Podcast 117: Cyber Attack on Colonial Pipeline Affects Fuel Availability in 17 States

A ransomware attack on Colonial Pipeline affected fuel availability in 17 southeastern US states, and Bloomberg reported that Colonial Pipeline paid $5 million to DarkSide, a Russian ransomware service provider. The Biden Administration issued an executive order to increase US cybersecurity defenses. WordPress 5.7.2 was released to patch a critical object injection vulnerability in PHPMailer. A critical vulnerability was patched in the External Media plugin, used by over 8K sites. Vulnerabilities were discovered affecting all WiFi devices, and a patch is available for a zero-day RCE under active attack in Acrobat Reader.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:21 Cyber Attack on Colonial Pipeline leads to executive order on cybersecurity
9:55 WordPress 5.7.2 Security Release
12:36 Critical Vulnerability Patched in External Media Plugin
14:29 All Wi-Fi devices impacted by new FragAttacks vulnerabilities
17:11 Zero-day patched in Acrobat Reader
17:57 Defiant is hiring
18:39 Wordfence K-12 Site Security Audit and Site Cleaning Program

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Episode 117 Transcript

Ram Gall:
Welcome to Think Like a Hacker, the podcast about WordPress security and innovation. I am Ram Gall, threat analyst at Wordfence, and with me is Director of Marketing, Kathy Zant. It’s another busy week. Are we still screaming?

Kathy Zant:
I haven’t stopped screaming. I think I’ve been screaming for about three weeks. This has been a crazy year with cybersecurity events. What’s going on, Ram?

Ram Gall:
Well, we’ve all heard about the cyber attack on the Colonial Pipeline that delivers oil and gas to most of the East Coast.

Kathy Zant:
It’s crazy, yeah. There was a cyber attack. I heard about it over the weekend. 17 states have declared states of emergency because this pipeline delivers fuel.

Ram Gall:
Things that make your car go.

Kathy Zant:
Exactly. You want to go to the grocery-

Ram Gall:
Car go juice.

Kathy Zant:
Car-go juice, yes. You want to go to the grocery store? You need the Colonial Pipeline to be delivering gas to your region.

Ram Gall:
You want trucks to drive stuff to your region, they need the gas too.

Kathy Zant:
Yes, perishable …. Florida is in the region that’s affected here. Florida is a major place where strawberries, oranges, perishable goods are being grown that need to be put on trucks and shipped around the country in order to feed people. So this has wide ranging effects across the entire Southeast. Gas prices in my region of the country are going up, even though we’re not directly affected, so this is definitely taking a toll. It looks like a Russian cyber crime group called DarkSide were behind the attack. Ram, you did some research on them. What do you know?

Ram Gall:
I guess they’ve been a little bit more low profile until now, though since the Colonial Pipeline, they’ve already attacked four more organizations or at least claimed credit for four more attacks. They do say they’re going to be a little bit more careful in picking their targets going forward.

Kathy Zant:
Oh, how nice of them.

Ram Gall:
They say that their goal is … I know, right? Their goal is to make money and not to create problems for society. “From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

Kathy Zant:
Oh, thanks DarkSide.

Ram Gall:
Thanks DarkSide. So it looks like Colonial Pipeline did actually pay them $5 million, and they provided Colonial with a decrypting tool to restore its computer system. But I guess it was so slow that the company continued using its own backups to help restore that system. This is why you should have a warm site instead of a cold site for your backups. I know it’s a little bit pricier, but if you’re doing something that’s critical to the entire Southeastern United States, then maybe you should have a warm site backup.

Kathy Zant:
Yeah. Explain the difference between a cold site backup and a warm site backup for the uninitiated.

Ram Gall:
Okay. So there’s basically three kinds of backups. There’s hot sites, which are very expensive, but generally let you more or less seamlessly switch over after an incident or disaster. There’s warm sites, which are usually more practical and most larger companies at least have a warm site backup, something where you can restore full or really close to full functionality within 24 hours or less. Then there’s cold site, which is where yeah, you have all the old stuff, but it might take a few days for the truck to come by and drop off your old hard drives.

Kathy Zant:
We were talking earlier about just basically this year, we’re already at middle of May, and it was around Christmas time when we heard about SolarWinds for the first time. It seems like this year is the year of cyber attacks and cyber incidents, supply chain attacks. Every week, we’re coming on this podcast and it’s like, oh my gosh, where do we start? It seems like we’re in this situation where it’s like that frog in the boiling pot. We’re in the state of all of these different cyber attacks happening, and it just keeps happening.

Kathy Zant:
It’s almost like we were talking earlier in a different podcast about breach fatigue. It’s not even affecting the stock prices of organizations anymore, and it just seems like this is just part of our life now. I feel like it shouldn’t be, and that there should be lessons like in this particular case with the Colonial Pipeline. We don’t know how the original intrusion happened, but we do know that DarkSide is a paid ransomware service. Can you explain a little bit how that works?

Ram Gall:
Well, basically what it means is that someone else would have gained access to Colonial’s network, and they wanted to monetize that access. So they hire DarkSide to basically ransom based on the access that they were able to gain.

Kathy Zant:
Okay, so somebody gained access. It could have been a very low privileged user that just escalated out of something. Could have been an unpatched Windows server that was attached to a network. It could have been bad passwords, shared passwords, no multi-factor authentication. It could have been anything that’s really like low key, right?

Ram Gall:
I do remember that someone who had performed an audit of their systems fairly recently, not even a security focused audit, disclosed that they’d seen some major security issues. I don’t want to say that you can stop all of these things just by doing the basics, but it looks like in this case, these guys may not have done all the basics. But I mean, it’s important to just do things like patch all systems, do strong authentication, especially multi-factor authentication, segment the network. You don’t always need to air gap. A lot of the time, just having, making sure that whatever sensitive systems are in a different VLAN, or even a physically separate network is useful, and conduct … do things like conduct tabletop exercises. Having a disaster recovery plan is really the most important thing. It’s just like, assume that something like this is going to happen and know what you’re going to do when it does.

Kathy Zant:
Right, and just have plans in place so that you have some business continuity. Just planning for an attack, expect that an attack is going to happen. It’s happening all over the place. We’ve got SolarWinds, we’ve got Codecov. We’ve got all kinds of situations happening that are trickling down into organizations. Maybe this is related to SolarWinds or Codecov. We don’t know that, but it’s just showing us … all of these incidents are showing us how important it is to have some kind of disaster recovery plans in place. It looks like our government is planning on pushing the envelope on that a little bit. What are they doing?

Ram Gall:
The White House has issued an executive order, more or less a plan for modernizing the government’s cyber security response. I actually checked the details and there is some decent stuff in there. It’s fairly detailed. A lot of it is already covered in existing NIST standards, but maybe isn’t implemented across the board, especially not by state and local governments. But what’s more interesting about this is the idea that they’re going to create a review board to conduct postmortems across agencies and also a rating system like ENERGY STAR or Underwriters Laboratories for judging software security and grading how secure software is.

Ram Gall:
I do think that that’s something that I don’t necessarily think has to be applied to all software, otherwise, no software would … Candy Crush probably doesn’t need to have a UL rating, but maybe it does, depending on how much data it collects. Anyways, but I do think that for mission critical stuff or things that impact infrastructure, yeah, it’s maybe not a bad thing that the software will take longer to write and be a little bit more expensive. If you can actually assure that it’s going to be done right is really the thing.

Kathy Zant:
Well, the thing that needs to get thrown in the balance is what’s the impact of the systems that are at play here? We’ve got this pipeline, dramatic impact throughout 17 States. The airline industry that you were talking about earlier, dramatic impacts if there’s a security issue there. So there’s definitely standards. I mean, I remember back in the 1970s, you remember the movie Airplane, a great comedy piece, one of my all-time favorites, but it was based on the fact that there was so much … so many scares that happened in the 1970s with plane crashes and things like that. These days, we don’t hear about that because there’s certain standards in place in order for safety and security in the airline industry. It almost seems that we’re in the … it’s like the 1970s of cyber attacks and cyber incidents now. We need that same standard to be applied across the board for software so that these kinds of impacts don’t happen.

Ram Gall:
From everything I understand, most agencies already follow these standards. I think it’s largely a case of how they’re implemented. I think that a lot of them are implemented in ways that maybe involved checking the box, but actually make it harder to actually get anything done. I think that some sort of review of these standards to figure out which things are actually super important and implement them, things like multi-factor authentication, isn’t a bad idea. So we’ll see where it goes with this. This could go horribly wrong as with anything involving implementing more standards. It could also really improve the security of a lot of systems. So I guess we’ll see.

Kathy Zant:
Yeah, it is the year of the cybersecurity wake up call, if you haven’t gotten it yet.

Ram Gall:
Speaking of such things and supply chain … potential supply chain issues, WordPress 5.7.2 just came out. It’s an emergency security release for all WordPress versions between 3.7 and 5.7.

Kathy Zant:
Right, and this was for a very specific vulnerability and PHPMailer. You took a deeper look at this. What do you know?

Ram Gall:
PHPMailer is what WordPress uses by default to send email. On its own, the vulnerability in the actual PHPMailer library itself is considered critical because you can use it for object injection, which is, as we’ve maybe discussed in previous episodes and certainly had some posts about, can be super dangerous and super critical. It basically was via the way that it processed UNC path names, the paths that Windows networks use to refer to network resources. So it’s the kind of thing that the way that WordPress actually uses PHPMailer and the way that most plugins use PHPMailer, this isn’t really going to be exploitable unless the stars align just right, because WordPress doesn’t really allow unrestricted access to the mailing system. Anything that does grant that would be considered a separate vulnerability on its own. So it looks like this would be fairly difficult to exploit for most attackers, unless they were already in your network and using your WordPress site that has been hardened, but that they somehow gained admin access to as a pivot point. Something like that, but still I understand why they released it.

Kathy Zant:
Yeah.

Ram Gall:
It could be super bad.

Kathy Zant:
Okay, could be super bad, but has a lot of different stars aligning that need to happen in order for it to be super bad. But this really does underscore the fact that the WordPress core team is taking security incredibly seriously. If any libraries do have critical vulnerabilities, even in a WordPress situation would not necessarily be, oh my gosh, all the sites are hacked, this is still something that they’re taking seriously and ensuring that all of the sites that are using WordPress are receiving an update to patch this.

Ram Gall:
Exactly. I don’t honestly expect any of our users are going to be impacted by this. I don’t expect to see this as an intrusion vector. I don’t know if it’s ever going to be exploited in the wild, but still good that they patch it just because there’s so many WordPress installations that someone’s maybe using WordPress for their intranet site, and they’ve got just the setup that an attacker could exploit to pivot or escalate their privileges or something like that, so

Kathy Zant:
Someone somewhere is vulnerable. Now we have a plugin that Chloe examined called External Media, and it looks like this is installed on about 8,000 sites. It had a critical vulnerability that was recently patched that could have been used by subscribers, even a site that had subscriber … anybody can subscribe, anyone can register for the site if that was open. This could be used to fully take over a site.

Ram Gall:
Yeah. I mean, the plugin is basically just designed to allow authors or anyone who’s writing posts on the site to add external media, external images, stuff like that. But didn’t really do any access controls to make sure that the people who are adding stuff were actually allowed to add stuff. That’s not necessarily the worst part of it. It also didn’t run checks on what files were being added. So you could add executable PHP files, which means you have to mix-

Kathy Zant:
With back doors?

Ram Gall:
Yes, with back doors, which means you get remote code execution, which means that your subscriber now owns your site.

Kathy Zant:
Got you, okay. Chloe, one of our threat analysts here at Wordfence, she’s taking a look at plugins, themes, all sorts of things out in the WordPress space and thanks to our premium subscribers who make that research possible so that we can find these types of vulnerabilities, make sure that firewall rules are written. Both premium and free subscribers to Wordfence are protected at the current moment of recording this podcast. I just want to say thank you to premium users for that research that you guys make possible to keep all of WordPress safer.

Ram Gall:
Definitely. I would not be able to find stuff or be on this podcast without you.

Kathy Zant:
Me neither. So it’s always good to thank them. Thank you guys for listening as well. So wifi devices, I love wifi. Wifi makes my phone work everywhere in my house, right?

Ram Gall:
Yeah.

Kathy Zant:
But what’s going on? This was a scary story. It looks like all wifi devices have some vulnerabilities.

Ram Gall:
Yeah, this is called the Frag Attacks. It’s by the guy who discovered the KRACK attacks a few years back, but this is basically a bunch of issues with how wifi devices reassemble fragmented data. The wifi signal might bounce around a little bit or lose a little bit of information, so they have to reassemble data from the pieces. It turns out that you can use that capability to … Even if you’re not on an encrypted network, you can still inject packets from pieces into an encrypted connection. It looks like the main way this would be weaponized would be to get a victim to use a malicious DNS server, so that you type in your bank’s domain and the malicious DNS server tells your computer, “Hey, here’s where your bank’s domain points to,” but it’s actually an evil site.

Kathy Zant:
Got you. Okay, is this something I need to worry about on my home network, or is this something I just need to worry about like at Starbucks?

Ram Gall:
Realistically, this … I mean, yes, an attacker could potentially drive by your house and tell your smart fridge to turn on. That’s another one of the things, by the way, is you can send commands to IoT devices, which is also scary depending on what they do and how hackable they are. So I could see that being a problem, but I think that this is more likely to impact enterprises. I think that this is more likely to impact being out and about. The same advice applies. If you’re just a normal user, it applies as if you’re using open networks. Only now, it also applies to secured networks, which is use a VPN, make sure that there’s a TLS certificate matching the site you’re visiting, that kind of thing.

Kathy Zant:
Okay, awesome. This is something that is going to keep people busy writing papers for DEF CON?

Ram Gall:
I think this is going to be yet another reason to not bring or to keep your phone turned off at DEF CON, or at least to not allow wifi to stay on. Which, I mean, you probably shouldn’t have your wifi or your Bluetooth on at DEF CON anyways, so. You should probably be running a VPN for your mobile data connection at DEF CON anyways, because people have spoofed towers in the past and yeah.

Kathy Zant:
Boy, DEF CON is just a whole other level of protecting you-

Ram Gall:
This is terrifying.

Kathy Zant:
Yeah, definitely.

Ram Gall:
Speaking of our final, this is terrifying, this week, it wouldn’t be a Think Like a Hacker podcast without a zero day, but hey, this time it’s not on Chrome, it’s on Acrobat Reader, which I’m pretty sure I have it installed on every computer I have. I’m pretty sure you do too.

Kathy Zant:
Yeah.

Ram Gall:
Update it because it’s a zero day that’s under active attack, at least limited amounts of active attacks in the wild. It’s a remote code execution, which means that they could possibly own your computer.

Kathy Zant:
Yikes.

Ram Gall:
Yeah, update Acrobat Reader. I’m not going to talk to you much more about it because there’s rarely any details about zero days other than that they’re happening, so.

Kathy Zant:
Yeah, but good for us to let everybody know. I will be updating my Acrobat immediately after recording this podcast. Thanks for joining me again, Ram.

Kathy Zant:
Hey, we’ve got some jobs that we’re hiring for. Still looking for someone to do security operations, the perfect person. We have very high standards there. Some PHP developers, QA role, helping us to ensure that all of the software that we write is meeting those very high standards. We’re still looking for someone to do some website performance research, and we still have our instructional designer role open. So if you like to develop courses, and you’re really into security, and you like managing that entire process, we’d love to talk to you. We’ll have links to those in our show notes, as well as links to all of our immense benefits here at Defiant.

Kathy Zant:
We’d also like to mention that we are still offering K through 12 site cleaning and site auditing for schools that are using WordPress. If you know of a school that’s using WordPress, they are government funded anywhere in the world, we would love to provide security services for them, make sure that they are secure as they are educating the next generation of WordPress users out there. So we’ll have links to that in our show notes as well. Anything else I’m missing?

Ram Gall:
I just want to say that when we say we have high standards, we really mean that we want people who have high standards for themselves. We’re not like certain FAANG companies where you must have graduated from Harvard. No, it’s more we want people who really want … expect the best of themselves.

Kathy Zant:
Yes, like us.

Ram Gall:
Like us.

Kathy Zant:
Very high standards. I have high standards for lots of things like comedy, and having a good time, and also be passionate about what we’re doing. I’m very passionate about WordPress and security and helping WordPress users get the most out of WordPress. That’s my standard, for myself.

Ram Gall:
Exactly.

Kathy Zant:
Thanks for joining us.

Ram Gall:
Talk to you next week.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.


WordPress 5.7.2 Security Release: What You Need to Know

On May 13, 2021 01:00 UTC, WordPress core released a security patch for a Critical Object Injection vulnerability in PHPMailer, the component that WordPress uses to send emails by default. If your site is set to allow auto updating of minor point releases, your site has probably already updated to WordPress 5.7.2.

While we do recommend updating WordPress immediately if you haven’t already, at this time we do not believe that most WordPress sites are likely to be exploitable by this vulnerability.

Don’t Panic

The vulnerability in question is an Object Injection flaw present in multiple versions of PHPMailer which has been given an identifier of CVE-2020-36326. It is similar to another vulnerability, CVE-2018-19296, that had been patched in an earlier version of PHPMailer.

We’ve written about Object Injection vulnerabilities in the past, and while they should be taken seriously, all Object Injection vulnerabilities require a “POP Chain” in order to cause additional damage. In order to exploit this vulnerability, additional software with a vulnerable magic method would need to be running on the site.

Assuming the presence of a POP chain, there are still more obstacles that would need to be bypassed in order to exploit this vulnerability. Although anyone with direct access to PHPMailer might be able to inject a PHP object, warranting a critical severity rating in the PHPMailer component itself, WordPress does not allow users this type of direct access. Instead, all access occurs through functionality exposed in core and in various plugins.

In order to exploit this, an attacker would need to find a way to send a message using PHPMailer and add an attachment to that message. Additionally, the attacker would need to find a way to completely control the path to the attachment. This automatically rules out built-in WordPress functionality and the functionality of most plugins, as even contact form plugins that allow file uploads and send attachments typically use the location of the uploaded file as the attachment and don’t allow users to directly control the attachment path.
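Since the exploit path described above depends on an attacker controlling the attachment path handed to PHPMailer, a plugin that accepts attachment paths can close that door before wp_mail() is called. The following is an added example written for this article, not WordPress or PHPMailer code; the function names are hypothetical, while wp_upload_dir() and wp_mail() are the real core functions.

```php
<?php
// Added example (not from the Wordfence article, WordPress core or PHPMailer):
// restrict attachment paths to plain local files under the uploads directory
// so that stream wrappers (phar://, ...) and UNC paths (\\host\share) never
// reach PHPMailer. Assumes WordPress is loaded; function names are hypothetical.

/**
 * Return a resolved, safe attachment path, or false if the candidate is rejected.
 */
function example_safe_attachment_path( $candidate, $base_dir = null ) {
    if ( ! is_string( $candidate ) || '' === $candidate ) {
        return false;
    }
    if ( null === $base_dir ) {
        $uploads  = wp_upload_dir();
        $base_dir = $uploads['basedir'];
    }
    // Reject any URL scheme / stream wrapper such as phar:// or ftp://.
    if ( preg_match( '#^[a-z][a-z0-9+.\-]*://#i', $candidate ) ) {
        return false;
    }
    // Reject UNC-style paths (\\server\share or //server/share) and null bytes.
    if ( 0 === strpos( $candidate, '\\\\' ) || 0 === strpos( $candidate, '//' )
        || false !== strpos( $candidate, "\0" ) ) {
        return false;
    }
    $real      = realpath( $candidate );
    $real_base = realpath( $base_dir );
    if ( false === $real || false === $real_base ) {
        return false;
    }
    // realpath() has resolved symlinks and "..": the file must sit under $base_dir.
    $real_base = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strpos( $real, $real_base ) ) {
        return false;
    }
    return is_file( $real ) ? $real : false;
}

/**
 * Send mail with only the attachments that passed the check above.
 * Anything rejected is silently dropped rather than passed through.
 */
function example_send_with_attachments( $to, $subject, $body, array $requested ) {
    $safe = array();
    foreach ( $requested as $path ) {
        $checked = example_safe_attachment_path( $path );
        if ( false !== $checked ) {
            $safe[] = $checked;
        }
    }
    return wp_mail( $to, $subject, $body, array(), $safe );
}
```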

In our assessment, successfully exploiting this vulnerability would require a large number of factors to line up, including the presence of at least one additional vulnerability in a plugin or other component installed on the site as well as the presence of a vulnerable magic method. We are also currently unaware of any plugins that could be used to exploit this vulnerability even as a site administrator.

This is unlikely to be used as an intrusion vector, though it is possible that it could be used by attackers who have already gained some level of access to escalate their privileges.

Nonetheless, we do strongly recommend updating to the latest version of WordPress as soon as possible, as the sheer number of WordPress installations in existence means that exploitable sites likely exist. Additionally, the vulnerability may be easier to exploit than originally anticipated, or the original researchers or other actors may release more detailed proof of concept code sometime in the future.

The Wordfence firewall’s Built-In PHAR Deserialization protection should protect all of our users, including Wordfence Premium customers as well as those still using the free version, against any attempts to exploit this vulnerability.

Conclusion

In today’s article, we covered an Object Injection vulnerability in PHPMailer, a software component used by WordPress to send email. We recommend updating WordPress core if you haven’t already, but we do not currently believe there is cause for alarm, and do not expect to see this vulnerability attacked at scale as it is dependent on a number of other factors to successfully exploit.

Special thanks to Wordfence Lead Developer Matt Barry and QA Lead Matt Rusnak for their assistance with this article.


Critical Vulnerability Patched in External Media Plugin

On February 2, 2021, our Threat Intelligence team responsibly disclosed the details of a vulnerability in External Media, a WordPress plugin used by over 8,000 sites. This flaw made it possible for authenticated users, such as subscribers, to upload arbitrary files on any site running the plugin. This vulnerability could be used to achieve remote code execution and take over a WordPress site.

We initially reached out to the plugin’s developer on February 2, 2021. After establishing an appropriate communication channel, we provided the full disclosure the same day. After several minor patches and follow-ups with the developer, a fully patched version was released as version 1.0.34.

This is considered a critical vulnerability. Therefore, we highly recommend updating to the latest patched version available, 1.0.34, immediately.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on February 2, 2021. Sites still using the free version of Wordfence received the same protection on March 4, 2021.

Description: Authenticated Arbitrary File Upload and Remote Code Execution
Affected Plugin: External Media
Plugin Slug: external-media
Affected Versions: <= 1.0.33
CVE ID: Pending.
CVSS Score: 9.9 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 1.0.34

External Media is a WordPress plugin designed to allow users to upload media files from external sources. Unfortunately, the plugin had a flaw that made it possible for authenticated low-level users like subscribers to upload PHP files from external sources. Any site allowing anyone to register as a subscriber was particularly vulnerable.

The plugin registered an AJAX action, wp_ajax_upload-remote-file, that was tied to the upload_remote_file function. This function was used to obtain the remote file’s name, URL, and caption, in addition to a few other fields.

public function upload_remote_file() {
  // Every value is taken straight from the POST body; the handler performs
  // no nonce check and no capability check before acting on them.
  $file = $_POST['url'];
  $plugin = $_POST['plugin'];
  $filename = $_POST['filename']; // never validated, so a .php name is accepted
  $caption = !empty($_POST['caption']) ? $_POST['caption'] : '';
  $referer = !empty($_POST['referer']) ? $_POST['referer'] : '';
  $loaded_plugin = $this->load_plugin( $plugin );
  // Hands off to the selected "plugin" class's download method, which in turn
  // calls save_remote_file to write the fetched file to the server.
  $this->_call_class_method( $loaded_plugin['phpClassName'], 'download', array( $file, $filename, $caption, $referer ) );
}

This information was used to load a “plugin” method to upload a file, and then trigger the download function which ultimately triggered the file upload function save_remote_file that saved the remote file to the server.

Unfortunately, there were no capability checks that verified whether a user had the appropriate capabilities to upload a file, which allowed any user logged in to a WordPress site running the plugin to upload files using the external media functionality. There were also no nonce checks, making it possible for an attacker to exploit this functionality using a cross-site request forgery attack.

In addition to missing capability and nonce checks, there was no validation on the filename that was being uploaded, which made it possible to set a PHP file extension. This effectively allowed authenticated users to upload PHP files to a vulnerable site that could be used for remote code execution, ultimately allowing an attacker to completely take over a vulnerable WordPress site.
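The three missing controls just described (nonce, capability, filename validation) map directly onto three checks in a hardened handler. The following is an added example written for this post, not the External Media plugin's code or its patch; it replaces the plugin's own download/save_remote_file path with the core download_url() and media_handle_sideload() helpers, and the function and nonce action names are hypothetical.

```php
<?php
// Added example (not the External Media plugin's code): a hardened version of
// the AJAX handler. All WordPress APIs used here are real core functions;
// example_* names and the nonce action string are hypothetical.

add_action( 'wp_ajax_upload-remote-file', 'example_upload_remote_file' );

function example_upload_remote_file() {
    // 1. Nonce check: defeats cross-site request forgery. The calling page must
    //    embed wp_create_nonce( 'example_upload_remote_file' ) as POST['nonce'].
    check_ajax_referer( 'example_upload_remote_file', 'nonce' );

    // 2. Capability check: subscribers do not hold upload_files, so they stop here.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    $url      = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $filename = isset( $_POST['filename'] ) ? wp_unslash( $_POST['filename'] ) : '';

    // 3. Only fetch from URLs WordPress considers safe (http/https, no local hosts).
    $url = wp_http_validate_url( $url );
    if ( false === $url ) {
        wp_send_json_error( 'Invalid URL', 400 );
    }

    // 4. Filename validation: drop any path components and require an extension
    //    on the site's allowed media list, which excludes .php and friends.
    $filename = sanitize_file_name( basename( $filename ) );
    $type     = wp_check_filetype( $filename, get_allowed_mime_types() );
    if ( empty( $type['ext'] ) || empty( $type['type'] ) ) {
        wp_send_json_error( 'File type not permitted', 400 );
    }

    // Fetch to a temp file and let core's sideload path (which re-checks the
    // file type against its contents) place it in the media library.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( $tmp->get_error_message(), 502 );
    }

    $file_array    = array( 'name' => $filename, 'tmp_name' => $tmp );
    $attachment_id = media_handle_sideload( $file_array, 0 );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp ); // media_handle_sideload only cleans up on success
        wp_send_json_error( $attachment_id->get_error_message(), 400 );
    }

    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
```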

Disclosure Timeline

February 2, 2021 – Conclusion of the plugin analysis that led to the discovery of a vulnerability in the External Media plugin. We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users prior to initiating contact with the plugin’s developer.
February 2, 2021 – The plugin’s developer confirms the inbox for handling discussion. We send over full disclosure.
February 15, 2021 – A newly updated version of External Media is released containing a partial patch. We inform the developer of additional enhancements that are required.
February 15, 2021 – May 5, 2021 – Several follow-ups with the developer who remains in contact with us. A few partial patches are released during this time.
March 4, 2021 – Free Wordfence users receive firewall rules.
May 5, 2021 – Fully patched version of the plugin is released.

Conclusion

In today’s post, we detailed a flaw in External Media that granted authenticated attackers the ability to upload arbitrary files onto a vulnerable site’s server and achieve remote code execution. This flaw has been fully patched in version 1.0.34. We recommend that all users immediately update to the latest version available, which is version 1.0.34 at the time of this publication.

Wordfence Premium users received firewall rules protecting against this vulnerability on February 2, 2021, while those still using the free version of Wordfence received the same protection on March 4, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a critical vulnerability that can lead to full site takeover.


Episode 116: Packagist Patch Shows How Supply Chain Threats Could Impact WordPress

A vulnerability discovered in Packagist, which is used by Composer to manage PHP package requests, could have allowed attackers to trick Composer into downloading backdoored source code, potentially affecting all WordPress sites. Packagist reports that it’s not aware of any exploits. A SQL injection vulnerability was patched in the CleanTalk AntiSpam plugin installed on over 100k sites. Vulnerabilities were discovered in Exim mail server, including 3 RCE vulnerabilities. We’re seeing some of the first trickle-down attacks from the Codecov supply chain attack, first from HashiCorp and then from Twilio. Apple releases iOS 14.5.1 to patch vulnerabilities in WebKit that are being exploited in the wild, a DDoS takes down Belgium, Peloton exposes customer information, and Signal taunts Facebook with a rejected advertising campaign.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
00:37 PHP Package Manager Flaw Left Millions of Web Apps Open to Abuse
03:22 SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin
06:11 21Nails: Multiple Critical Vulnerabilities in Exim Mail Server
09:01 Twilio discloses impact from Codecov supply-chain attack
12:40 Apple Is Having a Really Bad Time With iPhone Security Bugs This Year
15:04 Massive DDOS Attack Took Down Large Sections of a Country’s Internet
17:04 Data leak makes Peloton’s Horrible, No-Good, Really Bad Day even worse
18:27 Signal Wanted to Use Facebook’s targeted ads against it on Instagram
23:05 Wordfence K-12 Site Security Audit and Site Cleaning Program
23:30 Defiant is hiring


Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 116 Transcript

Ram Gall:
Welcome to Think Like a Hacker, the podcast about WordPress security and innovation. I am Ram Gall, threat analyst at Wordfence, and with me is director of marketing, Kathy Zant. Given the news stories today, I think the appropriate response is a nonstop drawn-out scream but we’ll get to that.

Kathy Zant:
Ahhh

Kathy Zant:
Is that right?

Ram Gall:
Ahhhhhhh

Ram Gall:
Yeah, kind of like that.

Kathy Zant:
Our transcriptionist is going to love that.

Ram Gall:
I am sure they will.

Kathy Zant:
Yeah, there’s a lot going on this week. When I first started looking at all of the stories that are happening out there, I was like, “Oh, wow, yeah, there’s … Oh my … Oh, oh my, there is a lot going on.” This first story about this PHP package manager flaw left millions of web apps open to abuse. Now it wasn’t abused, this wasn’t something that was under attack in the wild, but the potential of what it could do was pretty significant. Ram, can you tell me a little bit more about what this was?

Ram Gall:
So, I feel like everyone pretty much collectively dodged a bullet here. So basically, everyone who does PHP development uses Composer. It’s a dependency manager for PHP. Basically what that means is that, you’re a developer, you want to include a library to do some cool stuff so you don’t have to write it yourself, but someone else on the same site might be using that same library. So this is a way to stop you from treading on each other’s toes.

Kathy Zant:
Okay. It uses something called Packagist, what’s this?

Ram Gall:
Yeah, so Packagist basically figures out the correct supply chain for package downloads, where to get what. Basically the Packagist infrastructure serves about 1.4 billion download requests a month.

Kathy Zant:
And it looks like SonarSource was the one that discovered a vulnerability that would allow attackers to execute arbitrary system commands on the Packagist server. How would this affect anyone using PHP and using Composer?

Ram Gall:
It is really fortunate that they caught it and patched it within 12 hours of disclosure, because an attacker actually using this kind of thing maliciously, they could have redirected package downloads to third-party servers, delivering dependencies using backdoors, or stealing credentials. You remember that WordPress supply chain vulnerability that Matt Barry found and had Core patch?

Kathy Zant:
Yes. Yeah. That was quite a few years ago.

Ram Gall:
This would have been pretty much the same kind of issue, only instead of impacting just WordPress, it would have impacted most people with PHP, but also WordPress, because Core uses Composer. A lot of plugins that offer more than basic functionality use Composer, this would have been like SolarWinds plus the Codecov thing, times a thousand, yeah.

Kathy Zant:
Wow, yeah. So some of the statistics in this article that was on The Daily Swig say that PHP is running 80% of websites. And SonarSource estimated that about two thirds of these PHP projects use Composer. So this would affect all of WordPress, it would affect probably a number of other PHP-based content management systems. It could have had really dramatic effects for us in the web development world, that’s for sure. So we dodged a bullet, eh?

Ram Gall:
Yeah, we really dodged a bullet with that one. Speaking of which, I did find a pretty cool SQL injection vulnerability in the CleanTalk anti-spam plugin a little while back.

Kathy Zant:
You did. So, the CleanTalk anti-spam plugin is on over 100,000 WordPress sites. Tell me a little bit more about how you found this vulnerability and how it could have been exploited.

Ram Gall:
Okay. So basically CleanTalk records what IP addresses do, almost how we do, only they have more of a focus on spam comments and stuff like that. Anyways, whenever you visit a website, your browser sends a special string in the headers called the user agent. Basically it tells the website, “Hey, I’m running Firefox. Hey, I’m running Chrome. Hey, I’m running Chrome on mobile.” So, CleanTalk records that string. Problem is, it did so in a way that wasn’t super secure. So I found a way to inject SQL commands into that user agent string. Now, Chloe actually helped a lot with this. It took some doing to get an initial proof of concept to where I could just get basic commands run, but Chloe really filled that out and got the proof of concept to a point where I could actually extract information from the database and stuff. It was amazing.

Kathy Zant:
Wow. So we put out a special firewall rule for this. Now we have, in Wordfence, the firewall does block SQL injection attacks, but this one had a specific way that could have caused an issue. So we had a special rule put in place in order to ensure anyone running this particular plugin, with this particular vulnerability was protected. We put that out, what, on March 4th?

Ram Gall:
Correct. Yeah, it turns out that their initial clumsy attempts to sanitize the input actually made it so we needed an extra rule for it.

Kathy Zant:
Gotcha, okay. Then all of the customers who are using Wordfence, the free version, they have had this protection since April 3rd, so for about a month. So this is an older vulnerability, but some time has passed to ensure that it couldn’t be widely exploited. So we did publish some details about how this works and we do that, why? So that we can educate other people who develop plugins for WordPress, so we can show them what types of vulnerabilities could be exploited. This is done so that we could elevate secure coding practices in the WordPress world, right?

Ram Gall:
Yeah and I mean, to be fair, this was not an easy vulnerability to exploit. There were a number of obstacles in place that made it more difficult to exploit, but that just goes to show that anything short of using prepared statements can often be bypassed when it comes to sending SQL queries.

Kathy Zant:
Interesting. So you can take a look at that post on our website. Now this next story is on Qualys’ website, on their blog, their research, and what did they find in the Exim mail server?

Ram Gall:
So a little bit of background, Exim is basically a mail server that runs on Linux computers. According to a recent survey, it’s installed on about 60% of all the servers on the internet.

Kathy Zant:
Oh wow. That’s a lot.

Ram Gall:
Yeah. Yeah, it is. It’s basically the default mail server on a lot of Linux machines. So Qualys found 21 vulnerabilities, including three remote code executions, and some privilege escalation attacks. So far they haven’t seen anything exploited in the wild, which is really good, but this is again, installed on 60% of the internet and that means that some of these servers are not going to be updated for a long time or ever. So I do think that we’re going to start seeing some knock-on effects from unmaintained servers being exploited for this vulnerability.

Kathy Zant:
Gotcha, okay. So let me ask you a question about a remote code execution and Exim. If this was possibly exploited, that would actually give the attacker control over just the mail server or the whole server?

Ram Gall:
So the mail server, when I say mail server, I basically mean just the thing that serves up mail running on the actual server. So in this case, by combining some of these vulnerabilities, someone could attack any server that happened to be running this mail server program and take it over. 60% of all the servers on the internet are running this mail server program.

Kathy Zant:
Okay. So, I bet you some malicious attackers are reading this blog post and figuring out how they’re going to do this, because this seems like it could have some major impact in the future. Something like what happened with the Exchange Servers, Microsoft Exchange Servers recently, where these became actively attacked and ruined a lot of weekends, I think for ops people.

Ram Gall:
Yeah, yeah. I think the main difference is that with the Exchange Servers, it wasn’t installed on nearly as many networks, but they were much higher value networks. They were largely corporate networks, whereas Exim is basically just installed on almost everything else. But on the other hand, that’s still millions maybe even … Yeah well, a Shodan survey showed that only like four million Exim servers were obviously exposed to the internet, but there’s got to be tens of millions more given that 60% number.

Kathy Zant:
Right, right. So if you are managing a server, just log in and see if anything needs to be updated. If Exim is there, definitely make sure that you’re updating because this is going to be attacked. These are going to be researched and we’re going to start seeing things probably in the not so distant future. Just kind of like what happened with Codecov, huh?

Ram Gall:
Yeah, yeah. So we were worried about this and apparently Twilio’s repository got cloned and the attackers were able to at least breach customer emails. I guess the good news is that Twilio only used Codecov in a few of their systems, which meant that the attackers had limited access, but they were still able to use that access.

Kathy Zant:
Right, right. Just for some background, Codecov is a tool that people use to examine their code. It had an attack that started, what, in January? And they didn’t discover it until April. So someone was in those systems compromising over 29,000 customers’ code and their keys and credentials and whatnot. So we knew we would start seeing some trickle down effects from this. So we’ve got Twilio. Then you said there was actually another disclosure that happened with HashiCorp?

Ram Gall:
Yeah. HashiCorp, the company that makes Vagrant. I actually use it to manage virtual machines for test environments. But I guess their private key that they use to sign their software got compromised in the attack. So they had to cycle that out, which is really scary though, because if an attacker has that, they can sign a package and it’ll look legitimate. That was actually like the thing that made SolarWinds undetected for so long, is the attackers managed to sign the malicious SolarWinds programs, or the malicious Orion package, that’s why it didn’t get found for forever.

Kathy Zant:
Right, and a signed package, for the uninitiated, that basically means that it’s been digitally signed. There are secure markers there that say, “Yes, this is actually the software,” but because of the supply chain attack effect of this, there’s someone behind that who’s actually doing that signing with the keys that make it look legitimate and it’s not. Did I describe that?

Ram Gall:
You described that perfectly, and we actually did a Wordfence Live stream about this topic a few weeks ago if any of you listeners want to go check it out. But what this does show is that the attackers behind Codecov are definitely using the information to pivot into some of the impacted systems and taking it further, which is what we are afraid of. So, this is probably not the last we’re going to hear of this.

Kathy Zant:
Right, and when we first did that live stream, it was kind of like, “Well, are people really going to understand how big this really is?” Because, I mean, you’re developing WordPress sites and your Wordfence is there protecting your site and everything and, “What is this Codecov? What does this have to do with me?” Has everything to do with so many of us, even if you think it doesn’t because of the trickle down effects … and we’re seeing that happen now. So you might want to go back as Ram suggested and take a look at that episode and really understand what happened. Basically, what I take from that is that we need to start thinking about our security, not in terms of what we’re going to do if we get hacked, but when we get hacked, or when we have a security issue and plan for that security issue, like it actually is going to happen so that you have some kind of plans in place for continuity of your business. Plans in place to restore from a backup and being able to determine when the actual last good backup of what you want to restore is. Having all of those plans in place for your business, whether it’s just for your WordPress site or for all of your systems, really, we just need to start thinking about security in a different way.

Ram Gall:
Yeah. I mean, we really do. I mean, this year is the year of all the security issues impacting everyone. Even Apple’s having a bad time, they just released a new emergency patch to fix two vulnerabilities that were being exploited in the wild for iOS. I think it was in WebKit, or specifically the version of WebKit that gets used in Safari. But again, these were being actively exploited. I mean, there are a number of vulnerabilities in mobile operating systems that might be known of by governments and private vulnerability brokers. But at this point, once they’re being actively exploited in the wild, that means that someone else has gotten a hold of them and started actually attacking them without being worried about burning them. So in a way, that’s really bad, but in a way that’s also really good because it means they’re getting patched because those vulnerabilities were there the whole time. It’s just that now we know, and now they’re fixed.

Kathy Zant:
Yes, yeah. So I mean, security, it’s become one of those things that it’s not just for security professionals. Security is not just for Ram and Chloe to go find vulnerabilities. Security is for everyone. That’s one of the reasons why we do Wordfence Live, why we do the podcast, why we do put such an emphasis on education and information as a part of security, because in order for these types of things to be addressed, you have to be armed. You with an iPhone in your hand, you need to know that iOS 14.5.1 is out and you should apply that as soon as possible. That’s not something to wait on because these are being actively exploited and security is part of your job, whether you like it or not these days, huh?

Ram Gall:
Yeah. I mean, I understand that doing vulnerability research and reading through lines of code is not going to be everyone’s cup of tea ever, and that’s okay. But I don’t think it’s unreasonable to yet be able to say, “Oh hey, there’s an update. I should make sure that my auto updates are turned on,” and hope that there’s no supply chain attacks in the auto updates. Anyways, yeah, there’s no real winning, but there’s still better and worse.

Kathy Zant:
It’s part of your job, whether or not you are fabulously rich and famous and you don’t really have a job. You still, if you have a device in your hand that you’re using to connect to the internet in any way, shape or form, security is part of your job. It’s not something you can just kick down the road. It’s something you have to stay on top of.

Ram Gall:
Yeah, speaking of staying on top of it, it looks like Belgium had a bit of a problem with staying on top of keeping their internet up.

Kathy Zant:
Oh no, not Belgium. I like Belgium. They make good waffles.

Ram Gall:
And fries.

Kathy Zant:
And fries. Yeah, I’m all about the food, although it is lunch hour here. So what exactly happened? It looks like a distributed denial of service attack took down 200 organizations across Belgium, all of their websites?

Ram Gall:
Yeah. So I guess it targeted Belnet, which is their government-funded ISP, which basically provides internet access to their educational institutions, research centers, scientific institutes, government services. The good news is that it looks like the attackers were purely going for disruption. I guess they didn’t use it as a distraction for doing a data breach, or stealing any information, or changing anything, or infiltrating the network. They just took down the network.

Kathy Zant:
So they could say that they took down the network. Are we back to that again?

Ram Gall:
It’s unclear who was behind it, but it’s not uncommon for attackers providing these kind of services to do a proof of concept to show, “Hey, you want to hire us? We’re the people who were able to take down all of Belgium’s ISP.”

Kathy Zant:
Right, that is a service that exists. I don’t know if it’s on the dark web, or where people buy DDOS but-

Ram Gall:
Yeah, dark web.

Kathy Zant:
Is that where people buy it?

Ram Gall:
Yeah, DDOS as a service and you use it to distract people while you’re going in to infiltrate or steal other information.

Kathy Zant:
Because you know all of the security personnel are being hollered at by someone to get the network back up and so then all of their attention goes there. So it’s one of those look here, not there type of situations?

Ram Gall:
Yeah, but I do want to say that even if the motive seems to be reputation, that reputation is still going to be in the service of making money these days.

Kathy Zant:
Sure, it all comes down to the money, it does.

Ram Gall:
It’s a marketing exercise for whoever did this.

Kathy Zant:
Speaking of exercise marketing, hey, let’s talk about Peloton. I love that transition.

Ram Gall:
Oh, I see what you did there. So apparently Peloton’s API, basically their web interface exposed all kinds of user data, like user age, gender, how fit they were, how much they weighed, and apparently another piece of data that they’re not telling us about because it still hasn’t been fixed. But yeah, researchers apparently disclosed this to Peloton three months ago and they still haven’t fixed all of it. So yeah, great.

Kathy Zant:
Oh boy, they’ve had recalls with treadmills and all sorts of things. This is a company that has had a lot of issues and it looks like the fact that they’re taking three months to fix flaws that are exposing actual personally identifiable information of their customers is frightening. Maybe I’ll just go for walks or exercise instead of-

Ram Gall:
Yeah, and maybe skip the Fitbit. You never know who’s … Oh yeah, you remember that thing a few years ago where they discovered secret military bases based on the GPS activity of Fitbits?

Kathy Zant:
Yes, yes.

Ram Gall:
So fitness trackers are just generally a privacy nightmare. Speaking of privacy nightmares.

Kathy Zant:
Facebook. Let’s talk about Facebook. Facebook is the ultimate. They’re like the king of privacy nightmares. So it looks like Signal, which is basically a messaging app that is known in the security community as being the most secure way to communicate. Although, it’s still a system that’s-

Ram Gall:
Apart from the fact that they tell everyone you know, when you sign on for the first time, it’s like, “Hey, guess what? Ram, just got on Signal.” It’s like, “Thanks Signal. I’m glad I’m not a dissident.”

Kathy Zant:
The worst is when they tell … It’s like you sign on and it’s like, they tell everyone that you might be in their contacts list from years ago. It’s like, I don’t want some parent of my children that I haven’t talked to in five years to necessarily know I’m on Signal. They don’t need to know. But yeah, that’s always a little uncomfortable, but they decided to make things a little uncomfortable for Facebook. So, Facebook-

Ram Gall:
Yeah, they bought some Instagram ads, right?

Kathy Zant:
They did, they bought some Instagram ads. If you look at these Instagram ads, this article came from Engadget that we were looking at, these Instagram ads were hilarious because they basically exposed how much information Facebook and Instagram, which is part of Facebook, has about individual users. So one of the ads is, “You got this ad because you’re a newlywed, Pilates instructor and you are cartoon crazy. This ad used your location to see you’re in La Jolla. You’re into parenting blogs and you think about LGBTQ adoption.” It’s like, “How do you know this?” Well, they know it because that’s what Facebook and Instagram know about you as you use their platforms. Now, Facebook-

Ram Gall:
Remember, if it’s free, you are the product.

Kathy Zant:
Exactly.

Ram Gall:
Wait, Signal is also free. What does that mean?

Kathy Zant:
(Singing), we may have uncovered something.

Ram Gall:
(Singing).

Kathy Zant:
Anything that’s free. Yeah, definitely, you are the product. Your information in this case is the product and Signal is … These ads were disallowed by Facebook. Now, they would have been disallowed, I think on Instagram anyway, me being in marketing, I know that verbose text ads just don’t work on Instagram. We as a company, don’t do Instagram ads, but I have in the past and they want something visually appealing and big text ads are rejected by Instagram anyway, but everything got very spicy and dramatic with Signal and Facebook because-

Ram Gall:
Well, Moxie Marlinspike does like stirring the pot. That’s the guy behind Signal. Did you hear about that thing the other day, where he decided to announce that he was putting malware binaries in case law enforcement tries to decrypt your phone and crack Signal? One of the, okay, this was not actually a planned thing, there’s a company that makes hardware that law enforcement uses to crack open locked iPhones and locked Android devices. He found a couple of exploits in this hardware and …

Kathy Zant:
Nice.

Ram Gall:
Yeah, it was a whole thing.

Kathy Zant:
I love these kinds of stories because it shows just the dynamic nature of the internet and how information desires to be free and how there needs to be this free flow. It exposes privacy concerns. It exposes control and surveillance kinds of concerns and just brings it all out in the open because the thing is, as our privacy is diminished in this open world, so is the privacy of surveillance states. So is the privacy of the CIA, the FBI, all these three letter organizations that are doing spy types of things and are looking-

Ram Gall:
Information wants to be free and that is a wonderful and a terrible thing because it also means that all of your private information wants to be free too.

Kathy Zant:
Yes, but it means all of the people who want to do bad things, their information is free too and everything kind of comes to light. If you look around, you can see that, there’s a leveling of the playing field of information and it opens up interesting opportunities and I’ll leave it at that. I’m off my soap box.

Ram Gall:
Indeed. Well, we did spend a little bit of time on soap boxes because it’s Facebook and Instagram. That’s the best of soapboxes.

Kathy Zant:
Yeah, that’s why we couldn’t pass up the story. But I think that’s it. We do want to mention that we are still offering free site cleaning and site auditing services for K-12 schools worldwide. If you know of a school that could use that service, please let them know. We will have a link in the show notes so you can send that to them. Anybody who is having issues with WordPress security, we are there to support them. For the K-12 public schools especially, we do this for free. We would also like to mention that we’re hiring. Earlier this week, Mark did a great Wordfence Live episode, where he talked about the truly remote philosophy that he and Kerry, his wife and co-founder, have, and how Wordfence and Defiant is such an amazing place to work. So we have a number of roles available, security operations, PHP developers, QA, quality assurance, as well as a senior researcher for website performance. So go take a look there, defiant.com/employment, and you can see all of our amazing benefits there as well. How’s that coffee maker working for you?

Ram Gall:
It is pretty amazing. I make two pots of coffee a day now, instead of just one, which is, well …

Kathy Zant:
Highly caffeinated Ram is a fun thing in my mind.

Ram Gall:
I’m a menace. I’m a menace now.

Kathy Zant:
You’re an entertaining menace to me, but you’re amazing at the work you do. And to keep you caffeinated and happy is amazing as well. So if you want to come work with Ram, me, Chloe, Scott, Tim, Adam, there’s about 40 of us now, including all of the contractors, we’re having a great time and we’re keeping the world safer in the WordPress space, and we’d love to work with you. I guess that’s it, you want to talk again next week?

Ram Gall:
Yeah, yeah. We’ll see you all next week and bye for now.

Kathy Zant:
Bye-bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 116: Packagist Patch Shows How Supply Chain Threats Could Impact WordPress appeared first on Wordfence.

SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin

On March 4, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a Time-Based Blind SQL Injection vulnerability discovered in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin installed on over 100,000 sites. This vulnerability could be used to extract sensitive information from a site’s database, including user emails and password hashes, all without logging into the site.

We initially reached out to the plugin’s developer on March 4, 2021 and sent over the full disclosure on March 5, 2021. A patched version of the plugin, 5.153.4, was released on March 10, 2021.

Wordfence Premium users received firewall rules protecting against this vulnerability on March 4, 2021. Sites still running the free version of Wordfence received the same protection on April 3, 2021.


Description: Unauthenticated Time-Based Blind SQL Injection
Affected Plugin: Spam protection, AntiSpam, FireWall by CleanTalk
Plugin Slug: cleantalk-spam-protect
Affected Versions: < 5.153.4
CVE ID: CVE-2021-24295
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Fully Patched Version: 5.153.4

The CleanTalk WordPress plugin has a number of uses, but one of its primary purposes is to protect sites against spam comments. Part of how it does this is by maintaining a blocklist and tracking the behavior of different IP addresses, including the user-agent string that browsers send to identify themselves.

Unfortunately, the update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php, which was used to insert records of these requests into the database, failed to use a prepared SQL statement and instead interpolated the User-Agent value directly into the query string.

	public function update_log( $ip, $status ) {

		$id   = md5( $ip . $this->module_name );
		$time = time();
		
		$query = "INSERT INTO " . $this->db__table__logs . "
		SET
			id = '$id',
			ip = '$ip',
			status = '$status',
			all_entries = 1,
			blocked_entries = " . ( strpos( $status, 'DENY' ) !== false ? 1 : 0 ) . ",
			entries_timestamp = '" . $time . "',
			ua_name = '" . sanitize_text_field( Server::get('HTTP_USER_AGENT') ) . "'
		ON DUPLICATE KEY
		UPDATE
			status = '$status',
			all_entries = all_entries + 1,
			blocked_entries = blocked_entries" . ( strpos( $status, 'DENY' ) !== false ? ' + 1' : '' ) . ",
			entries_timestamp = '" . intval( $time ) . "',
			ua_name = '" . sanitize_text_field( Server::get('HTTP_USER_AGENT') ) . "'";
		
		$this->db->execute( $query );
	}

There were a number of features of the plugin code that made it more difficult to successfully perform a SQL injection attack.

By design, the update_log function should only have been executed a single time for each visitor IP address. However, it was possible to manipulate the cookies set by the plugin, sending an initial request to obtain a ct_sfw_pass_key cookie and then manually setting a separate ct_sfw_passed cookie and disallowing it from being reset.

Additionally, the vulnerable SQL query used INSERT rather than SELECT. Since data was not being inserted into a sensitive table, the INSERT query could not be used by an attacker to exploit the site by changing values in the database, and this also made it difficult to retrieve any sensitive data from the database.

Finally, the SQL statement used the sanitize_text_field function in an attempt to prevent SQL injection, and the User-Agent was included in the query within single quotes.

Despite these obstacles, we were able to craft a Proof of Concept capable of extracting data from anywhere in the database by sending requests containing SQL commands in the User-Agent request header. This exploit could be used by unauthenticated visitors to steal user email addresses, password hashes, and other sensitive information.

Prepared Statements are Crucial

We were able to successfully exploit the vulnerability in CleanTalk via the Time-Based Blind SQL Injection technique, which sends requests that “guess” at the content of a database table and instructs the database to delay the response or “sleep” if the guess is correct. For example, a request might ask the database if the first letter of the admin user’s email address starts with the letter “c”, and instruct it to delay the response by 5 seconds if this is true, and then try guessing the next letters in sequence. There are a number of other SQL injection techniques that can work around many forms of traditional input sanitization depending on the exact construction of the vulnerable query.

This is why it is essential to “prepare” any database queries before actually sending them to the database. Prepared statements isolate each query parameter and are by far the most effective defense against SQL Injection. Fortunately, WordPress offers an incredibly easy way to do this, by using the $wpdb->prepare() function. If you develop WordPress plugins, themes, or any other software that interacts with a database, regularly using prepared statements will ensure your software will be far more secure.
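As an added example (not the plugin’s actual patch and not code from the original post), here is the update_log function above rewritten around $wpdb->prepare(), so that the User-Agent and every other runtime value is bound as a parameter instead of being concatenated into the query. It assumes the global WordPress $wpdb object and that $this->db__table__logs holds a table name taken from the plugin’s own configuration, never from request data; the class name and the use of $_SERVER in place of the plugin’s Server::get() helper are this example’s own choices.

```php
<?php
// Added example, not the CleanTalk plugin's own code.
// Assumptions: $wpdb is the global WordPress database object and
// $this->db__table__logs is a table name from the plugin's configuration
// (not user-controlled), so it is the only piece concatenated as-is.

class Sfw_Log_Prepared_Example {
	private string $module_name = 'sfw';
	private string $db__table__logs;

	public function __construct( string $table ) {
		$this->db__table__logs = $table;
	}

	public function update_log( string $ip, string $status ): void {
		global $wpdb;

		$id      = md5( $ip . $this->module_name );
		$time    = time();
		$denied  = ( strpos( $status, 'DENY' ) !== false ) ? 1 : 0;
		// wp_unslash() undoes WordPress' magic-quotes slashing; sanitize_text_field()
		// still strips tags and control characters, but it is no longer the only
		// thing standing between the header and the SQL parser.
		$ua_name = isset( $_SERVER['HTTP_USER_AGENT'] )
			? sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) )
			: '';

		// Placeholders are deliberately unquoted: $wpdb->prepare() adds the quotes
		// and escapes each bound value itself, so a quote or a SLEEP() inside the
		// User-Agent ends up stored as data rather than parsed as SQL.
		// %s binds a string, %d binds an integer. On WordPress 6.2 or newer the
		// table name could be bound with the %i identifier placeholder as well.
		$sql = $wpdb->prepare(
			"INSERT INTO {$this->db__table__logs}
				SET id = %s,
					ip = %s,
					status = %s,
					all_entries = 1,
					blocked_entries = %d,
					entries_timestamp = %d,
					ua_name = %s
			 ON DUPLICATE KEY UPDATE
					status = %s,
					all_entries = all_entries + 1,
					blocked_entries = blocked_entries + %d,
					entries_timestamp = %d,
					ua_name = %s",
			$id,
			$ip,
			$status,
			$denied,
			$time,
			$ua_name,
			$status,
			$denied,
			$time,
			$ua_name
		);

		$wpdb->query( $sql );
	}
}
```

Adding zero to blocked_entries on a non-DENY status keeps the original counting behaviour while letting the same placeholder list serve both halves of the statement.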

Timeline

March 4, 2021 – Wordfence Threat Intelligence finishes researching a vulnerability in the CleanTalk plugin. We release firewall rules to Wordfence Premium customers and initiate contact with the plugin developers.
March 5, 2021 – We send over the full disclosure to the plugin developers.
March 10, 2021 – A patched version of the plugin is released.
April 3, 2021 – Sites still using the free version of Wordfence receive protection against this vulnerability.

Conclusion

In today’s post, we covered a SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk plugin which could be used to extract sensitive information from a site’s database and explained why using prepared statements is a critical best practice for plugin developers.

This vulnerability was patched in version 5.153.4, and we strongly recommend updating to the latest version of the plugin, 5.156 as of this writing, immediately.

Wordfence Premium users received firewall rules protecting against these vulnerabilities on March 4, 2021, while those still using the free version of Wordfence received the same protection on April 3, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this vulnerability allows a breach of any confidential data stored in a site’s database.

Special Thanks to Threat Analyst Chloe Chamberland for her instrumental role in developing the Proof of Concept exploit for this vulnerability.

The post SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin appeared first on Wordfence.
