“All your WordPress are belong to us”

A severe bug reported in WordPress 4.9.3 is getting wider coverage, because it breaks the auto-update feature itself.

For several years now, WordPress has included an auto-update feature, since version 3.7 (October 2013) in fact. The CMS pulls down the latest release over HTTPS from the WordPress update API and automatically unpacks and installs it, but by default only for minor and security releases (for example 4.9.3 to 4.9.4). It will not move between major versions (such as 4.x to 5.0) unless an administrator opts in.
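As an added example (not code from the original article), the wp-config.php constants that govern this behaviour. The constants are the ones WordPress actually reads; which value you choose is a policy decision, and the weakest setting is shown last so it is not confused with a default.

```php
<?php
// Added example, not code from the original article. These are the constants
// WordPress reads from wp-config.php to decide what it may update on its own.

// With nothing set, the default applies: minor and security releases
// (4.9.3 -> 4.9.4) install automatically, major releases (4.9.x -> 5.0)
// wait for an administrator.

// Opt in to major releases as well (the same effect as returning true from
// the 'allow_major_auto_core_updates' filter in a must-use plugin):
define( 'WP_AUTO_UPDATE_CORE', true );

// Spell out the default explicitly instead:
// define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Never auto-update core. Typical for hosts that deploy from version control,
// who then need their own process to pick up security releases promptly:
// define( 'WP_AUTO_UPDATE_CORE', false );

// Switch off the automatic updater entirely: core, plugins, themes and
// translations. Avoid this unless something else guarantees timely patching.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );
```

Whichever value is set, the archive still comes from the same update server, so none of these settings changes the trust question discussed below; they only change how much arrives unattended.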

In principle this is a useful feature, particularly for users who are not tech savvy. Automated scanning for vulnerable CMS installations is cheap, easy and constant, so a site running a known-vulnerable version is found quickly. Once exploited, that site can host malware for other targets to pull down, making it an unwitting mule in broader attack campaigns. Closing the window between a fix being released and a fix being installed is exactly what auto-updates are for.

There are other, less obvious consequences. The first is that the risk is not eliminated but moved, as is so often the case in information security. With WordPress auto-updates, the integrity of the update source (api.wordpress.org) becomes the critical dependency.

Over 27% of the web is powered by WordPress, and by default the WordPress code retrieves its updates from that one server.

Every WordPress installation trusts the update URL and its SSL/TLS certificate, and performs no signature check on the download: whatever arrives is installed. TLS authenticates the server, not the file, so compromising that server means compromising the updates delivered to 27% of the web. That is a serious concern.
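The following is an added example, not WordPress code and not from the original article, of the difference between trusting the transport and verifying the payload. The publisher signs a small manifest (release version plus the SHA-256 of the archive) with an Ed25519 key that never touches the update server; the client ships with the public key pinned in its own source tree and refuses to install unless the signature verifies and the version is not a downgrade. It needs PHP 7.2 or later (bundled ext/sodium); the keys, archive bytes and version numbers are constructed in-memory for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from WordPress or the original article.
// Requires PHP 7.2+ with ext/sodium. All keys and archives below are constructed.

/** The manifest the publisher signs: release version plus the archive digest. */
function release_manifest(string $version, string $archive): string
{
    return $version . "\n" . hash('sha256', $archive);
}

/** Publisher side, run offline: detached Ed25519 signature over the manifest. */
function sign_release(string $version, string $archive, string $secretKey): string
{
    return sodium_crypto_sign_detached(release_manifest($version, $archive), $secretKey);
}

/**
 * Client side. Accept the archive only if
 *   1. the detached signature over (version, digest) verifies under the pinned key, and
 *   2. the version is newer than what is installed, so that an old but genuinely
 *      signed release cannot be replayed to roll the site back to a vulnerable one.
 */
function verify_release(
    string $version,
    string $archive,
    string $signature,
    string $pinnedPublicKey,
    string $installedVersion
): bool {
    // sodium throws on a malformed signature; reject it before that happens.
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    $manifest = release_manifest($version, $archive);
    if (!sodium_crypto_sign_verify_detached($signature, $manifest, $pinnedPublicKey)) {
        return false;
    }
    return version_compare($version, $installedVersion, '>');
}

/** The pattern the article describes: whatever arrived over HTTPS gets installed. */
function install_without_verification(string $archive): string
{
    return 'installed ' . strlen($archive) . ' bytes with no integrity check';
}

// --- Demonstration with constructed data -----------------------------------

$keypair   = sodium_crypto_sign_keypair();            // generated once, offline
$secretKey = sodium_crypto_sign_secretkey($keypair);  // stays off the update server
$pinnedPk  = sodium_crypto_sign_publickey($keypair);  // shipped inside the client code

$installed = '4.9.3';
$genuine   = "PK\x03\x04 constructed stand-in for the bytes of wp-4.9.4.zip";
$sig       = sign_release('4.9.4', $genuine, $secretKey);

// 1. Genuine archive with its genuine signature.
var_dump(verify_release('4.9.4', $genuine, $sig, $pinnedPk, $installed));

// 2. An attacker on the update server swaps the archive but has no signing key.
$tampered = $genuine . ' plus bytes appended by an attacker';
var_dump(verify_release('4.9.4', $tampered, $sig, $pinnedPk, $installed));

// 3. An attacker replays an older, genuinely signed release.
$oldSig = sign_release('4.9.2', $genuine, $secretKey);
var_dump(verify_release('4.9.2', $genuine, $oldSig, $pinnedPk, $installed));

// 4. The transport-only path accepts anything, which is the article's point.
echo install_without_verification($tampered), PHP_EOL;
```

The design choice worth noting is where the public key lives: if the client fetched it from the same server it fetches archives from, a compromise of that server would let the attacker replace both, and the check would prove nothing.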

Does that sound far-fetched? Apparently not: Wordfence discovered just such a vulnerability in November 2016. Reporting through HackerOne to WordPress, they received high praise and a bounty for finding a vulnerability in the code-sync capability on wordpress.org.

A weak hashing scheme and some painstaking investigative work allowed them to demonstrate that compromising api.wordpress.org was not only feasible but would deliver significant returns for an attacker.

Such a compromise has other serious potential as well. As Wordfence note in their report, beyond affecting 27% of the web, a malicious update could of course disable all future updates, leaving no automatic path back to a clean version. This underlines the fragility of such update mechanisms and the need for out-of-band update channels.

It is not just potential flaws in update servers that can be an issue. In February it emerged that version 4.9.3 of WordPress introduced a bug that caused a fatal error whenever WordPress attempted to run its own automatic update. The cause was human error. The effect is that once 4.9.3 is installed, the site never automatically updates again; the updater bails out every time. The only fix is to initiate a manual update to the latest version.

It is not clear how much of the WordPress install base is affected by the 4.9.3 bug, but those in a position to do something are taking steps. Google has recently started notifying site owners through Search Console that they need to update WordPress.

Aside from raising the stakes should a core update server be compromised, automatic updates can lull CMS users into a false sense of security. Managed CMS solutions still make sense as a consequence. Just as humans in the loop can inadvertently break automatic updates, humans in the security loop are needed to make sure sanity prevails.