Vulnerable vBulletin install on OpenSUSE forums exploited

Thanks to a vBulletin exploit, openSUSE's forum admins are dealing with nearly 80K leaked email addresses.

A Pakistani "hacker," calling themselves H4x0r HuSsY, used a known vBulletin vulnerability to deface the openSUSE forums, and compromise databases stored by the site.

"A cracker managed to exploit a vulnerability in the forum software which made it possible to upload files and gave access to the forum database," explained the announcement on openSUSE.org.

The upside to the attack is that the passwords claimed to have been taken are useless to the aforementioned "hacker." The openSUSE forums, and all openSUSE logins, use a single-sign-on system from NetIQ.

The announcement continued:

Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords where indeed random, automatically set strings that are in no way connected to your real password.

However, some user data is stored in the local database for convenience, in the case of the forum the user email addresses. Those, the hackers had access to, and we’re very sorry for this data leak!

The openSUSE forums used version 4.2.1 of vBulletin's software. Last July, the 4.1.x branch of vBulletin was proven vulnerable, and website administrators were urged to upgrade their installations. The disclosed flaws were later linked to a breach at UbuntuForums.org. After that, in November, a vulnerable vBulletin installation on MacRumors.com was compromised, which led to the exposure of 860,000 accounts.

The openSUSE forums only have 79,456 members, and the organization's use of an SSO solution means that the severity of the incident was seriously downgraded.

While bragging about the attack "H4x0r HuSsY" promised not to release the data base dump, because he/she only wanted to expose the security problems on the site. Then again, this pledge was made after it was disclosed that the passwords were worthless. So the main bragging points from the defacement were stripped away.

At the end of the day, proactive security planning by openSUSE administrators and the use of an SSO are the heroes here. Passive attackers will always be around, and they will seek out known vulnerable software and have their fun. In this case, it was a forum defacement and partially mitigated data leak. But it could have been worse.

The openSUSE forums are offline, and will remain so until the Linux distributor addresses the vulnerability. Best guess, they'll upgrade to the 4.2.2 branch.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.