WordPress, the content management system (CMS) used by many websites, has distributed important updates fully automatically since version 3.7 from 2013. A majority of CMS users use this feature, which is enabled by default if the hosting environment of the WordPress installation allows it, which is likely the case in almost all new installations today.
Security advocates rate automatic updates as extremely positive, as they at least keep the core functionality of the software up to date with the latest security updates, without the user having to worry about it.
However, the feature also poses a significant risk: if an attacker were able to take control of the WordPress servers, they could use the feature to install malicious code on millions of heavily visited websites in one fell swoop. With the now released update to version 5.2, the developers have put a stop to this scary attack scenario.
Worst case narrowly avoided for years
According to research, more than a third of the 10 million most visited websites on the net run on WordPress. Most of them will have automatic updates enabled. An attacker who gains control over the developers’ update servers could have taken control of millions of well-visited sites in one fell swoop.
Such an attack scenario is not as far-fetched as one might think. In 2017, for instance, hackers caused huge damage to the European economy by distributing the NotPetya Trojan via the update servers of the Ukrainian tax software MeDoc. And as early as 2016, the security company Wordfence had discovered a vulnerability in the update mechanism of the CMS that would have made such an attack on WordPress possible, and reported it to the WordPress developers.
Another security company, Paragon Initiative, has been working for years together with the CMS developers to close this vulnerability in WordPress. A two-year-old bug report by the company in the WordPress bug tracker states: “At the moment, an attacker who compromises api.wordpress.org may release a fake WordPress update and gain access to all WordPress installations on the Internet. It’s now two minutes to twelve (it was one minute to twelve, but then Wordfence security researchers found this vulnerability).” Two years after the Paragon Initiative’s bug report, the WordPress developers have now implemented its original recommendation and cryptographically secured WordPress updates.
Offline Digital Signatures
From version 5.2 onwards, WordPress uses so-called offline digital signatures to secure the auto-update packages. Every WordPress installation receives a public key with the update, with which it can verify the digitally signed WordPress update files in the future.
The files are signed with a secret key that only the core developer team of WordPress has access to and that cannot be found on the project’s web servers. This is intended to stop attackers who gain access to the update servers from outside from distributing their own code to WordPress users: since they do not have the developers’ secret key, they cannot manipulate the update packages distributed from there, even with access to the API server.
With the first update after version 5.2, WordPress will only issue a warning to the administrator of the installation if the signature of an update is not correct (soft fail). From the version after that, updates without valid signatures will no longer be installed at all (hard fail). The Paragon Initiative describes the details of this process in a detailed blog entry on the subject.
As a byproduct of the new feature for the core developers, plug-in developers can now use the crypto library sodium_compat, which ships with WordPress 5.2 and builds on the cryptography API Sodium, which in turn is based on the NaCl library of the crypto experts Daniel J. Bernstein and Tanja Lange. Sodium has replaced the mcrypt library in current versions of PHP; mcrypt is still used by many WordPress plug-ins but was abandoned by its original developers over ten years ago and is no longer updated.
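As an added illustration of the mechanism described above (example code, not WordPress core code and not the Paragon Initiative’s): an update package is signed offline with Ed25519 and verified on the installation, which holds only the public key, with the soft-fail/hard-fail switch following the rollout described in the article. It assumes the signed message is a SHA-384 digest of the archive and that the detached signature travels base64-encoded; both are assumptions of this example, not details the article gives.

```php
<?php
// Added illustration, not WordPress core code: an update package is signed
// offline with Ed25519 and verified on the installation, which only holds
// the public key. Uses PHP's ext/sodium functions (sodium_compat polyfills
// the same names on older PHP builds).

// --- Release side: run on an offline machine, never on the API server ---
$keypair   = sodium_crypto_sign_keypair();             // constructed for this demo
$secretKey = sodium_crypto_sign_secretkey($keypair);   // stays offline
$publicKey = sodium_crypto_sign_publickey($keypair);   // shipped inside WordPress

// Constructed stand-in for the bytes of an update archive.
$package = "PK\x03\x04 constructed update archive contents";

// Assumption for this example: the signed message is the SHA-384 digest of the
// archive, and the detached signature travels base64-encoded next to the file.
$signature = sodium_crypto_sign_detached(hash('sha384', $package), $secretKey);
$sigB64    = sodium_bin2base64($signature, SODIUM_BASE64_VARIANT_ORIGINAL);

// --- Installation side: decide whether the downloaded package may be installed ---
function verify_update(string $package, string $sigB64, string $publicKey, bool $hardFail): bool
{
    try {
        $sig   = sodium_base642bin($sigB64, SODIUM_BASE64_VARIANT_ORIGINAL);
        $valid = strlen($sig) === SODIUM_CRYPTO_SIGN_BYTES
            && sodium_crypto_sign_verify_detached($sig, hash('sha384', $package), $publicKey);
    } catch (SodiumException $e) {
        $valid = false;   // malformed base64 or signature counts as invalid
    }
    if ($valid) {
        return true;
    }
    if ($hardFail) {
        error_log('Update signature invalid: refusing to install');   // hard fail
        return false;
    }
    error_log('Update signature invalid: installed, administrator warned'); // soft fail
    return true;
}

// Genuine package: accepted under either policy.
verify_update($package, $sigB64, $publicKey, true);

// Package altered on the API server: the attacker cannot re-sign it because the
// secret key is not there. Soft fail installs with a warning, hard fail refuses.
$tampered = $package . ' injected bytes';
verify_update($tampered, $sigB64, $publicKey, false);
verify_update($tampered, $sigB64, $publicKey, true);
```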
The new digital signatures for WordPress updates are not a groundbreaking invention and have been state of the art in other software systems for years. Nor do they completely protect websites that use the CMS from attacks via the developers’ API server: if the developers’ secret key fell into an attacker’s hands, the attacker could still distribute malicious update code.
Such attacks, too, have been observed in the past with other software. Nevertheless, the new signatures are an important step in the right direction and significantly complicate attacks on users of what is by far the most popular web CMS. They make it a lot harder to hijack a third of the most popular websites on the net in one go.