Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes

On April 5, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of vulnerabilities in the Jupiter and JupiterX Premium themes and the required JupiterX Core companion plugin for WordPress, which included a critical privilege escalation vulnerability that allowed any user to become an administrator.

The plugin developers quickly replied and we sent over the full disclosure on the same day. Fully patched versions of all vulnerable components were made available on May 10, 2022.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule protecting against these vulnerabilities on April 5, 2022. Sites still running the free version of Wordfence received the same protection 30 days later, on May 4, 2022.

We strongly recommend updating to the latest patched version for your installation as soon as possible, since this will remove the vulnerabilities. If you are using the classic Jupiter theme, you should  update to at least version 6.10.2. If you are using the JupiterX theme, you should update to at least version 2.0.8 of the JupiterX Core plugin, and at least version 2.0.7 of the JupiterX Core theme, which are the latest versions available at the time of this writing.


Description: Authenticated Privilege Escalation and Post deletion
Affected Software: Jupiter Theme and JupiterX Core Plugin
Slug(s): jupiter (theme), jupiterx-core(plugin)
Developer: ArtBees
Affected Versions: Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7
CVE ID: CVE-2022-1654
CVSS score: 9.9 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Researcher(s): Ramuel Gall
Fully Patched Versions: Jupiter Theme 6.10.2 and JupiterX Core Plugin 2.0.8

This vulnerability allows any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin. The JupiterX Core plugin is required for the JupiterX theme.

The classic Jupiter Theme contains a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled, but has the additional effect of elevating the user calling the function to an administrator role. In JupiterX, this functionality has been migrated to the JupiterX Core plugin. Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks.

On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner.

On a site where a vulnerable version of the JupiterX Core plugin is installed, the same functionality can also be accessed by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template.

Description: Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification
Affected Software: JupiterX Theme and JupiterX Core Plugin
Slug(s): jupiterx (theme), jupiterx-core(plugin)
Developer: ArtBees
Affected Versions: JupiterX Theme <= 2.0.6 and JupiterX Core <= 2.0.6
CVE ID: CVE-2022-1656
CVSS score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Researcher(s): Ramuel Gall
Fully Patched Versions: JupiterX Theme 2.0.7 and JupiterX Core Plugin 2.0.7

This vulnerability allows an attacker to reduce site security or damage functionality.

Vulnerable versions of the JupiterX Theme allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin. This includes the ability to deactivate arbitrary plugins as well as update the theme’s API key.

Description: Authenticated Path Traversal and Local File Inclusion
Affected Software: JupiterX Theme and Jupiter Theme
Slug(s): jupiterx (theme), jupiter(theme)
Developer: ArtBees
Affected Versions: JupiterX Theme <= 2.0.6 and Jupiter Theme <= 6.10.1
CVE ID: CVE-2022-1657
CVSS score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Researcher(s): Ramuel Gall
Fully Patched Versions: JupiterX Theme 2.0.7 and Jupiter Theme 6.10.2

This vulnerability could allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, by including and executing files from any location on the site.

Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.

Description: Insufficient Access Control leading to Authenticated Arbitrary Plugin Deletion
Affected Software: Jupiter Theme
Slug(s): jupiter (theme)
Developer: ArtBees
Affected Versions: Jupiter Theme <= 6.10.1
CVE ID: CVE-2022-1658
CVSS score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Researcher(s): Ramuel Gall
Fully Patched Versions: Jupiter Theme 6.10.2

This vulnerability allows an attacker to reduce site security or damage functionality.

Vulnerable versions of the Jupiter Theme allow arbitrary plugin deletion by any authenticated user, including users with the subscriber role, via the abb_remove_plugin AJAX action registered in the framework/admin/control-panel/logic/plugin-management.php file. Using this functionality, any logged-in user can delete any installed plugin on the site.

Description: Information Disclosure, Modification, and Denial of Service
Affected Software: JupiterX Core Plugin
Slug(s): jupiterx-core (plugin)
Developer: ArtBees
Affected Versions: JupiterX Core Plugin <= 2.0.6
CVE ID: CVE-2022-1659
CVSS score: 6.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Researcher(s): Ramuel Gall
Fully Patched Versions: JupiterX Core Plugin 2.0.7

This vulnerability allows an attacker to view site configuration and logged-in users, modify post conditions, or perform a denial of service attack.

