October 3rd 2013 Security Patch Follow Up

[Matt]

October 3rd 2013 Security Patch Follow Up

 

First of all I would like to apologize to anyone who was affected by this week's security issue. Security vulnerabilities that are disclosed publicly like this was, without any prior warning or notice, are always a big concern for a software development company.

 

The purpose of my blog post today is to provide you with the information you need to both ensure you are safe against this attack and check if you were affected by it.

 

How do I know if I am protected?

 

Provided you have updated to either Version 5.2.8 or 5.1.10 (or 5.3.1 if you're testing our most recent Beta), your installation is protected from future attacks of this nature. This does NOT however mean that you won't see attempts to use it. You may still see emails or log entries saying somebody tried to update or submit a value that starts with AES_ENCRYPT. If you see these, do not be alarmed.

 

You can verify what version you are running within your WHMCS admin area by navigating to Help > Check for Updates.

 

While all versions of WHMCS published prior to October 3rd 2013 are affected by this vulnerability, only 5.1 and 5.2 will be provided updates per our Long Term Support Policy. This policy is in place to help encourage people to stay current with our software and ensure they are getting the best possible user experience from our product that new updates and improvements bring.

 

How do I know if I was affected?

 

It is usually possible to tell if you have been affected by this, or had it attempted on your installation, based on the "WHMCS User Details Change" email notification. This is the email sent any time a client updates their profile details via the client area. When this feature is enabled, which it is by default, it contains both the old and new values to allow you to review any changes. In this email if you see any new field values that start "AES_ENCRYPT" (without the quote marks) then the exploit has been attempted on your installation.

 

Another way to check is via the Activity Log. This can be accessed via the admin area by navigating to Utilities > Logs > Activity Log. Again here you're looking for any references that contain the keyword "AES_ENCRYPT". If you see them, then somebody has attempted to use the exploit on your system.

 

Of course, someone attempting to use the exploit does NOT inherently mean it was successful. If the time of the attempt was after you applied the patch then the exploit will have failed; at most the attacker would only be able to alter details of their own, dummy, account.

 

If the attempted exploit occurred prior to implementing the security patch, this alone does not indicate that your system was compromised any further than the information disclosure.

In the published exploit example, the scripted behavior is to retrieve the admin user password hashes. These password hashes, in themselves, are not sufficient to allow the attacker to authenticate into your admin area. The attacker must find the text which equates to the same hash value as your password.

 

If the attacker is able to extract the true admin user password value, they would then need to also know the exact location of the admin login page as well as have access to load it. As described in our recommended further security steps, WHMCS provides an extra layer of protection to help mitigate the unauthorized access into the administrative area by allowing a custom admin folder path. We also recommend restricting IP access to that folder with an htaccess file.

 

Please note that due to the nature of SQL Injection attacks, it is possible to do more that just information disclosure if the attempt was successful. We encourage you to look at the injected values and identify the exact SQL statements used by the attacker from the log entries prior to applying the patch; from this information you can known what database values the attacker was seeking to access or update.

 

If you see anything suspicious or that causes you concern, either in the email notifications or the activity log, then be sure to get in touch with our support team via http://www.whmcs.com/get-support Our team has been fully briefed and should be able to answer any questions you may have, or escalate it to someone who can.