UPDATE
The open-source advertising platform Revive Adserver is urging customers to patch two vulnerabilities, one of which is critical and may have been exploited to allow hackers to deliver malware to third-party websites.
Revive Adserver, formerly known as OpenX Source, is a free, open-source ad server used by publishers, advertisers, ad agencies and ad networks to run and manage online ad campaigns. It urged all its customers last week to update to the new 4.2.0 version of its software, providing few details. The maintainers of the open-source Revive Adserver software said they can’t be sure how many users are affected by the bug. The project estimates the number of users of its open-source software at “several thousands” and declined to share numbers for its hosted version of Revive Adserver.
One of the bugs is rated critical, with a CVSS score of 10, and is classified as a “deserialization of untrusted data” vulnerability. According to the description, this type of bug occurs when untrusted data is used to abuse the logic of an application, triggering a denial-of-service attack or executing arbitrary code when that data is deserialized.
“It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third-party websites,” the bulletin added.
When asked to elaborate, Erik Geurts told Threatpost on behalf of Revive Adserver’s project team:
“We’ve seen people reporting issues with their self-hosted installation of the Revive Adserver software, for example on our community forums. We’ve tried contacting many of them to get more information, but much to our disappointment we’ve never been able to get anyone to help us with a more detailed investigation of their particular issue. Based on the reports we read, we started investigating the code some time ago, and that resulted in the discovery of some lines of code that an attacker could potentially use to compromise a self-hosted installation of the Revive Adserver software. Version 4.2 of the Revive Adserver software fixes this.”
The security bulletin stated that the vulnerability was discovered in Revive Adserver’s delivery XML-RPC scripts. XML-RPC is a remote procedure call protocol that works over the internet. “Such vulnerability could be used to perform various types of attacks, e.g., exploit serialize-related PHP vulnerabilities or PHP object injection,” the description said.
An attack consists of an adversary sending a specially crafted payload to the XML-RPC script, which then passes that payload to PHP’s “unserialize” call.
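To make the deserialization issue concrete, here is an added illustration (not Revive Adserver’s code) of the generic PHP pattern behind this class of bug: a handler that calls `unserialize()` on a request parameter, beside a hardened version that refuses to instantiate classes and validates the shape of the result. The class `CacheWriter`, the two handler functions and the sample payloads are all hypothetical and constructed for this example.

```php
<?php
// Added illustration, not Revive Adserver code. Contrasts the generic unsafe
// pattern (unserialize() on a request parameter) with a hardened handler.
// Class, function and sample names are hypothetical.

// A class with a side-effecting magic method. Any such class that the
// autoloader can reach becomes a "gadget" once untrusted bytes are unserialized.
class CacheWriter
{
    public $path;
    public $data;

    public function __destruct()
    {
        // Runs when the object is destroyed, even if unserialize() created it
        // from request bytes: the sender of the payload chooses $path and $data.
        file_put_contents($this->path, $this->data);
    }
}

// --- Unsafe: instantiates whatever class the payload names ----------------
function handleUnsafe(string $param)
{
    return unserialize($param);
}

// --- Hardened: scalars/arrays only, then strict shape validation ----------
function handleHardened(string $param): array
{
    // allowed_classes => false (PHP >= 7.0) turns every object in the payload
    // into a __PHP_Incomplete_Class placeholder, so no __wakeup()/__destruct()
    // of an application class ever runs.
    $value = unserialize($param, ['allowed_classes' => false]);

    // unserialize() returns false both for the literal "b:0;" and for
    // malformed input; treat the latter as an error.
    if ($value === false && $param !== serialize(false)) {
        throw new InvalidArgumentException('malformed payload');
    }

    // This endpoint only ever expects a flat list of integer ids. Rejecting
    // anything else also rejects the incomplete-class placeholders.
    if (!is_array($value) || $value !== array_filter($value, 'is_int')) {
        throw new InvalidArgumentException('unexpected payload shape');
    }
    return array_values($value);
}

// Preferable to either: carry request data in a format that cannot name
// classes at all, e.g. json_decode($param, true), and validate the result.

// Constructed sample inputs. The second is a hand-written serialized
// CacheWriter; it is only ever passed to the hardened handler here.
$benign = serialize([1, 2, 3]);
$gadget = 'O:11:"CacheWriter":2:{s:4:"path";s:6:"/tmp/x";s:4:"data";s:1:"y";}';

echo implode(',', handleHardened($benign)), "\n";
try {
    handleHardened($gadget);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The key design choice is that the hardened handler never lets the payload decide which class gets constructed; `allowed_classes => false` closes the object-injection path and the shape check closes the rest. Where a codebase cannot be changed immediately, the bulletin’s advice of removing the XML-RPC entry points altogether is the equivalent operational control.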
The second vulnerability has a much lower CVSS rating of 4.2. “A remote attacker can trick a logged-in user to open a specially crafted link and have them redirected to any destination,” according to the vulnerability description.
Revive Adserver strongly advises users to upgrade to the most recent (4.2.0) version of the Revive Adserver software. Alternatively, when that is not immediately feasible, the company recommends that users delete the adxmlrpc.php, www/delivery/axmlrpc.php and www/delivery/dxmlrpc.php files.
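The second issue is an open redirect. As an added example, not code from Revive Adserver, the following hypothetical helper shows the check a redirect endpoint should apply to a user-supplied “return to” value before emitting a `Location` header: accept only same-host absolute URLs or plain relative paths, and fall back to a safe default otherwise. The function name and the host value are assumptions for the illustration.

```php
<?php
// Added illustration, not Revive Adserver code. Validates a user-supplied
// redirect target so a crafted link cannot bounce a logged-in user to an
// arbitrary external destination. Names and hosts are hypothetical.

function safeRedirectTarget(string $candidate, string $ourHost, string $fallback = '/'): string
{
    // Control characters (CR/LF) have no place in a URL and could split headers.
    if (preg_match('/[\x00-\x1f\x7f]/', $candidate)) {
        return $fallback;
    }

    // Absolute or protocol-relative form: must be http(s) on our own host.
    // parse_url() also exposes tricks like "http://ourhost@evil.example".
    if (preg_match('#^(//|[a-z][a-z0-9+.\-]*:)#i', $candidate)) {
        $parts = parse_url($candidate);
        if ($parts === false) {
            return $fallback;
        }
        $scheme = strtolower($parts['scheme'] ?? '');
        $host   = strtolower($parts['host'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true) || $host !== strtolower($ourHost)) {
            return $fallback;
        }
        return $candidate;
    }

    // Relative form: a single leading slash, and not "/\" which browsers
    // normalise to "//" (protocol-relative).
    if ($candidate === '' || $candidate[0] !== '/' || (isset($candidate[1]) && $candidate[1] === '\\')) {
        return $fallback;
    }
    return $candidate;
}

// Constructed sample inputs against a hypothetical host.
$host = 'ads.example.org';
$samples = [
    '/admin/campaigns.php?id=7',          // accepted: relative path
    'https://ads.example.org/admin/',     // accepted: same host
    'https://evil.example/phish',         // rejected: foreign host
    '//evil.example/phish',               // rejected: protocol-relative
    'https://ads.example.org@evil.example/', // rejected: userinfo trick
    'javascript:alert(1)',                // rejected: non-http scheme
    "/ok\r\nSet-Cookie: x=y",             // rejected: control characters
];
foreach ($samples as $s) {
    printf("%-45s -> %s\n", json_encode($s), safeRedirectTarget($s, $host));
}
```

Use the returned value as the `Location` header; because every rejected input collapses to the fallback, the endpoint can never be steered off-site by the link a user was tricked into opening.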
The vulnerability was disclosed via the HackerOne bug bounty program, and Matteo Beccati is credited for discovering the bug.
“Unfortunately, it is a fact of life that when people run a self-hosted version of our software, or of any open source software for that matter, it is possible that their system gets compromised. In some cases, this is actually not related to software bugs at all, but due to careless management of their servers, having weak passwords, and so on,” Geurts told Threatpost.
“We’ve also noticed that many people do not take care of upgrading their installation to the most recent version, for whatever reason. The same happens with many other open source tools, like for example WordPress. While we want to avoid a ‘blame the victim’ approach, we do regret the fact that there are people still using versions of the software that are over 5 years old, on servers running entirely outdated versions of PHP for example. We can’t force anyone to upgrade,” Geurts said.
(This article was updated on 5/2 at 10:40 am EDT to include comments from Revive Adserver. The update also revises the disclosure timeline for the vulnerability.)