Vulnerable versions of the JupiterX Core plugin register an AJAX action jupiterx_conditional_manager which can be used to call any function in the includes/condition/class-condition-manager.php file by sending the desired function to call in the sub_action parameter.

Timeline

April 5, 2022 – The Wordfence Threat Intelligence team finishes our investigation of the Jupiter and JupiterX Themes. We release a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers. We contact the theme developer and send over the full disclosure.
April 28, 2022 – A partially patched version of the JupiterX theme and JupiterX Core plugin is released.
May 3, 2022 – We follow up with the theme developer about additional patches and notify them of an additional vulnerability we found in the Jupiter Theme.
May 4, 2022 – Firewall rule becomes available to Wordfence free users.
May 10, 2022 – Fully Patched versions of the Jupiter Theme and JupiterX Core plugin are released. We verify that all vulnerabilities are addressed.

Conclusion

In today’s article, we covered a number of vulnerabilities present in the Jupiter and JupiterX themes and the JupiterX Core companion plugin. The most severe vulnerability allows any logged-in user to easily gain administrator privileges.

Wordfence Premium, Wordfence Care, and Wordfence Response customers have been protected from these vulnerabilities since April 5, 2022, and free Wordfence users received the same protection on May 4, 2022.

We strongly recommend updating to the latest versions of the impacted themes and plugins available immediately.

Since several versions across several slugs are impacted, we’ll reiterate what you should update:

If you are running the Jupiter Theme version 6.10.1 or below, you should immediately update to version 6.10.2 or higher.

If you are running the JupiterX Theme version 2.0.6 or below, you should immediately update to version 2.0.7 or higher.

If you are running the JupiterX Core Plugin version 2.0.7 or below, you should immediately update it to version 2.0.8 or higher.

If you know anyone using the Jupiter theme or the JupiterX theme, we urge you to forward this advisory to them as the most severe vulnerability allows complete site takeover.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

The post Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes appeared first on Wordfence.

Millions of Attacks Target Tatsu Builder Plugin

Millions of Attacks Target Tatsu Builder Plugin

The Wordfence Threat Intelligence team has been tracking a large-scale attack against a Remote Code Execution vulnerability in Tatsu Builder, which is tracked by CVE-2021-25094 and was publicly disclosed on March 24, 2022 by an independent security researcher. The issue is present in vulnerable versions of both the free and premium Tatsu Builder plugin. Tatsu Builder is a proprietary plugin that is not listed on the WordPress.org repository, so reliable installation counts are not available, but we estimate that the plugin has between 20,000 and 50,000 installations. Tatsu sent an urgent email notification to all of their customers on April 7th advising them to update, but we estimate that at least a quarter of remaining installations are still vulnerable.

All Wordfence users with the Wordfence Web Application Firewall active, including Wordfence free customers, are protected against attackers trying to exploit this vulnerability.

We began seeing attacks on May 10, 2022. The attacks are ongoing with the volume ramping up to a peak of 5.9 million attacks against 1.4 million sites on May 14, 2022. The attack volume has declined but the attacks are still ongoing at the time of publication.

The following is a graph showing the total volume of attacks targeting the vulnerability in Tatsu Builder.

Graph showing attack volume against CVE-2021-25094

While the following is a graph showing the total number of sites being targeted by attackers trying to exploit the vulnerability in Tatsu Builder.


Description: Unauthenticated Remote Code Execution
Affected Plugin: Tatsu Builder
Plugin Slug: tatsu
Plugin Developer: BrandExponents
Affected Versions: < 3.3.13
CVE ID: CVE-2021-25094
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Vincent Michel (darkpills)
Fully Patched Version: 3.3.13

Indicators of Attack

Most of the attacks we have seen are probing attacks to determine the presence of a vulnerable plugin. These may appear in your logs with the following query string:

/wp-admin/admin-ajax.php?action=add_custom_font

The vast majority of attacks are the work of just a few IP addresses.

