 

 References


View In Platform

 

Share This Post On