Attackers don't waste any time: they started looking for vulnerable sites as soon as the vulnerability was revealed

Dec 30, 2015 09:38 GMT

Attackers are taking advantage of the latest Joomla vulnerability (CVE-2015-8562), launching around 16,600 attacks per day, sometimes over 20,000, in attempts to take over vulnerable websites.

On December 14, the Joomla project released version 3.4.6 to fix a security flaw in their CMS (Content Management System) that allowed attackers to take full control over affected websites.

Attackers can take control over vulnerable Joomla sites

The vulnerability affected all versions of the Joomla CMS, going back even to the 1.5.x branch, which was developed years ago and is now at end-of-life (EOL).

Despite this, Joomla's security staff issued a new version, and security patches for older installations, to help webmasters protect their sites against a hostile takeover.

The problem was caused by how the CMS handles user agent strings. As in most such cases, the string was not properly filtered for malicious content, which allowed attackers to insert malicious code that would get executed in the CMS' backend.

An investigation by Sucuri spearheaded efforts to understand how the flaw worked, but the Joomla team later discovered that the problem ran deeper, being caused in part by a bug in PHP itself.

Joomla vulnerability is present only on some PHP versions

The problem stemmed from a use-after-free vulnerability in PHP's session deserializer, patched by the PHP team in September 2015 with the releases of PHP 5.4.45, 5.5.29, and 5.6.13. The newer PHP 7 came with this issue patched by default, and the PHP team also back-ported the fix to some Linux LTS versions of PHP 5.3.

As the Joomla team later described, the only Joomla CMS sites affected by CVE-2015-8562 are those hosted on vulnerable versions of PHP (CVE-2015-6835). The Joomla project released version 3.4.7 on December 21 to further address the issue and allow the CMS to cope with it on vulnerable PHP versions.
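The version conditions above can be turned into a quick inventory triage. The following Python sketch is an added example, not code from Joomla, PHP, or Symantec; the status labels, function names, and sample inventory are constructed for illustration, and only the version numbers come from the article.

```python
import re

# Fixed PHP releases per branch, as listed in the article (CVE-2015-6835).
PHP_FIXED = {(5, 4): 45, (5, 5): 29, (5, 6): 13}
JOOMLA_FIXED = (3, 4, 6)     # release that fixed CVE-2015-8562
JOOMLA_HARDENED = (3, 4, 7)  # release that also copes with vulnerable PHP

def parse_version(text):
    """Return the leading x.y[.z] of a version string as a tuple of ints."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())

def php_status(php):
    """Classify a PHP version by its upstream version number."""
    major, minor, patch = parse_version(php)
    if major >= 7:
        return "fixed"
    if (major, minor) in PHP_FIXED:
        return "fixed" if patch >= PHP_FIXED[(major, minor)] else "vulnerable"
    # 5.3 was fixed only in some Linux LTS packages; other branches are not
    # covered by the article, so the number alone decides nothing here.
    return "unknown"

def triage(joomla, php):
    """Hypothetical labels: exposed, verify-php, update-joomla, ok."""
    j, p = parse_version(joomla), php_status(php)
    if j >= JOOMLA_HARDENED or (j >= JOOMLA_FIXED and p == "fixed"):
        return "ok"
    if j >= JOOMLA_FIXED:
        return "update-joomla"  # 3.4.6 on a PHP that is not known to be fixed
    # Below 3.4.6. Caveat: hotfixes issued for older installations do not
    # change the version number, so confirm patch state on 1.5.x/2.5.x sites.
    if p == "vulnerable":
        return "exposed"
    return "verify-php" if p == "unknown" else "update-joomla"

# Constructed sample inventory: (site, Joomla version, PHP version).
INVENTORY = [
    ("shop.example", "3.4.5", "5.5.28"),
    ("legacy.example", "1.5.26", "5.3.10-1ubuntu3.26"),
    ("blog.example", "3.4.6", "5.4.44"),
    ("news.example", "3.4.7", "5.6.12"),
]

def triage_inventory(rows):
    return {site: triage(joomla, php) for site, joomla, php in rows}

if __name__ == "__main__":
    for site, verdict in triage_inventory(INVENTORY).items():
        print(site, verdict)
```

A site reported as `verify-php` needs its distribution's package changelog checked for the back-ported fix, since the version string alone cannot confirm it.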

This hasn't stopped attackers, though. "Since the Joomla! RCE vulnerability was discovered, servers running vulnerable versions of the CMS are actively being scanned for and attacked," Symantec's Himanshu Anand notes. Since exploiting the flaw on a vulnerable Joomla site leads to total site compromise, attackers aren't expected to ease up anytime soon.

Daily attacks on vulnerable Joomla sites