The top 3 attacking IPs have each attacked over 1 million sites:

148.251.183.254
176.9.117.218
217.160.145.62

An additional 15 IPs have each attacked over 100,000 sites:

65.108.104.19
62.197.136.102
51.38.41.15
31.210.20.170
31.210.20.101
85.202.169.175
85.202.169.71
85.202.169.86
85.202.169.36
85.202.169.83
85.202.169.92
194.233.87.7
2.56.56.203
85.202.169.129
135.181.0.188

Indicators of Compromise

The most common payload we’ve seen is a dropper used to place additional malware located in a randomly-named subfolder of wp-content/uploads/typehub/custom/ such as wp-content/uploads/typehub/custom/vjxfvzcd.

The dropper is typically named .sp3ctra_XO.php and has an MD5 hash of 3708363c5b7bf582f8477b1c82c8cbf8.

Note the dot at the beginning as this indicates a hidden file, which is necessary to exploit the vulnerability as it takes advantage of a race condition.

This file is detected by the Wordfence scanner.

What Should I Do?

All Wordfence users with the Wordfence Web Application Firewall active, including Wordfence free customers, are protected against this vulnerability. Nonetheless, if you use the Tatsu Builder plugin, we strongly recommend updating to the latest version available, which is 3.3.13 at the time of this writing. Please note that version 3.3.12 contained a partial patch but did not fully address all issues.

If you know anyone using the Tatsu Builder plugin on their site, we urge you to forward this article to them as this is a large-scale attack and any vulnerable sites that are not updated and not using some form of a Web Application Firewall are at risk of complete site takeover.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

The post Millions of Attacks Target Tatsu Builder Plugin appeared first on Wordfence.

PHP Object Injection Vulnerability in Booking Calendar Plugin

On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations.

We received a response the same day and sent over our full disclosure early the next day, on April 19, 2022. A patched version of the plugin, 9.1.1, was released on April 21, 2022.

We released a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers on April 18, 2022. Sites still running the free version of Wordfence will receive the same protection on May 18, 2022. We recommend that all Wordfence users update to the patched version, 9.1.1, as soon as possible as this will entirely eliminate the vulnerability.


Description: Insecure Deserialization/PHP Object Injection
Affected Plugin: Booking Calendar
Plugin Slug: booking
Plugin Developer: wpdevelop, oplugins
Affected Versions: <= 9.1
CVE ID: CVE-2022-1463
CVSS Score: 8.1(High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 9.1.1

The Booking Calendar plugin allows site owners to add a booking system to their site, which includes the ability to publish a flexible timeline showing existing bookings and openings using a shortcode, [bookingflextimeline].

The flexible timeline includes the ability to configure viewing preferences and options when viewing the published timeline. Some of these options were passed in PHP’s serialized data format, and unserialized by the define_request_view_params_from_params function in core/timeline/v2/wpbc-class-timeline_v2.php.

An attacker could control the serialized data via several methods:

  1. If a timeline was published, an unauthenticated attacker could obtain the nonce required to send an AJAX request with the action set to WPBC_FLEXTIMELINE_NAV and a timeline_obj[options] parameter set to a serialized PHP object.
  2. Any authenticated attacker could use the built-in parse-media-shortcode AJAX action to execute the [bookingflextimeline] shortcode, adding an options attribute in the shortcode set to a serialized PHP object. This would work even on sites without a published timeline.
  3. An attacker with contributor-level privileges or above could also embed the [bookingflextimeline] shortcode containing a malicious options attribute into a post and execute it by previewing it, or obtain the WPBC_FLEXTIMELINE_NAV nonce by previewing the [bookingflextimeline] shortcode and then using method #1.

Any time an attacker can control data that is unserialized by PHP, they can inject a PHP object with properties of their choice. If a “POP Chain” is also present, it can allow an attacker to execute arbitrary code, delete files, or otherwise destroy or gain control of a vulnerable website. Fortunately, no POP chain was present in the Booking plugin, so an attacker would require some luck as well as additional research in order to exploit this vulnerability. Nonetheless, POP chains appear in a number of popular software libraries, so many sites could still be exploited if another plugin using one of these libraries is installed.

Despite the lack of a POP chain and the complexity involved in exploitation, the potential consequences of a successful attack are so severe that object injection vulnerabilities still warrant a “High” CVSS score. We’ve written about Object Injection vulnerabilities in the past if you’d like to find out more about how they work.

