Cloudflare Now Blocks the vBulletin RCE CVE-2019-16759 Exploit

[steven36]

This week a zero-day vBulletin remote code execution vulnerability and exploit was publicly disclosed and is being used by bad actors to attack vBulletin forums. Cloudflare has now created a special rule that will prevent this exploit from working on vBulletin sites behind Cloudflare's service.

 

 

 

 

Remote code execution vulnerabilities are the most critical as they allow attackers to execute commands, take over a site, install malware, or even distribute malware from a victim's computer and web site.  Since the vBulletin exploit was released, threat actors have been seen heavily utilizing it to hack into vBulletin servers to recruit them into a botnet or for other purposes.

 

To protect users, Cloudflare has created a new rule for their Web Application Firewall that will detect and block this exploit. This means that vBulletin sites using Cloudflare and who have their firewall enabled will not be affected by the exploit.

 

 

New Cloudflare vBulletin Rule

 

While this is a great perk of being a Cloudflare customers, it is obviously more important that affected vBulletin forums install the official patch so that that the vulnerability is properly fixed.

 

Having worked with numerous forum operators in the past, I unfortunately know that installing a patch is not always easy for administrators due to a variety of reasons. Therefore, having this extra method of protection is very useful for those who may not have FTP/shell access, but do have Cloudflare access.

 

How to enable Cloudflare's vBulletin CVE-2019-16759 protection

To use Cloudflare's new vBulletin CVE-2019-16759 protection, you need to login to your site's Cloudflare dashboard and select Firewall and then Managed Firewall.

 

When you are at the Managed Firewall page, you will see an option titled "Web Application Firewall" at the top of the page. This option should be set to On as shown below.

 

 

Web Application Firewall is Enabled

 

Now that the firewall is enabled, you need to enable the ruleset that contains the vBulletin CVE-2019-16759 protection.

 

To do that, scroll down the page until you see a section titled "Cloudflare Managed Ruleset" and towards the bottom you should see a ruleset titled "Cloudflare specials". To enable this ruleset, set the toggle to On as shown below.

 

 

Cloudflare Specials ruleset enabled

 

Now that this ruleset is enabled, you are protected from the recent vBulletin vulnerability and when an attacker attempts to exploit the vulnerability, they will be blocked.

 

 

Cloudflare blocking the exploit

 

You can monitor whether the protection blocks any attacks by going into the Overview section of the Firewall settings. Any blocked attempts will show up under the WAF service category.

You can then click on the blocked request to see the full details of what the attacker was trying to do.

 

Source