Major remote code execution vulnerability discovered in Concrete5 content management system (CMS) used by US Army
Security researchers from Edgescan have discovered a remote code execution vulnerability in the Concrete5 content management system. Concrete5 is a free CMS used to build websites, and it is used by many large organizations, including GlobalSign, REC and BASF. Its biggest user, however, is the United States Army, which powers all of its websites with Concrete5.
Edgescan senior information security consultant Guram Javakhishvili revealed that Concrete5 has a Remote Code Evaluation (RCE) flaw, a known security weakness which, if exploited, “can lead to a full compromise of the susceptible web application and also the web server that it is hosted on.”
The RCE vulnerability in Concrete5 is simple to exploit and quickly gives the attacker full access to the website. It can also be used to change the site configuration so that PHP files can be uploaded; once that is done, malicious PHP code can be uploaded and system commands executed, including the deployment of malware and ransomware.
The vulnerability exists in the Concrete5 ‘reverse shell’ mechanism. Once a threat actor exploits it, they can take full control of the Concrete5-powered web server and, from there, launch attacks on other servers reachable through the internal network.
Edgescan said that it had reached out to the Concrete5 development team, which has released a fix for the RCE vulnerability in a new stable version, Concrete5 v8.5.4.
Eoin Keary, CEO of Edgescan, commented: “An RCE can lead to a full compromise of the vulnerable web application and also web server. Nearly 2% of vulnerabilities across the full-stack were attributed to RCE in the Edgescan 2020 Vulnerability Stats Report. At Edgescan, we’re proud of the part we play in identifying vulnerabilities in web apps, alerting vendors, and supporting them in making their products as secure as possible.”
The investigation serves as a reminder for organizations to take regular action to ensure their CMS installations are secure. Steps advised by Edgescan include keeping installed scripts and CMS platforms up to date, taking regular backups, and subscribing to a regularly updated list of vulnerabilities for the specific CMS being used.
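The two defensive points above, checking that the installed version is at least the fixed 8.5.4 and looking for PHP code that has landed in the upload directory, can be combined into one audit script. This is an added example, not Edgescan's or Concrete5's code; it assumes the Concrete5 8.x layout with the version string in `concrete/config/concrete.php` and uploads under `application/files/`, and it runs against a constructed install tree.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (8, 5, 4)  # first release stated to contain the fix
# Any PHP open tag inside an uploaded file is suspicious: uploads should be data, not code
PHP_TAG = re.compile(rb"<\?php|<\?=", re.I)
CODE_SUFFIXES = {".php", ".phtml", ".phar", ".php5", ".php7"}

def parse_version(text):
    """Pull 'version' => 'X.Y.Z' out of concrete.php (assumed config layout)."""
    m = re.search(r"'version'\s*=>\s*'(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def audit(root):
    """Return a list of findings for the Concrete5 install rooted at `root`."""
    root = Path(root)
    findings = []
    cfg = root / "concrete" / "config" / "concrete.php"   # assumed location
    ver = parse_version(cfg.read_text()) if cfg.exists() else None
    if ver is None:
        findings.append("version: unknown (concrete.php not found or unparsable)")
    elif ver < FIXED_VERSION:
        findings.append(f"version: {'.'.join(map(str, ver))} is older than 8.5.4, upgrade")
    uploads = root / "application" / "files"               # assumed upload directory
    for p in sorted(uploads.rglob("*")) if uploads.exists() else []:
        if not p.is_file():
            continue
        # Flag by extension (including double extensions like logo.png.php) or by content
        if p.suffix.lower() in CODE_SUFFIXES or PHP_TAG.search(p.read_bytes()):
            findings.append(f"suspicious upload: {p.relative_to(root).as_posix()}")
    return findings

def demo():
    """Build a constructed, unpatched install with one planted PHP upload and audit it."""
    d = Path(tempfile.mkdtemp())
    (d / "concrete" / "config").mkdir(parents=True)
    (d / "concrete" / "config" / "concrete.php").write_text(
        "<?php\nreturn ['version' => '8.5.2'];\n")      # constructed, pre-fix version
    files = d / "application" / "files" / "1234"
    files.mkdir(parents=True)
    (files / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed image bytes")
    (files / "logo.png.php").write_bytes(b"<?php echo 'constructed sample'; ?>")
    return audit(d)

if __name__ == "__main__":
    for line in demo():
        print(line)
```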