Timeline

April 18, 2022 – We release a firewall rule to protect Wordfence Premium, Care, and Response customers. We initiate the disclosure process. The plugin developer verifies the contact method.
April 19, 2022 – We send the full disclosure to the plugin developer.
April 21, 2022 – A patched version of the Booking Calendar plugin, 9.1.1, is released.
May 18, 2022 – The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we covered an Object Injection vulnerability in the Booking Calendar plugin. Wordfence Premium, Wordfence Care, and Wordfence Response customers are fully protected from this vulnerability. Sites running the free version of Wordfence will receive the same protection on May 18, 2022, but have the option of updating the Booking calendar plugin to the patched version 9.1.1 to eliminate the risk immediately.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

The post PHP Object Injection Vulnerability in Booking Calendar Plugin appeared first on Wordfence.

Critical Remote Code Execution Vulnerability in Elementor

On March 29, 2022, the Wordfence Threat Intelligence team initiated the disclosure process for a critical vulnerability in the Elementor plugin that allowed any authenticated user to upload arbitrary PHP code. Elementor is one of the most popular WordPress plugins and is installed on over 5 million websites.

We sent our disclosure to the official Elementor security contact email address on March 29, and followed up on April 5, 2022. As we did not receive a response by April 11, 2022, we sent the disclosure to the WordPress plugins team. A patched version of the plugin, 3.6.3, was released the next day on April 12, 2022.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule protecting against this issue on March 29, 2022. Sites still running the free version of Wordfence will receive the same protection 30 days later, on April 28, 2022.


Description: Insufficient Access Control leading to Subscriber+ Remote Code Execution
Affected Plugin: Elementor
Plugin Slug: elementor
Plugin Developer: Elementor
Affected Versions: 3.6.0 – 3.6.2
CVE ID: CVE-2022-1329
CVSS Score: 9.9(Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 3.6.3

The Elementor plugin for WordPress introduced an Onboarding module in version 3.6.0, designed to simplify the initial setup of the plugin. The module uses an unusual method to register AJAX actions, adding an admin_init listener in its constructor that first checks whether or not a request was to the AJAX endpoint and contains a valid nonce before calling the maybe_handle_ajax function.

		add_action( 'admin_init', function() {
			if ( wp_doing_ajax() &&
				isset( $_POST['action'] ) &&
				isset( $_POST['_nonce'] ) &&
				wp_verify_nonce( $_POST['_nonce'], Ajax::NONCE_KEY )
			) {
				$this->maybe_handle_ajax();
			}
		} );

Unfortunately no capability checks were used in the vulnerable versions. There are a number of ways for an authenticated user to obtain the Ajax::NONCE_KEY, but one of the simplest ways is to view the source of the admin dashboard as a logged-in user, as it is present for all authenticated users, even for subscriber-level users.

This means that any logged-in user could use any of the onboarding functions. Additionally, an unauthenticated attacker with access to the Ajax::NONCE_KEY could use any of the functions called from maybe_handle_ajax, though this would likely require a separate vulnerability.

The function with the most severe impact was the upload_and_install_pro function. An attacker could craft a fake malicious “Elementor Pro” plugin zip and use this function to install it. Any code present in the fake plugin would be executed, which could be used to take over the site or access additional resources on the server.

In addition to this functionality, a less sophisticated attacker could simply deface the site by using the maybe_update_site_name, maybe_upload_logo_image, and maybe_update_site_logo functions to change the site name and logo.

Timeline

March 29, 2022 – We finish our investigation and deploy a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers. We send our full disclosure to the plugin developer’s official security contact.
April 5, 2022 – We follow up with the plugin developer’s security contact as we have not yet received a response.
April 11, 2022 – We send our full disclosure to the WordPress Plugins team.
April 12, 2022 – A patched version of Elementor is released.
April 28, 2022 – The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we covered a Critical vulnerability that allows any authenticated user to upload and execute malicious code on a site running a vulnerable version of the Elementor plugin. If your site is using the Elementor plugin, we urge you to update immediately. The good news is that the vulnerability is not present in versions prior to 3.6.0 and was successfully patched in 3.6.3.

