Exploitation is highly complex; an update is available

Aug 22, 2014 10:31 GMT

A recently discovered security flaw in the Akeeba Backup extension for the Joomla content management system (CMS) has existed for years, but it is unlikely to have been exploited because of the high complexity of the attack.

Researchers at Sucuri found that exploiting the vulnerability would allow an attacker to access and download the backup files created by the Akeeba extension. The associated risks include disclosure of database passwords and of user lists, complete with hashed passwords and password reset tokens.

According to Marc-Alexandre Montpas, who is credited with discovering the flaw, the attack is possible on versions of the extension that have the “enable front-end and remote backup” option turned on. The flaw is fixed in the latest revision of the extension.

Despite providing access to very sensitive details, the security risk for the vulnerability is low because exploiting it is very difficult. “The attack requires a very high level of sophistication, such that only an experienced cryptanalyst can understand it. This is why it went undetected and unexploited for years,” say Akeeba Backup developers.

Montpas says that the issue lies in a JSON API used to configure a remote automatic backup scheme. The API also implements encryption intended to protect backups in transit from theft on websites that lack an SSL certificate.

He explains that when an encrypted request was received, Akeeba Backup did not authenticate the user, assuming that anyone able to produce a valid encrypted JSON payload under the website’s secret key must be legitimate.

However, the researcher says that threat actors could brute-force the secret key using valid encrypted JSON payloads as a reference; once the key is known, they can communicate with the API as if they were a legitimate user.
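The defensive lesson in the two paragraphs above is that the ability to produce a decryptable payload must never be treated as proof of identity, and that the secret behind any such check has to carry enough entropy to resist brute force. The following is an added illustration written for this article, not Akeeba Backup's code and not a description of its real protocol: a hypothetical remote-backup JSON API that requires a high-entropy key, a MAC over every request, a fresh nonce and a recent timestamp.

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical remote-backup JSON API, constructed for this article. It is
# not Akeeba Backup's code and makes no claim about its actual protocol.


class RemoteBackupApi:
    """Server side: a request is accepted only if its HMAC verifies under a
    256-bit random key, its nonce is unused and its timestamp is recent.
    A well-formed (or decryptable) JSON body alone proves nothing."""

    MAX_SKEW = 300  # seconds a signed request stays valid

    def __init__(self, secret_key: bytes, now=time.time):
        # A short or human-chosen secret is exactly what brute force defeats.
        if len(secret_key) < 32:
            raise ValueError("secret key must be at least 32 random bytes")
        self.secret_key = secret_key
        self.seen_nonces = set()
        self.now = now  # injectable clock so the stale-request path is testable

    def _tag(self, body: bytes) -> str:
        return hmac.new(self.secret_key, body, hashlib.sha256).hexdigest()

    def sign(self, action: dict) -> dict:
        """Client side: wrap an action with a nonce and timestamp, then MAC it."""
        body = json.dumps({"action": action, "nonce": secrets.token_hex(16),
                           "ts": int(self.now())}, sort_keys=True).encode()
        return {"body": body.decode(), "tag": self._tag(body)}

    def handle(self, request: dict) -> tuple[bool, str]:
        body = request["body"].encode()
        # Constant-time comparison so the tag check itself leaks nothing.
        if not hmac.compare_digest(self._tag(body), request.get("tag", "")):
            return False, "rejected: bad tag"
        msg = json.loads(body)
        if abs(self.now() - msg["ts"]) > self.MAX_SKEW:
            return False, "rejected: stale timestamp"
        if msg["nonce"] in self.seen_nonces:
            return False, "rejected: replayed nonce"
        self.seen_nonces.add(msg["nonce"])
        return True, "accepted: " + msg["action"]["op"]


if __name__ == "__main__":
    api = RemoteBackupApi(secrets.token_bytes(32))
    req = api.sign({"op": "listBackups"})
    print(api.handle(req))   # accepted once
    print(api.handle(req))   # the same request replayed is rejected
```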

“Being able to communicate with the API, an attacker could also use his new capacity to bypass cryptographic protections put in place by Joomla! on password reset requests, which only works against users with administrative privileges that are not super-administrators,” writes Montpas in a blog post.

Sucuri generally releases a proof-of-concept (PoC) demonstrating exploitation of the vulnerabilities it finds, but in this case the Akeeba developers asked for a 30-day delay; technical details of the flaw will be published together with the PoC.

Users should update to the latest version of the extension to eliminate this risk, regardless of how difficult the attack is to carry out.