Critical Joomla Vulnerabilities Addressed in New Security Release

Two critical Joomla vulnerabilities and a 2-factor authentication bug have been addressed this week. A new version of Joomla 3.x was released on Tuesday – Joomla! Version 3.6.4 – and users are being encouraged to upgrade at the earliest opportunity to keep their websites secure. If exploited, the vulnerabilities could allow attackers to take full control of the Joomla CMS.

The critical Joomla vulnerabilities can be exploited by attackers to create new user accounts and to elevate privileges. The vulnerabilities were identified earlier this month and affect versions 3.4.4 to 3.6.3. One of the vulnerabilities – CVE-2016-8870 – allows a new user to register on the site and obtain elevated user privileges. The vulnerability was first identified on October 18 and work on a patch started immediately. While serious, the vulnerability is not believed to have been exploited in the wild, although it will only be a matter of time before it is. One Italian researcher has developed weaponized proof-of-concept code that exploits the vulnerability, although the code has not yet been released.

The other vulnerability – CVE-2016-8869 – could be exploited to allow a user to register even when user registration has been disabled. Joomla Security Strike Team (JSST) member Davide Tampellini has worked out a way of exploiting the vulnerability.
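For administrators triaging their own sites, the two facts above that matter most are the affected version range (3.4.4 through 3.6.3, fixed in 3.6.4) and the impact (unexpected registrations and privilege escalation). The following helper, an added example that is neither from this article nor from the Joomla project, checks a version string against that range and audits a list of user records for accounts registered in a given window that hold an elevated group. The group names, the record fields and the sample accounts are assumptions constructed for the example; on a real site the records would come from the installation's user table.

```python
"""Added example (not from the NetSec.news article or the Joomla project):
a defender-side helper that (1) tells whether a Joomla 3.x version string
falls in the range the article names as affected by CVE-2016-8870 and
CVE-2016-8869 (3.4.4 through 3.6.3, fixed in 3.6.4), and (2) audits user
records for accounts registered in a given window that hold elevated groups,
the post-patch review the two bugs' impact calls for."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

AFFECTED_MIN = (3, 4, 4)
AFFECTED_MAX = (3, 6, 3)   # inclusive; 3.6.4 is the fixed release
FIXED_IN = "3.6.4"
CVES = ("CVE-2016-8870", "CVE-2016-8869")

# Assumption: the group names treated as elevated for the audit.
ELEVATED_GROUPS = {"Manager", "Administrator", "Super Users"}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '3.6.3' (optionally with a suffix such as '3.6.3-rc1') into a tuple.
    Missing components are treated as 0, so '3.6' compares as (3, 6, 0)."""
    core = version.strip().split("-")[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when the version lies within 3.4.4..3.6.3 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def advisory(version: str) -> str:
    """One-line verdict suitable for an inventory report."""
    if is_affected(version):
        return f"Joomla {version}: affected by {', '.join(CVES)}; upgrade to {FIXED_IN}"
    return f"Joomla {version}: not in the affected range"


@dataclass(frozen=True)
class UserRecord:
    """Assumed shape of one user row: name, registration time, group names."""
    username: str
    registered: datetime
    groups: frozenset[str]


def suspicious_accounts(records, since: datetime) -> list[str]:
    """Usernames registered at or after `since` that hold an elevated group.
    On a site that was exposed while unpatched, every hit deserves manual review."""
    return sorted(
        r.username
        for r in records
        if r.registered >= since and r.groups & ELEVATED_GROUPS
    )


# Constructed sample data (not real accounts) for a stand-alone run.
SAMPLE_USERS = [
    UserRecord("webmaster", datetime(2015, 3, 1), frozenset({"Super Users"})),
    UserRecord("alice", datetime(2016, 10, 20), frozenset({"Registered"})),
    UserRecord("support2", datetime(2016, 10, 22), frozenset({"Registered", "Administrator"})),
]

if __name__ == "__main__":
    for v in ("3.4.3", "3.4.4", "3.6.3", "3.6.4"):
        print(advisory(v))
    # Review accounts created since the date the first bug was reported.
    print(suspicious_accounts(SAMPLE_USERS, datetime(2016, 10, 18)))
```

The range check is deliberately inclusive at both ends because the article gives the affected range as 3.4.4 to 3.6.3 with 3.6.4 as the fix; a long-standing super user account created before the exposure window is not flagged, while a recently registered account that somehow holds an administrator group is.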

Joomla vulnerabilities are popular with hackers. Once exploits for zero-day vulnerabilities are developed, they are used extensively to take control of Joomla websites. It is therefore essential that sites are updated as soon as possible to prevent the vulnerabilities from being exploited.

According to Joomla, the latest update only addresses the two recently discovered vulnerabilities and fixes a 2FA bug that was locking administrators out of their Joomla accounts. The bug required administrators to remove 2FA protection in order to regain access to their CMS. No other changes have been made in the latest release.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news