Wordfence Premium, Wordfence Care, and Wordfence Response customers are fully protected from this vulnerability. Sites running the free version of Wordfence will receive the same protection on April 28, 2022, but have the option of updating Elementor to the patched version 3.6.3 to eliminate the risk immediately.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

If you know a friend or colleague who is using WordPress, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a Critical vulnerability that makes it easy for attackers to take over a site.

The post Critical Remote Code Execution Vulnerability in Elementor appeared first on Wordfence.

Critical Authentication Bypass Vulnerability Patched in SiteGround Security Plugin

Critical Authentication Bypass Vulnerability Patched in SiteGround Security Plugin

On March 10, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “SiteGround Security”, a WordPress plugin that is installed on over 400,000 sites. This flaw makes it possible for attackers to gain administrative user access on vulnerable sites when two-factor authentication (2FA) is enabled but not yet configured for an administrator.

Wordfence Premium, Wordfence Care, and Wordfence Response received a set of firewall rules on March 10, 2022 to provide protection against any attackers trying to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on April 9, 2022

After sending the full disclosure details to the SiteGround security team on March 10, 2022 a patch was released the next day on March 11, 2022. While the plugin was partially patched immediately, it wasn’t optimally patched until April 7, 2022.

Sites hosted on the SiteGround platform have automatically been updated to the patched version while those hosted elsewhere will require a manual update, if auto-updates are not enabled for the plugin. We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication.


Description: Authentication Bypass via 2-Factor Authentication Setup
Affected Plugin: SiteGround Security
Plugin Slug: sg-security
Plugin Developer: SiteGround
Affected Versions: <= 1.2.5
CVE ID: CVE-2022-0992
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: ​1.2.6

SiteGround Security is a plugin designed to enhance the security of WordPress installations via several features like login security including 2FA, general WordPress hardening, activity monitoring, and more. It’s also worth noting that it comes pre-installed on all SiteGround hosted WordPress sites. Unfortunately, the 2FA functionality of the plugin was insecurely implemented making it possible for unauthenticated attackers to gain access to privileged accounts.

When two-factor authentication is enabled, it requires all administrative and editor users to set-up two factor authentication. This requirement is triggered when the site’s administrative and editor users log into the site for the first time after 2FA has been enabled at which time they are prompted to configure 2FA for their account. This means that there will be a period of time between 2FA being enabled on a site and each user configuring it for the account.

During this interim period, attackers could hijack the 2FA set-up process. The plugin had a flaw that made it so that attackers could completely bypass the first step of authentication, which requires a username and password, and access the 2FA set-up page for users that had not configured 2FA yet.

It was as simple as supplying the user ID they would like to compromise via the sg-user-id parameter, along with a few other parameters to indicate that they would like to trigger the initial 2FA configuration process.

The following validate_2fa_login() function shows the process by which a user-supplied ID is validated. If the results from the check_authentication_code() function and the sg_security_2fa_configured user meta retuned false, which indicated that 2FA hasn’t yet been configured for that user, then the plugin would load the 2fa-initial-setup-form.php template which displays the QR code and 2FA secret needed to configure the authenticator app for the user supplied ID.

</pre>
<pre>public function validate_2fa_login( $user ) {
   // Bail if there is no valid user authentication.
   if ( ! isset( $_POST['sg-user-id'] ) ) { // phpcs:ignore
      return;
   }

   $result = $this->check_authentication_code( wp_unslash( $_POST['sgc2facode'] ), wp_unslash( $_POST['sg-user-id'] ) ); // phpcs:ignore

   // Check the result of the authtication.
   if ( false === $result ) {
      if ( 0 == get_user_meta( $_POST['sg-user-id'], 'sg_security_2fa_configured', true ) ) { // phpcs:ignore
         // Arguments for initial 2fa setup.
         $args = array(
            'template' => '2fa-initial-setup-form.php',
            'qr'       => get_user_meta( $_POST['sg-user-id'], 'sg_security_2fa_qr', true ), // phpcs:ignore
            'secret'   => get_user_meta( $_POST['sg-user-id'], 'sg_security_2fa_secret', true ), // phpcs:ignore
            'error'    => esc_html__( 'Invalid verification code!', 'sg-security' ),
            'action'   => esc_url( add_query_arg( 'action', 'sgs2fa', wp_login_url() ) ),
         );
      } else {
         // Arguments for 2fa login.
         $args = array(
            'template' => '2fa-login.php',
            'error'    => esc_html__( 'Invalid verification code!', 'sg-security' ),
            'action'   => esc_url( add_query_arg( 'action', 'sgs2fa', wp_login_url() ) ),
         );
      }

