The open-source advertising platform Revive Adserver is urging customers to patch two vulnerabilities, one of which is critical and may have been exploited to allow hackers to deliver malware to third-party websites.
Revive Adserver, formerly known as OpenX Source, is a free, open-source ad server used by publishers, advertisers, ad agencies and ad networks to run and manage online ad campaigns. It urged all its customers last week to update to the new 4.2.0 version of its software, providing few details. On Monday, the company publicly disclosed more information regarding the two bugs.
One of the bugs is rated critical, with a CVSS score of 10, and is classified as a “deserialization of untrusted data” vulnerability. This type of bug occurs when untrusted data, once deserialized, is used to abuse the logic of an application, trigger a denial-of-service attack, or execute arbitrary code, according to the description.
“It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third-party websites,” the bulletin added.
Monday’s security bulletin stated that the vulnerability was discovered in Revive Adserver’s delivery XML-RPC scripts. XML-RPC is a remote procedure call protocol that works over the internet. “Such vulnerability could be used to perform various types of attacks, e.g., exploit serialize-related PHP vulnerabilities or PHP object injection,” the description said.
An attack consists of an adversary sending a specially crafted payload to the XML-RPC call script, which triggers the “unserialize” call.
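To show the bug class described above in code, here is an added PHP illustration (not Revive Adserver's own code; the CacheEntry class and the handler functions are hypothetical). It places a handler that feeds untrusted input straight into unserialize() beside a hardened version that refuses to instantiate any class from the input, and assumes PHP 8.0 or later:

```php
<?php
// Added illustration of the "deserialization of untrusted data" bug class.
// NOT Revive Adserver code: CacheEntry and the handler functions are hypothetical.
// Assumes PHP 8.0+ (typed properties, mixed return type).
// Any class with a magic method (__wakeup, __destruct, __toString, ...) that is
// loadable when unserialize() runs is a potential "gadget": the method executes
// with property values chosen by whoever supplied the serialized string.
class CacheEntry {
    public static int $wakeups = 0;
    public string $path = '/tmp/cache.dat';
    public function __wakeup(): void {
        // Runs automatically during unserialize(); in real code this is where
        // attacker-controlled properties reach file, database or eval operations.
        self::$wakeups++;
    }
}

// VULNERABLE pattern: request data goes straight into unserialize().
function handleVulnerable(string $untrusted): mixed {
    return unserialize($untrusted);   // PHP object injection possible
}

// HARDENED pattern: keep unserialize() but forbid instantiating any class.
// Objects in the input become __PHP_Incomplete_Class and no magic method runs;
// the handler then rejects the request if any object is present at all.
function handleHardened(string $untrusted): mixed {
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    // Reject objects anywhere in the decoded value, not just at the top level.
    $hasObject = false;
    $walk = function ($v) use (&$walk, &$hasObject): void {
        if (is_object($v)) { $hasObject = true; }
        elseif (is_array($v)) { foreach ($v as $item) { $walk($item); } }
    };
    $walk($value);
    if ($hasObject) {
        throw new InvalidArgumentException('objects are not accepted here');
    }
    return $value;
}

// Constructed sample inputs (built locally, not captured traffic).
$benign      = serialize(['ad_id' => 42, 'zone' => 7]);
$objectInput = serialize(new CacheEntry());

handleVulnerable($objectInput);
echo "wakeups after vulnerable handler: ", CacheEntry::$wakeups, "\n"; // gadget ran
try { handleHardened($objectInput); } catch (InvalidArgumentException $e) { echo "rejected\n"; }
echo "wakeups after hardened handler: ", CacheEntry::$wakeups, "\n";   // unchanged
var_dump(handleHardened($benign)['ad_id']);   // plain data still decodes
```

For new code, a data-only format such as JSON (json_decode with an associative-array result) avoids the class-instantiation problem entirely.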
Threatpost reached out to Revive Adserver and company representatives, and neither replied to questions such as how many customers may have been impacted.
The second vulnerability has a much lower CVSS rating of 4.2. “A remote attacker can trick a logged-in user to open a specially crafted link and have them redirected to any destination,” according to the vulnerability description.
Revive Adserver strongly advises users to upgrade to the most recent (4.2.0) version of Revive Adserver software. Alternatively, when that is not immediately feasible, the company recommended that users delete the “adxmlrpc.php, www/delivery/axmlrpc.php and www/delivery/dxmlrpc.php” files.
The vulnerability was disclosed via the HackerOne bug bounty program, and Matteo Beccati is credited for discovering the bug.