WordPress Security: Haiku Updates

WordPress Security and Maintenance Release: 4.9.1

Nov. 20, 2017

Holidays are for:
Family, eating too much,
and security.

Don’t worry: you can stay distraction-free when dining with friends and family this holiday season, knowing that we have handled this WordPress security release update for you and your sites. Instead of worrying whether your site has been patched, you can be the one to bring it up at social gatherings and watch as your friends or family with WordPress sites become uncomfortable, not knowing whether their sites are secure.

Pagely customers will receive the WordPress 4.9.1 security release update this week. This security and maintenance release includes patches for multiple vulnerabilities, including cross-site scripting (XSS) and XML eXternal Entity (XXE) issues. This will also officially bring all customers up to the 4.9 branch from 4.8.3, unless you’ve previously written in requesting an upgrade to 4.9 in the last few weeks.

You can read more about this security release and specific details on what it includes here on the WordPress news blog, as well as more details on how we handle major WordPress releases (like 4.9) on our blog here: WordPress 4.9 Release.


WordPress 4.8.3

Oct. 31, 2017

WordPress Halloween.
We patch the tricks, 4 8 3
You get the treats. Boo!

There is nothing spookier than a WordPress security release. The 4.8.3 patch addresses an SQL injection vulnerability in WordPress core which could be exposed by insecure coding practices found in some plugins. This release hardens the WP Core code to protect sites that may harbor an insecure SQL query that trusts user input, sanitizing the input before it’s passed along to the database server.

More information on this release can be found on the WordPress blog. Details on the changes and how it modifies the return value of esc_sql() have been posted by Gary Pendergast on the Make WordPress Core developers blog.

Thanks go out to the reporter of the vulnerability (Anthony Ferrara) for working with the WordPress security team. And a special acknowledgement to our own Arman Zakaryan for the Haiku this time around.


OptionsBleed

Sept. 21, 2017

Memory Leaking
over OPTIONS requests sent.
This patch stops the leak.

The vuln-du-jour is called OptionsBleed and affects Apache2 web servers. It was caused by a programming oversight in the Apache2 server project which allowed small amounts of memory to be leaked when an OPTIONS request is sent to the web server. This bug only affects sites that are configured with a LIMIT directive which attempts to filter nonexistent HTTP methods. That configuration is extremely rare, but it does exist in just under 500 of the Alexa top 1 million websites. A more detailed write-up about this can be found here.

The Apache2 dev team wasted no time in providing a patch, which we have already begun applying to customer servers.

We are rolling this patch out slower than a normal security patch because it’s so rare for this misconfiguration to exist, and initial reviews of customer sites show no Pagely customers have misconfigured LIMIT directives which would put them at risk. That said, the patch will be applied in a safe manner over the next week so as to minimize any risk of downtime on customer sites related to the upgrade.
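A review of the kind described above can be scripted. The following is an added example, not Pagely's tooling or Apache project code: it scans Apache configuration or .htaccess text for Limit/LimitExcept blocks that name a method outside a known set. The function name, the sample file and the KNOWN_METHODS list are assumptions made for illustration.

```python
import re

# Assumption: method names a stock Apache httpd knows (core HTTP + WebDAV).
# Extend this set if a loaded module registers additional methods.
KNOWN_METHODS = {
    "GET", "HEAD", "PUT", "POST", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK",
    "UNLOCK", "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN",
    "UPDATE", "LABEL", "REPORT", "MKWORKSPACE", "MKACTIVITY",
    "BASELINE-CONTROL", "MERGE",
}

# Matches the opening tag of a <Limit ...> or <LimitExcept ...> section.
LIMIT_RE = re.compile(r"^\s*<\s*(LimitExcept|Limit)\s+([^>]*)>", re.IGNORECASE)


def find_unknown_limit_methods(config_text, known=KNOWN_METHODS):
    """Return (line_no, directive, method) for every method named in a
    Limit/LimitExcept opening tag that is not in the known set."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        match = LIMIT_RE.match(line)
        if not match:
            continue
        directive = match.group(1)
        for method in match.group(2).split():
            # Method names are case-sensitive, so "get" is not "GET".
            if method not in known:
                findings.append((line_no, directive, method))
    return findings


# Constructed sample .htaccess content, for illustration only.
SAMPLE_HTACCESS = """\
# Constructed sample .htaccess
<Limit GET POST>
    Require all granted
</Limit>
<Limit DELETE FOOBAR get>
    Require all denied
</Limit>
<LimitExcept GET POST>
    Require valid-user
</LimitExcept>
"""

if __name__ == "__main__":
    for line_no, directive, method in find_unknown_limit_methods(SAMPLE_HTACCESS):
        print(f"line {line_no}: <{directive}> names unknown method {method!r}")
```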


WordPress 4.8.2

Sept. 19, 2017

Within this release,
Nine security patches.
Sites are now secure

This week brings a security update to WordPress core.

The security patches address multiple serious vulnerabilities, and we are applying patches as soon as possible for customers. The WordPress core and security team have also released versions to address the patched vulnerabilities for the following versions: 4.8.2, 4.7.6, 4.6.7, 4.5.10, 4.4.11, 4.3.12, 4.2.16, 4.1.19, 4.0.19, 3.9.20, 3.8.22, and 3.7.22. Any customer of Pagely running older branches of WordPress will also be brought up to date with these security patches.


Malicious Code in Display Widgets

Sept. 13, 2017

We coined a new term:
“plugin identity theft”.
Let it not catch on.

A popular plugin in the WordPress.org repository has been “hijacked” (for lack of a better term) by a developer with suspicious intent. The popular plugin “Display Widgets” is described as “Adds checkboxes to each widget to show or hide on site pages”, yet in the last few releases some unexpected new features have been added, such as adding posts directly to the site and tracking site visitors. Wordfence, a security plugin, wrote a full explanation of how this might have happened; it’s worth a read here.

For our customers’ safety, we have banned the plugin from our customer sites. If your site hosted with Pagely was affected, we have already reached out directly to help you with the concern.

More information about the issue at hand with this plugin can be found on WPVULNDB and in the plugin’s support forum.

Update: The plugin team at WordPress.org has released a patched version of Display Widgets which reverts it back to the last known safe version, but there appears to be no author to continue maintenance on the plugin. The plugin will remain banned on our network until we see that someone has taken responsibility for the plugin and the future patching of its code.

Which plugins and themes aside from display-widgets should you avoid? See our full list here.


WordPress 4.7.5 Release

May 17, 2017

Patchy patchy patch
I love patches for WordPress
Here come the patches


ExploitBox’s CVE-2017-8295

May 5, 2017

Return to sender
sending to the wrong domain
read from HOST header.

There was a recently released authentication bypass vulnerability that affects WordPress versions up to and including 4.7.4, with specific server configurations. The attack requires a request to a WordPress site via its IP address, while the attacker sets the HTTP request header to their own HOST value. Pagely does not allow direct access to WordPress sites via IP address and requires the HOST field sent in the headers to be the actual site being requested, so a request with a HOST value controlled by an attacker will not be directed to a WordPress installation at Pagely.

Bonus Haiku:

Pagely hosted sites
are not affected by this
reported exploit.

For more details on the vulnerability and how it works, please read:

https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
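The routing rule described above (no access by IP address, and the HOST value must name a site actually being served) can be expressed as a small check. This is an added example, not Pagely's configuration or WordPress code; the function names, the set of served sites and the sample host values are assumptions.

```python
import ipaddress


def normalize_host(host_header):
    """Return the lowercase host name without port or trailing dot,
    or None if the Host value is malformed."""
    host = (host_header or "").strip().lower()
    if not host or any(c in host for c in " /\\@,"):
        return None
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:80
        end = host.find("]")
        if end == -1:
            return None
        rest = host[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        return host[1:end]
    name, sep, port = host.partition(":")
    if sep and not port.isdigit():
        return None
    return name.rstrip(".") or None


def is_ip_literal(name):
    """True if the name is an IPv4 or IPv6 address rather than a host name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def accept_request(host_header, served_sites):
    """Route a request to a site only when its Host value names a served site.
    Requests addressed by IP, or carrying an unknown Host, are refused."""
    name = normalize_host(host_header)
    if name is None or is_ip_literal(name):
        return False
    return name in served_sites


# Constructed sample: one served site and a few Host values to classify.
SERVED_SITES = {"example.com"}

if __name__ == "__main__":
    for value in ["example.com", "EXAMPLE.com:443", "203.0.113.10",
                  "attacker.example", "[2001:db8::1]:80", ""]:
        print(repr(value), "->", accept_request(value, SERVED_SITES))
```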


WordPress 4.7.3 Security Release

Mar. 6, 2017

XSS and more
bugs get patched in this release.
The update is done

  • Customer sites are being updated to address 6 security related issues.
  • Further details on the release can be found here: wordpress.org

CloudBleed, Shattered, CVE-2017-6074

Feb. 28, 2017

SHA One Collision
CloudFlare Leaking Memory
and Kernel Patching

Normally these Haikus are short and sweet, but it was a busy week for security in the headlines last week, so I took a little more time to compile the following information for you:

The CloudFlare Bug (A.k.a. “let’s not call it CloudBleed”)

A security researcher working for Google’s Project Zero disclosed information on a bug identified in CloudFlare’s services. In some cases the bug resulted in a trace amount of the contents of CloudFlare’s servers’ memory being leaked. This could have had major repercussions, as the contents of these servers may contain sensitive information being sent to or from the web server behind CloudFlare’s services (such as passwords, encryption keys, or other sensitive data). Many news outlets reported this as a catastrophe; however, CloudFlare patched its servers before the announcement and there have been no reports of this being attacked in the wild before the report by the Project Zero researcher.

Key points include that the data being leaked was not controllable by the attacker (it was always random, with no ability for an attacker to target a specific site’s data). The data was also limited to small chunks. The leaks, however, have likely been happening for a while, and no one knows how much data has been leaked to people looking for it or whether any widespread attacks could have gleaned any usable data from the memory leaks. Ultimately, while it’s possible every password, SSL cert, and secret key was pulled from CloudFlare’s servers using this attack, it’s not likely to be the case. Most probably, the researchers at Google’s Project Zero were the first to be aware of the problem and reported it responsibly to CloudFlare. However, it remains to be seen whether anyone reports malicious activity caused by these leaks in the weeks and months to come.

How could this affect you? If you utilize CloudFlare on your site (or utilized a service that used CloudFlare) and wish to be absolutely sure your private data (such as a password) is safe, then you may want to be proactive and change that password or other secret data.

The SHA-1 Collision: (A.k.a. “Shattered”)

A collision in the SHA-1 algorithm was reported by a different team at Google. SHA-1 is a cryptographic hashing algorithm, commonly used to validate the integrity of data being sent. The collision released by the team at Google showed that they were able to send two different messages that both validated with the same SHA-1 value, ultimately meaning that data signed or verified using a SHA-1 algorithm can no longer be trusted. There is some good news, however: this attack is fairly expensive to execute (over $100k) and SHA-1 has been on its way out for the better part of a decade. SHA-256 has already been established as the replacement and most people have already migrated to the more secure algorithm.

How could this affect you? If your site has SSL/HTTPS, then that certificate might be signed using SHA-1, but it is probably already signed using SHA-256 (as of 2015). If you would like to double check, you can always utilize a utility like ssllabs.com to look up your site’s SSL certificate and see what method is used to fingerprint it. If you find you are using SHA-1 only, then the fix is to get a new certificate (most likely whoever you purchased the certificate from will issue you a new one using SHA-256 without much hassle).

Secondarily, if you developed your site’s code explicitly using the sha1 function, then you may wish to swap that sha1 function with the sha256 function.

CVE-2017-6074

While CVE-2017-6074 did not have a cool name or website or lots of media coverage, it was a more serious threat. This flaw could allow anyone with access to a Linux server to escalate their privileges from a normal user to root on the server. Linux servers running up-to-date kernels (such as ours) were affected and we were very concerned about getting this patched for our customers. Luckily, we have been updating our infrastructure, and these kernel-based vulnerabilities no longer require reboots to apply new patches. We applied a patch to address this vulnerability on the same day it was made available and noted no issue with the new kernel code running.


WordPress 4.7.2 Security Release

Jan. 26, 2017

Sites updating now
we handle the patch. So you
focus on your site.

  • Customer sites are being updated to address 3 security related issues.
  • Further details on the release can be found here: wordpress.org

CVE-2016-5195 “Dirty COW”

Oct. 26, 2016

We have sent many
email notifications
about the reboot.

  • Kernel patches have been applied on our servers; however, a restart is required for them to take effect. Scheduled reboot notification emails have been sent out and reboots will take place the week of October 31st.
  • More information on the vulnerability can be found here: dirtycow.ninja

WordPress 4.6.1 Security Release

Sept. 12, 2016

The update happened
faster than I could write this
haiku about it.

  • All sites have been updated to address 2 security related issues.
  • Further details on the release can be found here: wordpress.org

httPoxy

Jul. 20, 2016

A pox on proxy
headers; that are misused by
some developers.


WordPress 4.5.3 Security Release

Jun. 21, 2016

WordPress 4.5.3
Several security
issues are addressed.

  • We are currently testing and rolling out this security update.
  • Further details on the release can be found here: wordpress.org

WordPress 4.5.2 Security Release

May 9, 2016

4 point 5 point 2;
Patch vulnerabilities
in cross site scripting

  • Updates on our platform are finishing up today.
  • Further details on the release can be found here: wordpress.org

CVE-2016-3714 “ImageTragick”

May 9, 2016

Image conversion
tragedy; is currently
patched by policy.


CVE-2016-2107 CVE-2016-2108

May 3, 2016

High Severity Vuln?
We patched openssl,
so you don’t have to.


Security Haiku: CVE-2015-7547

Feb. 19, 2016

Host lookup dangers?
No worry, we already
patched glibc

