=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN089
_____________________________________________________________________

DATE                      : 25/03/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running vBulletin.

======================================================================
http://www.vbulletin.com/forum/showthread.php?346486-Security-Fix-Releases-3.7.7-and-4.0.2-PL-2
______________________________________________________________________


Security Fix Releases 3.7.7 and 4.0.2 PL 2

    The vBulletin development team has identified a potential issue
with the strength of password encryption in vBulletin and we are
implementing a patch to address this issue.

    In certain rare cases, hackers can exploit a non-vBulletin vector
(such as a bad plug-in) to access the vBulletin password database and
attempt to decrypt administrator and user passwords.

    In the cases we have investigated, if hackers are able to
successfully exploit the password database, they focus on administrator
usernames and passwords. Since many administrators work on multiple
vBulletin sites, the hackers then search all vBulletin sites for a
particular administrator username and attempt to log in with the
corresponding password. They then access user tables and attempt
to repeat the process across multiple vBulletin sites and cause
widespread disruptions.

    The patch changes the way password hashes are generated to
prevent some methods of determining the password from the hash from
working. Note that the new hashes are only generated when a password
is changed. Therefore, we strongly advise changing all admin passwords
immediately once the patch is applied. It is also strongly recommended
that all users change their passwords as well.

    To protect yourself from the vulnerability, you need to do
the following:

    If you are running VB 3.7.x, upgrade to version 3.7.7
    If you are running VB 3.8.x upgrade to version 3.8.5
    If you are running VB 4 version 4.0 or 4.0.1, upgrade to 4.0.2 PL 2

    If you are running VB version 4.0.2 or 4.0.2 PL 1, the process is a
little different.
    1) Download the 4.0.2 PL 2 patch files.
    2) Set your site to be offline.
    3) Upload the patch files to your vBulletin directory.
    4) Run the url http://your.site.com/vBdirectory/install/upgrade_402_salt.php
    5) Set your site to be online.

    Note: If a user changes their password after the patch is uploaded,
but before upgrade_402_salt.php has been run, they will be unable to log in.
The password will need to be reset after upgrade_402_salt.php has been run.
Setting the site to be offline while the patch is applied will prevent
users from changing their passwords during this interval.

    The patch will not prevent all methods of obtaining the passwords
from the hashes. Passwords that are weak or otherwise easily guessed
can still be obtained. You should observe basic rules for password
generation:

    1) A minimum of 6 characters, with more being better
    2) Use upper case, lower case, numbers, and punctuation characters
in your password
    3) Avoid words found in dictionaries, as these are often used to
guess passwords

    It is also strongly recommended that administrators who use the same
username across multiple sites use different passwords for each site
they log in to, because if the site you reuse a password on isn’t secure,
the security of your site is still compromised.


    The 4.0.2 PL 2 patch also fixes the XSS bug on the search pages.
This bug does not exist in vBulletin 3.

    Kevin
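The note above stresses that new hashes are only generated when a password is changed, which is why every admin must rotate their password after patching. The following added example (not vBulletin's code; the note does not describe the real hash algorithm, so the two hash functions, the salt lengths and the user records are hypothetical stand-ins) shows why a stored hash cannot be upgraded without the plaintext, and gives an audit helper an administrator can use to list accounts still on the legacy format:

```python
# Added example, not vBulletin's code. The legacy/new schemes below only
# mirror the idea of "same construction, much longer salt"; they are assumptions.
import hashlib
import hmac
import secrets

LEGACY_SALT_LEN = 3   # assumption: short salt in the legacy scheme
NEW_SALT_LEN = 30     # assumption: longer salt in the new scheme


def _salted_md5(password: str, salt: str) -> str:
    # Hypothetical construction shared by both schemes: MD5 over
    # MD5(password) concatenated with the salt. Strength comes from salt length.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def verify(record: dict, password: str) -> bool:
    # Works for either scheme; constant-time compare against the stored hash.
    return hmac.compare_digest(_salted_md5(password, record["salt"]), record["hash"])


def set_password(record: dict, password: str) -> None:
    # The only moment the plaintext exists server-side: mint a fresh long salt
    # and store a new-scheme hash. Until this runs, the old hash stays as is,
    # because the old hash alone cannot be converted to the new format.
    salt = secrets.token_hex(NEW_SALT_LEN // 2)   # 30 hex characters
    record.update(scheme="new", salt=salt, hash=_salted_md5(password, salt))


def accounts_on_legacy_scheme(users: dict) -> list:
    # Audit helper: every name returned still needs a password change
    # before its stored hash is in the new format.
    return sorted(name for name, rec in users.items() if rec["scheme"] == "legacy")


def build_sample_db() -> dict:
    # Constructed sample data: two accounts still hashed under the legacy scheme.
    users = {}
    for name, pw in [("admin", "Tr0ub4dor&3"), ("alice", "password1")]:
        salt = secrets.token_hex(2)[:LEGACY_SALT_LEN]
        users[name] = {"scheme": "legacy", "salt": salt, "hash": _salted_md5(pw, salt)}
    return users


if __name__ == "__main__":
    db = build_sample_db()
    print("still legacy:", accounts_on_legacy_scheme(db))
    set_password(db["admin"], "correct horse battery staple")
    print("after admin rotation:", accounts_on_legacy_scheme(db))
```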


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================