      $this->load_form( wp_unslash( $_POST['sg-user-id'] ), $args ); // phpcs:ignore
   }

   // Set the auth cookie.
   wp_set_auth_cookie( wp_unslash( $_POST['sg-user-id'] ), intval( wp_unslash( $_POST['rememberme'] ) ) ); // phpcs:ignore</pre>
<pre>

The authentication QR code and secret key displayed that would be displayed to potentially unauthorized users.

The returned QR code and secret key are the only things needed to connect the user account with an authentication mechanism, such as Google Authenticator. Attackers were able to use this to connect their authentication app with the account and successfully use a code to pass the “second factor of authentication.” This function would then set the user authentication cookies via the wp_set_auth_cookie() function using the user supplied ID from the sg-user-id parameter which effectively logs the attacker in as that user. Due to the default configuration of the plugin, this account would most likely be a privileged user like an administrator or editor. It’s also worth noting that the function returns the back-up codes which could be used via the weakness outlined in the next section.

To sum it up, there was no validation on the validate_2fa_login() function that the identity a user was claiming was in fact legitimate. As such attackers could bypass the first authentication mechanism, a username/password pair, which is meant to prove identity and successfully log in, due to a weakness in the second authentication mechanism, the 2FA process. When successful, an attacker could completely infect a site by exploiting this vulnerability.


Description: Authorization Weakness to Authentication Bypass via 2-Factor Authentication Back-up Codes
Affected Plugin: SiteGround Security
Plugin Slug: sg-security
Plugin Developer: SiteGround
Affected Versions: <= 1.2.4
CVE ID: CVE-2022-0993
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: ​1.2.6

In addition to the above outlined vulnerability, the method in which 2FA back-up code authentication was handled made it possible for attackers to log in if they were able to brute force a back-up code for a user or compromise it via other means such as SQL Injection.

Diving deeper, the plugin registered the validate_2fabc_login() function which validated the supplied backup code through the validate_backup_login() function using the user supplied user ID from the sg-user-id parameter along with the back-up code supplied via the sgc2fabackupcode parameter. If the back-up code was found in the array of stored back-up codes for that user, then the function would use the wp_set_auth_cookie() function to set the authentication cookies for the supplied user ID. If that user ID belonged to an administrator, the attacker would effectively be logged in as an administrator.

</pre>
<pre>public function validate_2fabc_login() {

   $result = $this->validate_backup_login( wp_unslash( $_POST['sgc2fabackupcode'] ), wp_unslash( $_POST['sg-user-id'] ) ); // phpcs:ignore

   // Check the result of the authtication.
   if ( false === $result ) {
      $this->load_form(
         wp_unslash( $_POST['sg-user-id'] ), // phpcs:ignore
         array(
            'template' => '2fa-login-backup-code.php',
            'action'   => esc_url( add_query_arg( 'action', 'sgs2fabc', wp_login_url() ) ),
            'error'    => esc_html__( 'Invalid backup code!', 'sg-security' ),
         )
      );
   }

   // Set the auth cookie.
   wp_set_auth_cookie( wp_unslash( $_POST['sg-user-id'] ), intval( wp_unslash( $_POST['rememberme'] ) ) ); // phpcs:ignore

Similarly to the previous vulnerability, the issue here is that there was no true identity validation for the authentication, which indicates an authorization weakness. The function performed no checks to verify that a user had previously authenticated prior to entering the 2FA back-up code, and as such they did not need to legitimately log in prior to being logged in while using a back-up code. This meant that there were no checks to validate that a user was authorized to use a back-up code to perform the second factor of authentication that would log them in.

Though the risk in this case is lower, the backup codes were 8 digits long and entirely numeric, so an attacker could potentially brute force one of the 8 back-up codes and automatically be logged in without knowing a username and password combination for an administrative user.

