Around a quarter of the world’s websites are exposed to a dangerous attack caused by a flaw in the WordPress core update server.
Critical WordPress Bug
A critical security vulnerability has been discovered in the WordPress core update servers that could be used to compromise about a quarter of all internet sites. Attackers could exploit a remote code execution flaw in a PHP webhook hosted on WordPress’s official API site. Matt Barry, lead developer at the WordPress security vendor WordFence, found that the webhook’s verification lets the caller choose the hashing algorithm; by supplying a weak one, an attacker could brute-force the shared secret key (SSK) in only a few hours.
The brute-force attempts can be kept to a low enough rate to evade WordPress’s own security systems. An attacker who succeeds could use the flaw to send malicious URLs back via the WordPress update servers, which in turn could lead to mass infection with malicious redirects.
According to the web monitoring service W3Techs, this could affect 27.1% of all websites, the share powered by the content management system. The attackers could do even more damage: using a malicious update they could disable the default auto-update feature, preventing the WordPress servers from delivering the security patches that fix these issues. The management system performs no signature verification and trusts every URL and package supplied by the project’s API site.
In addition, the hashing verification process can be weakened further, allowing attackers to pass POST parameters that grant them remote code execution. The security expert has also published an extensive proof-of-concept in his report.
The issue was reported to Automattic (the company behind WordPress) on the 2nd of September and the developers promptly posted a security patch on the 7th of September. However, the experts still consider the API to be a single point of failure.
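The verification weakness described above (a webhook that lets the caller pick the hash algorithm used to check the shared secret) is illustrated by the following added example, which is not code from api.wordpress.org or from WordFence’s report: a vulnerable signature check beside a hardened one. The header format, the secret value and the request body are assumptions.

```php
<?php
// Added example (not the real api.wordpress.org webhook): a GitHub-style
// webhook receiver that checks an "X-Hub-Signature: algo=hex" header.

// VULNERABLE pattern: the hash algorithm is parsed from the client's header,
// so the caller chooses it. On PHP < 7.2, hash_hmac() accepted non-cryptographic
// checksums such as adler32, whose tiny output space lets an attacker guess a
// valid tag with far fewer attempts than a SHA-1 HMAC would require. The plain
// string comparison also leaks timing information.
function verify_vulnerable(string $body, string $header, string $secret): bool
{
    list($algo, $hash) = explode('=', $header, 2);
    $expected = hash_hmac($algo, $body, $secret);   // attacker-chosen $algo
    return $hash === $expected;
}

// HARDENED pattern: pin the algorithm server-side, refuse anything else, and
// compare with hash_equals() so the comparison runs in constant time.
// Note that PHP 7.2+ rejects adler32/crc32 in hash_hmac(), but still accepts
// md5 and sha1, so pinning the algorithm remains necessary.
function verify_hardened(string $body, string $header, string $secret): bool
{
    $parts = explode('=', $header, 2);
    if (count($parts) !== 2 || $parts[0] !== 'sha256') {
        return false;                                 // unknown or weak algo
    }
    $expected = hash_hmac('sha256', $body, $secret);
    return hash_equals($expected, $parts[1]);
}

// Constructed demo values (hypothetical secret, not a real key).
$secret = 'example-shared-secret-do-not-use';
$body   = '{"ref":"refs/heads/master"}';

$pinned = 'sha256=' . hash_hmac('sha256', $body, $secret);
$chosen = 'md5=' . hash_hmac('md5', $body, $secret);   // algorithm picked by caller

// The vulnerable check honours whatever algorithm the caller names; the
// hardened check only accepts a tag computed with the pinned algorithm.
var_dump(verify_vulnerable($body, $chosen, $secret));
var_dump(verify_hardened($body, $chosen, $secret));
var_dump(verify_hardened($body, $pinned, $secret));
```

Even with the signature check fixed, request fields must never reach a shell command, since that is the second half of the flaw described above.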
The disclosure timeline is the following:
- 2016-09-02 21:08 (-0400) – Initial report submitted to Automattic via HackerOne.
- 2016-09-06 19:48 (-0400) – Automattic acknowledges the report.
- 2016-09-07 02:02 (-0400) – A fix for the vulnerability is pushed to the repository.
- 2016-09-21 17:17 (-0400) – The report is resolved and closed.
- 2016-10-29 05:21 (-0400) – Bounty is awarded by Automattic.
- 2016-11-22 – Public disclosure.
For more information you can read WordFence’s detailed blog post on the matter.