Discourse – the ultra-popular, widely deployed open-source community forum & mailing list management platform – has a critical remote code-execution (RCE) bug that was fixed in an urgent update on Fri.
The patch, urgently rushed out on Fri., is an emergency fix for the widely deployed platform, whose No. 1 most trafficked site is Amazon’s Seller Central.
CVSS Severity Score
Tracked as CVE-2021-41163, the flaw is found in Discourse versions 2.7.8 & earlier. It is rated with a top CVSS severity score of 10 & should be considered an emergency fix.
Discourse is widely used & wildly popular, being known for topping competing forum software platforms in terms of usability. It offers features that have been popularised by social-media networks, such as infinite scrolling, live updates, drag-&-drop attachments & more.
Patched Versions
According to market-share & web-usage statistics, the top website using Discourse is sellercentral.amazon.com, which sees a deluge of 30m monthly users. Discourse is also used to run the community forum for the popular radio show Car Talk.
Given Discourse’s widespread use, the US Cybersecurity & Infrastructure Agency (CISA) on Sun. urged developers to either update to patched versions 2.7.9 or later to fix the bug or to apply the necessary workarounds.
The exploit can be triggered by an attacker who sends a maliciously crafted request that can lead to RCE due to a lack of validation in subscribe_url values.
Update or Apply the Workaround
The issue has been patched in the latest beta, stable & tests-passed versions of Discourse.
For those admins. who cannot update to 2.7.9 or later, the workaround is to block requests that start with “/webhooks/aws path” at an upstream proxy.
The flaw is still undergoing technical analysis, but the researcher who discovered the vulnerability has published a technical analysis about it.
Easy to Work
The details in his analysis – which he released just a day after the fix was issued – could be enough for attackers to exploit it. The researcher, “joernchen,” told Bleeping Computer that he reported the issue to the Discourse team immediately upon finding it on Oct. 10 and that the patch itself made it easy to work out how an exploit would work.
Although the software-as-a-service (SaaS) versions of Discourse were fixed as of Wed., there might still be many vulnerable deployments. A Shodan search revealed 8,640 Discourse deployments on Mon. morning.
Cannot Fix It If You Do not Know About It
Greg Fitzgerald, co-founder of Sevco Security, explained that this RCE vulnerability points to how ‘tricky’ it is getting for organisations to assess their attack surfaces.
“There is more data flowing around organisations than ever before,” he stated. “There are more solutions installed than ever before. The diversity of devices, users & applications being used by the business is more complex than ever before.”
Incredibly Challenging
It is therefore more important than ever to get asset inventory right, he continued. “All these ‘ever befores’ have made the task of creating an accurate IT asset inventory – and therefore understanding what your real attack surface looks like – incredibly challenging for companies,” Fitzgerald observed.
“Enterprises tend to do a really good job of patching the vulnerabilities that they know about quickly, but the real threats lurking under the surface for most organisation are the IT assets they’ve forgotten about, which often create an easy path to data for attackers.”
https://www.cybernewsgroup.co.uk/virtual-conference-november-2021/
