This week a vulnerability and approach to the execution of remote software in zero-day vBulletin has been openly exposed and used by poor performers to attack vBulletin forums. Cloudflare now has a unique rule in place to stop this exploit from operating behind Cloudflare’s service on vBulletin locations.
The vulnerabilities in remote code implementation are the most critical since they enable an attacker to execute commands, take over a site, install malware or even distribute malware from a victim’s website or computer. Since the vBulletin exploit was released, threats were strongly used to hack vBulletin servers to recruit them into a botnet or for other purposes.
To protect users Cloudflare has developed a fresh rule that will detect and block this exploit for your Web Application Firewall. This implies that vBulletin sites that use Cloudflare and have their firewall activated are not impacted by the operation.
New Cloudflare vBulletin Rule
While this is a great advantage to be a Cloudflare customer, it is obviously more important to have the official patch installed in the affected vBulletin fora in order to correct the vulnerability.
Unfortunately, having worked with many forum operators in the past, I know that installing a patch is for administrators not always easy due to a range of reasons. This additional security technique is therefore very helpful for those who may not have access to FTP / shell but have Cloudflare access.
How to enable protection of Cloudflare’s vBulletin CVE-2019-16759
You must login to the Cloudflare dashboard on your site and select Firewall, then Managed Firewall, to use the latest vBulletin CVE-2019-16759 security.
You will see an option at the top of the web application firewall when you are on the Managed Firewall page. As shown below, this option should be put to On.
Web Application Firewall is Enabled
Now that the firewall is activated, the ruleset containing the vBulletin CVE-2019-16759 protection is activated.
To do this, scroll down the page to a chapter called “Cloudflare Managed Rules” and to the bottom of the page you should see the “Cloudflare Space” rulebook. Set the toggle to On to allow this ruleset as shown below.
Cloudflare Specials ruleset enabled
Now that this set of rules is enabled, you are protected from the recent vBulletin vulnerability and blocked if an attacker tries to take advantage of the vulnerability.
Cloudflare blocking the exploit
You can check if the security blocks assaults by going to the Firewall Settings Overview section. Any efforts blocked will appear in the category of WAF service.
Click on the blocked request to see the complete information of what the attacker tried to do.