Advisory for: Akeeba for Joomla!
Security Risk: Low
Exploitation level: Difficult/Remote
Vulnerability: Access control bypass
If you’re a user of the very popular “Akeeba Backup for Joomla!” extension (with over 8m downloads), you need to update it right away! During a routine audit for our WAF, we found a vulnerability that could allow an attacker to list and download backups created with the Akeeba extension. With a copy of the backups, an attacker can find your database passwords (stored in configuration.php) and the user list along with their hashed passwords and hashed password-reset tokens.
We rate the risk of this vulnerability as “low” because of the exploit’s complexity.
Who’s at risk?
This vulnerability is present on Joomla websites running Akeeba that have the “Enable front-end and remote backup” option activated. If that is the case for your site, you should definitely update this extension as soon as possible!
Note that the attack requires a very high level of sophistication, such that only an experienced cryptanalyst can understand it. This is why it went undetected and unexploited for years. If your site is compromised or was compromised recently, it was most likely not through this vulnerability.
The team behind Akeeba responded very well and released a blog post providing upgrade instructions: Akeeba – Security Updates for August
How is that possible?
The extension contains a full-blown JSON API which allows its users to easily set up a remote automatic backup system. It also implements an advanced encryption mechanism (AES in Cipher-block chaining (CBC) and Counter (CTR) modes) intended to provide a safe way to prevent eavesdroppers from stealing backups from websites that do not have an SSL certificate.
The problem was located in the way user authentication was handled when an encrypted request was received. The extension would simply skip the authentication routine, on the assumption that a user able to send a valid encrypted JSON payload must know the website’s secret key, and that anyone who knows that key is a legitimate user.
The problem with this behaviour is that an attacker could recover the key by brute forcing valid encrypted JSON payloads one character at a time. Once that is done, the attacker can communicate with the API just like a legitimate user would.
Being able to communicate with the API, an attacker could also use this new capability to bypass the cryptographic protections that Joomla! puts in place on password reset requests; this part only works against users with administrative privileges who are not super-administrators.
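To show the design flaw in a defender’s terms, here is an added illustration that is not Akeeba’s code: the cipher (a toy SHA-256 keystream standing in for AES-CBC/CTR), the request handlers and the credential scheme are all hypothetical stand-ins. It contrasts a handler that treats “decrypts to valid JSON” as proof of identity with one that verifies a MAC over the ciphertext in constant time before parsing and then still runs the ordinary authentication routine.

```python
import hashlib, hmac, json, secrets

# Toy stream cipher (SHA-256 keystream) standing in for the AES-CBC/CTR transport
# encryption the extension uses; it exists only so the example runs offline.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def _mac_key(site_key: bytes) -> bytes:
    return hashlib.sha256(b"example-mac|" + site_key).digest()  # domain-separated MAC key

def seal(site_key: bytes, payload: dict) -> tuple:
    """Client side: encrypt the JSON body, then MAC the ciphertext (encrypt-then-MAC)."""
    blob = encrypt(site_key, json.dumps(payload).encode())
    return blob, hmac.new(_mac_key(site_key), blob, hashlib.sha256).digest()

def check_credentials(body: dict, users: dict) -> bool:
    """Hypothetical credential check: constant-time compare of a stored token hash."""
    expected, token = users.get(body.get("user")), body.get("token")
    return isinstance(expected, str) and isinstance(token, str) and hmac.compare_digest(expected, token)

# Flawed pattern described in the advisory: anything that decrypts to well-formed
# JSON is treated as authenticated, so the credential check never runs and the
# server's differing answers reveal whether a submitted payload decrypted "correctly".
def handle_vulnerable(site_key: bytes, blob: bytes) -> int:
    try:
        body = json.loads(decrypt(site_key, blob).decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 403
    return 200 if isinstance(body, dict) and "method" in body else 400

# Hardened pattern: verify the MAC over the ciphertext in constant time before
# decrypting or parsing (one uniform rejection for every unauthenticated blob),
# and then still run the ordinary authentication routine on the decrypted body.
def handle_hardened(site_key: bytes, blob: bytes, tag: bytes, users: dict) -> int:
    if not hmac.compare_digest(hmac.new(_mac_key(site_key), blob, hashlib.sha256).digest(), tag):
        return 403
    body = json.loads(decrypt(site_key, blob).decode("utf-8"))
    if not isinstance(body, dict) or not check_credentials(body, users):
        return 401
    return 200 if "method" in body else 400
```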
As requested by the Akeeba team, we will not release a POC or any additional technical details about this vulnerability for 30 days.
One word: Update
You should definitely update this extension to the latest version following their recommendations.
Note that users of our website firewall (CloudProxy) are already automatically protected against this type of attack.