WordPress version 4.8.3, released Oct. 31, fixes a serious security issue that could result in SQL injection attacks. Details about the vulnerability are now public, so attacks could soon follow.
“If you haven’t updated yet, stop right now and update,” Anthony Ferrara, VP of engineering at Lingo Live and the researcher who identified the flaw, said in a blog post.
According to the WordPress developers, the vulnerability exists in the behavior of the $wpdb->prepare() function and can lead to SQL injection attacks. This function is used in WordPress to prepare an SQL query, which can be built from user input, for safe execution. WordPress 4.8.2 and earlier versions are affected.
In its advisory, WordPress claims the flaw does not affect the core platform directly, but that the platform was hardened to increase the security of plugins and themes. However, Lingo Live’s Ferrara contends that the flaw does stem from WordPress’ core code, particularly from the fact that the system allows passing user input to the prepare function, which he argues is insecure by design and should be disallowed.
“The best path forward would be to switch to PDO/MySQLi [APIs for communicating with databases] and use real prepared statements and not emulate them in PHP land,” Ferrara said. “If that’s not acceptable, then at least move to a statement object style system where prepare returns an object which is then executed.”
This would make it impossible to “double prepare” a string, which can result in vulnerabilities. The method has already been adopted by other platforms such as phpBB to significantly reduce the risk of SQL injection.
“These changes won’t prevent misuse, but it will make it far harder,” Ferrara said. “It will make the default usage secure making developers go out of their way to make it insecure (where today is precisely the opposite).”
That’s a risky move fraught with potential frustration for users, however, as it would break a lot of existing plug-ins and other customizations that WordPress publishers rely on for their websites. The transition could instead be made gradually: a new API could be offered alongside the current one, with the old mechanism slowly deprecated.
Either way, there looks to be no painless path forward, because fixing issues with the current prepare mechanism also requires changes that break third-party code. In fact, Ferrara started looking at this problem after WordPress 4.8.2 added a fix for a prepare-related SQL injection issue and that patch ended up breaking many websites. He then realized that the fix was incomplete and that other exploit scenarios were still possible.
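The unsafe pattern the article describes is a query template that is built from variables (or that is itself the output of an earlier prepare() call) rather than a constant string with placeholders. The following audit script is an added example for this article, not code from WordPress core or from Ferrara's post: it tokenizes PHP source with PHP's built-in token_get_all() and reports every ->prepare() call whose first argument is not a constant template. The function names and the sample snippet it scans are constructed for the illustration; the one idiom it deliberately tolerates is interpolating a table-name property such as {$wpdb->posts}, which comes from the $wpdb object rather than from request data.

```php
<?php
// Added example, not code from WordPress core or from Ferrara's post. It flags
// ->prepare() calls whose query template is built from variables, concatenation or
// interpolation, or whose template is the output of another prepare() call
// ("double prepare"). Function names and the sample snippet are constructed here.

// True when the argument tokens form a constant query template. The WordPress
// idiom {$wpdb->posts} (a table-name property of the $wpdb object) is allowed.
function template_is_constant(array $arg): bool {
    $n = count($arg);
    for ($i = 0; $i < $n; $i++) {
        $t = $arg[$i];
        if (!is_array($t)) {
            // Only the delimiters of an interpolated string are acceptable here;
            // '.', '(' and anything else mean concatenation or a call.
            if ($t === '"' || $t === '}') continue;
            return false;
        }
        switch ($t[0]) {
            case T_CONSTANT_ENCAPSED_STRING:
            case T_ENCAPSED_AND_WHITESPACE:
            case T_CURLY_OPEN:
                continue 2;
            case T_VARIABLE:
                if ($t[1] === '$wpdb' && $i + 2 < $n
                    && is_array($arg[$i + 1]) && $arg[$i + 1][0] === T_OBJECT_OPERATOR
                    && is_array($arg[$i + 2]) && $arg[$i + 2][0] === T_STRING) {
                    $i += 2; // skip the "->posts" part of the table-name property
                    continue 2;
                }
                return false;
            default:
                return false;
        }
    }
    return $n > 0;
}

// Returns one ['line' => int, 'reason' => string] entry per suspicious prepare() call.
function audit_prepare_calls(string $source): array {
    $tokens = token_get_all($source);
    $n = count($tokens);
    $findings = [];
    for ($i = 1; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || $t[1] !== 'prepare') continue;
        $prev = $tokens[$i - 1];
        if (!is_array($prev) || $prev[0] !== T_OBJECT_OPERATOR) continue;
        // Skip whitespace and require the opening parenthesis of the call.
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) $j++;
        if ($j >= $n || $tokens[$j] !== '(') continue;
        // Collect the first argument up to a top-level ',' or the closing ')'.
        $arg = [];
        $depth = 0;
        for ($k = $j + 1; $k < $n; $k++) {
            $u = $tokens[$k];
            if ($u === '(') $depth++;
            elseif ($u === ')') { if ($depth === 0) break; $depth--; }
            elseif ($u === ',' && $depth === 0) break;
            if (is_array($u) && $u[0] === T_WHITESPACE) continue;
            $arg[] = $u;
        }
        // A nested prepare() in the template argument is the "double prepare" case.
        $double = false;
        foreach ($arg as $u) {
            if (is_array($u) && $u[0] === T_STRING && $u[1] === 'prepare') { $double = true; break; }
        }
        if ($double) {
            $findings[] = ['line' => $t[2], 'reason' => 'template is the result of another prepare() call (double prepare)'];
        } elseif (!template_is_constant($arg)) {
            $findings[] = ['line' => $t[2], 'reason' => 'template is not a constant string (variable, concatenation or interpolation)'];
        }
    }
    return $findings;
}

// Constructed sample: line 2 is the safe pattern (constant template, value passed as
// an argument); lines 3 to 5 are the patterns the audit is meant to flag.
$sample = <<<'PHP'
<?php
$row  = $wpdb->get_row( $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} WHERE ID = %d", $id ) );
$rows = $wpdb->get_results( $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} WHERE post_title = '$title'" ) );
$rows = $wpdb->get_results( $wpdb->prepare( 'SELECT ID FROM wp_posts WHERE ' . $where, $value ) );
$sql  = $wpdb->prepare( $wpdb->prepare( 'SELECT ID FROM wp_posts WHERE ID = %d', $id ) );
PHP;

foreach (audit_prepare_calls($sample) as $f) {
    printf("line %d: %s\n", $f['line'], $f['reason']);
}
```

Run it with `php audit.php` (any name will do). Only the call on line 2 of the sample passes, because its template is fixed at development time and the user-supplied value reaches the query solely through the %d placeholder; the other three calls are exactly the shapes the advisory and Ferrara's post warn about, and a check like this is cheap to run across a site's plugin and theme directories before an upgrade.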
Ferrara claims that, beginning Sep. 20, he tried, initially without much success, to get the WordPress team to properly fix the underlying vulnerability. After allegedly ignoring and closing his report in the first several weeks, the WordPress team eventually started working on measures to remediate the flaw after Ferrara threatened full disclosure.
After some back and forth, the WordPress developers, who didn’t seem to understand the full scope of the problem, proposed yet another incomplete fix. Eventually, a security team member with the right knowledge came along as Ferrara was preparing to go public with the vulnerability details.
“It became clear to me that releasing a partial fix was worse than no fix (for many reasons),” Ferrara said, in a blog post that includes the full disclosure timeline. “So I decided the only way to make the team realize the full extent was to Full Disclosure the issue. I started the process of going public by asking for Hosts and Plugin Developers to reach out to me so that we could coordinate the release. During the planning steps of the FD, the WP team started constructive discussions again.”
The resulting fix also breaks some websites, because it changes the behavior of the esc_sql() function. On this comment thread, third-party developers are reporting difficulty making their older code work with the new behavior.
Ferrara said he understands that many of the WordPress developers are volunteers, but thinks it’s a problem that a content management system that powers a quarter of the websites on the internet isn’t staffed with full-time security personnel.
“Volunteers are amazing and can only do so much,” he said. “At some point, it comes down to the companies making money off of it and not staffing it that are ultimately the biggest problem.”
New Boot-Level Ransomware Used to Cover Targeted Attacks
Security researchers have found a new ransomware threat that encrypts hard-disk drives during a computer’s boot stage. The researchers believe the ransomware was likely used to destroy evidence as part of a more elaborate hacking operation that struck organizations in Japan.
The Japanese attacks occurred over at least nine months and began with spear-phishing emails that carried Microsoft Office documents that attempted to install Ammyy Admin, a legitimate remote access tool (RAT), according to researchers from security firm Cybereason.
Ammyy Admin was also used in earlier attack campaigns, possibly perpetrated by the notorious Carbanak group, against financial institutions. At one point even the Ammyy Admin developer fell victim to a supply-chain attack that resulted in a trojanized version of the RAT being distributed from its official website.
Cybereason researchers believe the group behind the recent Japanese attacks used Ammyy Admin and other hacking tools to harvest credentials, move laterally through the compromised networks and gain access to domain controllers.
“We suspect that the threat actor used the NSA-leaked exploit EternalBlue, in conjunction with other tools to spread throughout the network,” the researchers said in a blog post. “Due to the data corruption and robust log wiping, it cannot be confirmed with absolute certainty; however, it was found that the MS17-010 security update (released in March 2017) was not installed on the compromised machines at the time that attacks took place (July-September 2017).”
The ransomware component was deployed only in the final stages of the attack when the hackers were probably seeking to destroy traces of their activity. On most computers, the hackers installed a typical user-mode ransomware program dubbed ONI, but on a few critical systems such as domain controllers, attackers deployed a boot-level ransomware program that encrypted the entire hard disk drive.
This more advanced ransomware program has been dubbed MBR-ONI by the Cybereason researchers and is based on the legitimate open-source disk encryption tool DiskCryptor, which was also used as part of the recent Bad Rabbit ransomware attacks.
“Classifying ONI and MBR-ONI merely as ransomware leaves some open questions regarding the observed attacks,” the researchers said. “There’s enough evidence to suggest that ONI and MBR-ONI worked more like [a] wiper attempting to cover up an ongoing hacking operation by destroying data instead of a ransomware attack that encrypted files.”
The researchers believe ONI and MBR-ONI point to a concerning global trend in which ransomware is used with other motives in targeted attacks by cyberespionage groups or nation-states rather than cybercriminals looking to make money. Like the data wipers before them, ransomware programs can be used to destroy evidence or intentionally cause disruptions to business operations.