While this might not be practical to attempt on most servers, a patient adversary attacking a well-provisioned server capable of processing a large number of requests at once would have a high chance of eventually gaining access unless the brute force attempts were stopped by another mechanism, such as the Wordfence plugin’s built-in brute force protection or rate limiting rules.

Further, this vulnerability could be used in conjunction with another vulnerability, such as SQL injection, where an attacker would be able to compromise the 2FA back-up codes that are stored in the database and then subsequently use them to log in without needing to crack the password of an administrative user which would likely be significantly stronger. In both cases, the impact would be significant as an attacker could gain administrative access to the compromised WordPress site which could be used for complete site infection.

An Important Security Reminder: Audit Your WordPress Site’s User Accounts

This vulnerability serves as an important reminder to audit your WordPress site’s user accounts. This means identifying any old and unused user accounts that have been inactive for an extended period of time and/or are likely to never be used again and removing them or completely stripping the user’s capabilities. This vulnerability could easily be exploited on sites where the site owner enabled 2FA, which is required for all administrative and editor users, and had old inactive administrative/editor user accounts on the site that an attacker could target. Considering accounts that are no longer active are unlikely to log in after the 2FA setting has been enabled, the 2FA for those accounts would not be configured leaving the site ripe for exploitation by any attackers exploiting the vulnerability.

A situation involving a similar security issue involving insecure 2FA was reported by the CISA in conjunction with the FBI a few weeks ago, around the same time we discovered this vulnerability. In the Cybersecurity Advisory (CSA) by the CISA, it was disclosed that a threat actor was able to successfully brute force a dormant user’s account credentials, and due to a default 2FA setting that would allow dormant users to re-enroll a new device for 2FA during the next active log in, the threat actor was able to connect the 2FA secret to their own account and retrieve the code needed to pass the second factor of authentication. Once the threat actor gained initial access to the system they were able to escalate their privileges by exploiting the “PrintNightmare” vulnerability, which you can read more about here, and steal sensitive information from across the organization’s network. This goes to show that attackers are definitely looking for flaws like the one disclosed today to exploit and any site can be a target. As such, it’s important to actively maintain and validate the security of your site through regularly performed professional or self-conducted security audits and penetration tests, which is a service Wordfence provides. Security is an active and continuous process.

Timeline

March 10, 2022 – Conclusion of the plugin analysis that led to the discovery of two Authentication Bypass Vulnerabilities in the “SiteGround Security” WordPress plugin. We deploy firewall rules to protect Wordfence Premium, Wordfence Care, and Wordfence Response users. We send the full disclosure details to SiteGround in accordance with their responsible disclosure policy.
March 11, 2022 – The CTO of SiteGround responds indicating that a patch has been released. We review the patch and inform them that it is insufficient. They release an additional patch.
March 11, 2022 – A patched version of the plugin is released as version 1.2.3. We suggest further security enhancements to the functionality.
March 16, 2022 – An update is made that reduces the security of the 2FA functionality, we follow-up again to suggest better security enhancements to the functionality. The CTO assures us that they are working on it.
April 6, 2022 – A fully and optimally patched version of the plugin is released as version 1.2.6.
April 9, 2022 – Wordfence Free users receive the firewall rules.

Conclusion

In today’s post, we detailed a flaw in the “SiteGround Security” plugin that made it possible for unauthenticated attackers to gain access to administrative user accounts in instances where 2-Factor Authentication was enabled, though not yet fully set up, and in cases where an attacker could successfully brute force a back-up code. This could easily be used by an attacker to completely compromise a site. This flaw has been fully patched in version 1.2.6.

We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication.

Wordfence Premium, Wordfence Care, and Wordfence Response received a set of firewall rules on March 10, 2022 to provide protection against attempts by attackers to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on April 9, 2022

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both Wordfence Care and Wordfence Response include hands-on security support that provide you with ongoing assistance from our incident response team, should you need it.

Special thanks to the team at SiteGround, for responding swiftly and working quickly to get a patch out to protect their customers and working to further secure the 2FA component. 

The post Critical Authentication Bypass Vulnerability Patched in SiteGround Security Plugin appeared first on Wordfence.

Pin It on Pinterest