The National Center for Cybersecurity and Cyber Incident Response has identified ongoing compromises of official websites of government agencies and organizations that are built on software developed by 1C-Bitrix.
In connection with the vulnerabilities identified in the 1C-Bitrix CMS, and to minimize the associated risk, the following actions must be performed on an ongoing basis:
- update the software to the latest version;
- disable all publicly exposed components of CMS 1C-Bitrix that are not in use and could be abused by attackers.
The attacks are carried out through the scripts reload_basket_fly.php, show_basket_fly.php and show_basket_popup.php, located in the /ajax/ directory under the site's document root. These scripts pass the attacker-controlled PARAMS request parameter to unserialize(), which lets an attacker instantiate arbitrary PHP classes (PHP object injection) and ultimately execute malicious code remotely.
If you find the problematic scripts, you must:
1. stop all malicious processes;
2. change the passwords of all 1C-Bitrix accounts in use;
3. update the CMS and all its modules to the latest versions;
4. if you cannot update the software yourself, contact the developers of the web resource as soon as possible to change the scripts reload_basket_fly.php, show_basket_fly.php and show_basket_popup.php as a temporary workaround: replace $arParams = unserialize(urldecode($_REQUEST["PARAMS"])); with $arParams = json_decode($_REQUEST["PARAMS"]); (note that json_decode() returns an object unless its second argument is true; pass true so that $arParams remains an array, as unserialize() produced for array input).
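The following is an added example, not code from 1C-Bitrix or from the advisory. It shows the unserialize() pattern described above next to the json_decode() replacement, with the validation a practitioner would add around it. The class DemoGadget, the function names and the SHOW_DELAY/TEMPLATE keys are assumptions made for the demonstration; the serialized input is constructed, not a payload observed in the wild.

```php
<?php
// Added example (not 1C-Bitrix code): the unserialize() pattern the advisory
// describes, a toy class standing in for a real gadget, and the json_decode()
// replacement with the validation a practitioner would add around it.
declare(strict_types=1);

// Hypothetical class standing in for any autoloadable class with a "magic"
// method. Nothing here is taken from 1C-Bitrix; in a real gadget chain this
// is where attacker-controlled state reaches a file write, include or system().
class DemoGadget
{
    public string $cmd = '';

    public function __wakeup(): void
    {
        // Runs inside unserialize(), before the caller sees the result.
        echo "DemoGadget::__wakeup() ran with attacker-controlled cmd={$this->cmd}\n";
    }
}

// The vulnerable pattern from the advisory: whoever calls the script controls
// the whole serialized blob, so the caller chooses which classes get instantiated.
function parseParamsVulnerable(array $request): mixed
{
    return unserialize(urldecode($request['PARAMS'] ?? ''));
}

// Hardened replacement. JSON cannot name PHP classes, so no object is ever
// created. The second argument (true) makes json_decode() return an array, as
// unserialize() did for array input, so existing $arParams['KEY'] reads still work.
// The caller also states which keys it expects; everything else is dropped.
function parseParamsHardened(array $request, array $allowedKeys): array
{
    try {
        $decoded = json_decode($request['PARAMS'] ?? '', true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];   // malformed or too deeply nested input: treat as no parameters
    }
    if (!is_array($decoded)) {
        return [];   // a bare scalar such as "42" or "null" is not a parameter set
    }
    $clean = [];
    foreach ($allowedKeys as $key) {
        if (array_key_exists($key, $decoded) && is_scalar($decoded[$key])) {
            $clean[$key] = $decoded[$key];
        }
    }
    return $clean;
}

// Constructed request (not a real payload): a serialized DemoGadget object,
// URL-encoded the way the vulnerable line expects.
$serializedObject = 'O:10:"DemoGadget":1:{s:3:"cmd";s:6:"whoami";}';
$attackerRequest  = ['PARAMS' => urlencode($serializedObject)];

// Vulnerable path: __wakeup() fires and the caller receives an object.
$result = parseParamsVulnerable($attackerRequest);
assert($result instanceof DemoGadget);

// Hardened path: the same request is rejected as invalid JSON; no object exists.
$result = parseParamsHardened($attackerRequest, ['SHOW_DELAY', 'TEMPLATE']);
assert($result === []);

// Legitimate caller after the change sends JSON; unexpected and nested keys are dropped.
$legitRequest = ['PARAMS' => '{"SHOW_DELAY":"N","TEMPLATE":"fly","EXTRA":{"nested":1}}'];
$result = parseParamsHardened($legitRequest, ['SHOW_DELAY', 'TEMPLATE']);
assert($result === ['SHOW_DELAY' => 'N', 'TEMPLATE' => 'fly']);
echo "hardened parser returned only the expected keys\n";
```

Two practical notes on the workaround. First, switching to json_decode() changes the wire format, so the front-end code that calls these scripts must start sending JSON in PARAMS rather than a serialized PHP array; if that cannot be changed at the same time, unserialize($s, ['allowed_classes' => false]) is a narrower stopgap that still parses the old format but refuses to instantiate any class. Second, neither variant stops a client from freely choosing the parameter values; the stronger design is for the server to generate and sign the parameter set itself so that a tampered copy is rejected outright.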
Also, under Order No. 60 of the Operational Analytical Center dated 02.08.2010, mandatory requirements apply to authorized Internet service providers that host official websites and e-mail of government agencies and organizations. To meet them, clients of Belarusian Cloud Technologies LLC must:
- provide Belarusian Cloud Technologies LLC with up-to-date contact details of the employees authorized to access the hosting control panel remotely;
- by creating a request in the personal account (available at https://lc.g-cloud.by), provide the Company with an up-to-date list of the external static IP addresses from which remote access to the hosting control panel and to the URLs used for administering the website content management system is permitted;
- change account passwords regularly (at least once every 6 months);
- ensure that the CMS and the site's other software are updated regularly to the latest version recommended by the developer (at the time of writing: PHP not lower than 8.1, CMS 1C-Bitrix v24.100.100);
- comply with the other information security requirements set out in the rules for the provision of services of the republican platform, which form an integral part of the service contracts, including:
  - enable the "Proactive Defense" module, if available, and configure it according to the developer's recommendations;
  - check the site for vulnerabilities with the CMS Bitrix "Security Scanner" tool;
  - check the site for malicious code and, if any is found, remove it and check the system for compromise.
This notice is issued to ensure that the above measures are taken to protect information resources, and to request that the site's SSL certificate chain and private key be transferred to Belarusian Cloud Technologies LLC for installation on the information security tools of the republican platform, so that SSL inspection can be carried out and attacks carried out over encrypted connections can be blocked. If SSL inspection has not previously been ordered from Belarusian Cloud Technologies LLC as an additional service, you must submit a request in your personal account and attach the SSL certificate chain and private key used by the site to that request.
If the listed requirements are not met by 05.11.2024, Belarusian Cloud Technologies LLC has the right to suspend the hosting service in whole or in part, including by restricting access to the resource.