On December 14, a new version of Joomla, an open-source content management system (CMS) which allows you to build websites and powerful online applications, was released to patch a critical 0-Day Remote Command Execution (RCE) vulnerability that affects all versions from 1.5 to 3.4.
The vulnerability is due to lack of validation of input objects that can lead to remote command execution. A remote attacker could exploit this vulnerability by sending a malicious request to the victim. The vulnerability was exploited in the wild a few days before a patch was available and, now that the issue is public, is being exploited even more actively and widely.
Check Point released an IPS protection to help site owners defend against attacks until they can patch their Joomla systems.
Check Point IPS Protection
Check Point protects its customers from the Joomla Remote Command Execution vulnerability with the following IPS protection, released on December 15, 2015:
Joomla Object Injection Remote Command Execution: This protection detects and blocks attempts to exploit the remote command execution vulnerability reported in Joomla platforms. It also detects the new Metasploit module, which consists of a real payload which successfully achieves remote command execution.
Check Point Observation & Guidance
Check Point has noted many attack attempts worldwide, which try to exploit this new vulnerability. We recommend activating the above IPS protection in Prevent mode. The following IPs are among the sources of these attacks: 188.8.131.52; 184.108.40.206; 220.127.116.11; 18.104.22.168; 22.214.171.124; 126.96.36.199; 188.8.131.52. We identified attacks coming mostly from hackers in Russia, Ukraine, Poland, Netherlands and Paraguay, directed at potentially vulnerable systems in the US, Europe & Israel.