A critical vulnerability in the Discourse web app was disclosed by a researcher and fixed last Friday. The remote code execution (RCE) vulnerability, tracked as CVE-2021-41163, could be exploited to execute arbitrary code.
Discourse is a web-based platform that enables users to create long-form chats and mailing lists. It is widely deployed on the web. In September 2021 alone, users on Discourse published 3.5 million posts, which were viewed by 405 million users.
Version 2.7.8, the latest release before the fix, and all older versions are vulnerable to the flaw and can be exploited by attackers. The best way to address the issue is to update to 2.7.9, which came out on Friday.
Because Discourse is so widely deployed and the flaw is easy for anyone to exploit, CISA released an alert urging users to update their Discourse version and apply the necessary fixes.
The flaw is triggered by a maliciously crafted, unauthenticated HTTP POST request sent to a vulnerable instance. It stems from missing validation of the “subscribe-url” value: an attacker can reach an `open()` call with user-supplied input and thereby invoke OS commands with the rights of the web app, which is ‘www-data’ (admin) in most cases.
The ease of exploitation earned the flaw a CVSS v3 score of 10.0 (critical).
There are still over 8,600 deployments exposed on the Internet that could be vulnerable. Since Wednesday, however, all SaaS instances have been patched and are now protected.
If you can’t update to the latest version, try blocking requests with a path containing “/webhooks/aws” at an upstream proxy.
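Whether or not the proxy rule is in place, an operator will want to know which sources have been hitting that route. The following added example (not code from the article or from Discourse) scans combined-format access log lines for requests whose path contains “/webhooks/aws”, normalizing percent-encoding and case so the count is not thrown off by encoded spellings, and tallies hits per source address; the log format and sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Combined log format (nginx/Apache default). Assumption: the proxy in front
# of Discourse writes this format; adjust the regex if yours differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)
SUSPECT_PATH = "/webhooks/aws"  # path fragment named in the advisory

def normalize_path(target: str) -> str:
    """Drop the query string, percent-decode twice (double-encoded slash), lowercase."""
    path = target.split("?", 1)[0]
    return unquote(unquote(path)).lower()

def is_suspect(entry: dict) -> bool:
    # The advisory describes an unauthenticated POST, but every method is
    # flagged so that probing with GET/HEAD is visible too.
    return SUSPECT_PATH in normalize_path(entry["target"])

def scan(lines):
    """Return the parsed entries (dicts) whose path hits the webhook route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)  # malformed lines are skipped, not fatal
        if m and is_suspect(m.groupdict()):
            hits.append(m.groupdict())
    return hits

def summarize(hits):
    """Hits per source address, most active first: [(ip, count), ...]."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Oct/2021:10:01:02 +0000] "POST /webhooks/aws HTTP/1.1" 200 17',
    '203.0.113.7 - - [22/Oct/2021:10:01:09 +0000] "POST /webhooks/aws?x=1 HTTP/1.1" 200 17',
    '198.51.100.4 - - [22/Oct/2021:10:02:00 +0000] "GET /latest.json HTTP/1.1" 200 5120',
    '198.51.100.9 - - [22/Oct/2021:10:03:00 +0000] "POST /WEBHOOKS/AWS HTTP/1.1" 403 0',
    '192.0.2.5 - - [22/Oct/2021:10:04:00 +0000] "POST /webhooks%2Faws HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for ip, n in summarize(scan(SAMPLE_LOG)):
        print(f"{ip}: {n} request(s) to {SUSPECT_PATH}")
```

Pipe a real access log into `scan()` line by line; a 403 on the route shows the proxy rule working, while a 200 from an unpatched instance is worth investigating.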
The researcher who discovered the flaw immediately reported the problem to Discourse on October 10, 2021.
No further details are available at this time. The researcher said that publishing too many details about the issue would only give attackers enough details to exploit it.