Recently, a critical vulnerability in the popular LiteSpeed Cache WordPress plugin, threatening the safety of over 5 million active installations worldwide, has come to light. This critical flaw, assigned the identifier CVE-2024-28000, enables unauthorized attackers to escalate their privileges and gain administrative access. This article examines the details of this vulnerability, its potential consequences, and the steps website owners must take.
The Vulnerability’s Origins
The vulnerability’s roots can be traced back to a user simulation feature within the LiteSpeed Cache plugin, designed to facilitate site crawling and cache pre-population. Ironically, this functionality, intended to enhance performance, inadvertently introduced a significant security risk because the security hash mechanism protecting the feature was weak.
Weak Security Hash
At the core of the vulnerability lies the plugin’s reliance on a flawed security hash generation process. This hash, meant to safeguard the user simulation feature, suffers from several critical shortcomings that render its possible values predictable and known:
- Non-cryptographic Random Number Generation: The random number generator employed to create the security hash is seeded with the microsecond portion of the current time, resulting in a limited range of only 1 million potential seed values.
- Lack of Salting and Request-Specific Binding: The security hash is generated once and stored in the database without any salting or connection to a particular request or user, remaining static indefinitely.
- Deterministic Nature: Due to the non-cryptographic random number generation and the absence of salting, the “random” values produced by the generator are fully deterministic, given the known seed.
Consequently, with only 1 million possible hash values, all of which are known and identical across environments and websites, the security mechanism becomes alarmingly vulnerable to brute-force attacks.
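As an added illustration, not the plugin's own source, the following PHP contrasts a hash seeded from the microsecond clock, as the article describes, with one drawn from random_bytes and compared with hash_equals; the function names and the character alphabet are assumptions for this example.

```php
<?php
// Added illustration (not the plugin's source): a hash seeded from the
// microsecond clock, as the article describes, beside a hash drawn from the
// OS CSPRNG. Function names and the alphabet are assumptions for this example.

const HASH_ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';

// Weak pattern: the only entropy is the microsecond value, 0..999999, so the
// generator has exactly 1,000,000 possible states no matter how long the hash.
function weak_hash(int $usec, int $length = 6): string {
    mt_srand($usec);
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= HASH_ALPHABET[mt_rand(0, strlen(HASH_ALPHABET) - 1)];
    }
    return $out;
}

// Where such a seed comes from: the sub-second part of the clock.
function microsecond_seed(): int {
    return ((int) (microtime(true) * 1000000)) % 1000000;
}

// Hardened pattern: 16 bytes from random_bytes(), hex-encoded to 32 characters,
// giving 2^128 possible values that no clock value can reproduce.
function strong_hash(): string {
    return bin2hex(random_bytes(16));
}

// Constant-time comparison so a validator does not leak a timing signal.
function hash_matches(string $expected, string $supplied): bool {
    return hash_equals($expected, $supplied);
}

// Determinism: the same seed yields the same hash on any site running the same
// PHP version, which is what makes the candidate set identical everywhere.
$seed = microsecond_seed();
var_dump(weak_hash($seed) === weak_hash($seed));      // same seed, same hash
var_dump(strlen(strong_hash()) === 32);               // 32-character hash
var_dump(hash_matches(strong_hash(), strong_hash())); // two independent draws
```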
Vulnerability: A Step-by-Step Breakdown
The exploitation process begins with triggering the generation of the security hash, even when the plugin’s crawler feature is disabled. Remarkably, an unprotected Ajax handler within the plugin allows any unauthenticated visitor to initiate this process, effectively rendering all LiteSpeed Cache installations susceptible.
Once the hash is generated, an attacker can launch a brute-force attack by iterating through the known 1 million possible hash values and passing them in the litespeed_hash cookie, along with the target user ID in the litespeed_role cookie. By sending POST requests to the WordPress REST API’s /wp/v2/users endpoint, the attacker can create a new administrator-level user account upon discovering the valid hash value, indicated by an HTTP 201 response status code.
Strengthening Security Measures
In response to the reported vulnerability, the LiteSpeed team implemented several security enhancements in version 6.4.1 of the plugin:
- Additional Hash Validation: The plugin now validates the hash value from the async_call-hash option in the Router::async_litespeed_handler() function.
- One-Time Hash Usage: A new litespeed_flash_hash value was introduced, serving as an additional hash check with a time-to-live (TTL) of 120 seconds, preventing reuse.
- Increased Hash Length: The length of the async_call-hash, litespeed_flash_hash, and litespeed_hash values has been increased to 32 random characters.
- Crawler Role Simulation Enhancements: For crawler role simulation, the plugin now generates a new hash for each crawl, and upon successful validation, stores the requesting IP address for subsequent validations.
While these measures significantly enhance the plugin’s security posture, further improvements, such as implementing the hash_equals function for constant-time comparison and utilizing a more secure random value generator like random_bytes, have been recommended to the LiteSpeed team.
Lessons Learned
This vulnerability serves as a stark reminder of the critical importance of adhering to secure coding practices, particularly when dealing with security-related features like hashes and nonces. The rand() and mt_rand() functions in PHP, while suitable for many use cases, are not sufficiently unpredictable for security-sensitive applications.
Hash validation should also employ the hash_equals function to prevent timing attacks, and hashes should have an appropriate length, with a minimum of 32 characters recommended. Furthermore, sensitive Ajax actions must always implement robust authorization checks to mitigate potential vulnerabilities.
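The mitigations listed under Strengthening Security Measures and the lessons above, brought together as an added example that is not the plugin's code: a single-use 32-character hash with a 120-second TTL, checked with hash_equals, issued only from an Ajax action that verifies a nonce and a capability. Option and function names are assumptions for this example; the WordPress functions called are the real WP API.

```php
<?php
// Added example (not the plugin's own code) of the checks the article calls
// for: a 32-character hash from a CSPRNG, a single-use "flash" hash with a
// 120-second TTL, constant-time comparison, and nonce plus capability checks on
// the Ajax action that issues it. Option and function names are assumptions;
// get_option/update_option/delete_option, check_ajax_referer, current_user_can
// and wp_send_json_* are the real WordPress API.

const FLASH_HASH_OPTION = 'example_flash_hash'; // assumed option name
const FLASH_HASH_TTL    = 120;                   // seconds, the TTL from 6.4.1

// Issue a fresh 32-character hash and record when it was issued.
function issue_flash_hash(): string {
    $hash = bin2hex(random_bytes(16));           // 16 CSPRNG bytes = 32 hex chars
    update_option(FLASH_HASH_OPTION, ['hash' => $hash, 'issued' => time()], false);
    return $hash;
}

// Validate a supplied hash exactly once. Expired or matching values are
// removed, so a hash cannot be replayed after it has been used.
function consume_flash_hash(string $supplied): bool {
    $stored = get_option(FLASH_HASH_OPTION);
    if (!is_array($stored) || !isset($stored['hash'], $stored['issued'])) {
        return false;                            // nothing outstanding
    }
    if (time() - (int) $stored['issued'] > FLASH_HASH_TTL) {
        delete_option(FLASH_HASH_OPTION);        // expired: discard, do not compare
        return false;
    }
    // hash_equals runs in constant time; the length check rejects malformed input early.
    $matches = strlen($supplied) === 32 && hash_equals($stored['hash'], $supplied);
    if ($matches) {
        delete_option(FLASH_HASH_OPTION);        // single use
    }
    return $matches;
}

// The action that issues a hash is registered on wp_ajax_ only (no nopriv
// variant), verifies a nonce, and requires an administrator capability.
function example_issue_hash_ajax(): void {
    check_ajax_referer('example_issue_hash');    // dies on a missing/invalid nonce
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    wp_send_json_success(['hash' => issue_flash_hash()]);
}
add_action('wp_ajax_example_issue_hash', 'example_issue_hash_ajax');
```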
What’s the key to a secure WordPress ecosystem?
The discovery and responsible disclosure of this vulnerability highlight the importance of collaboration between security researchers and WordPress plugin developers. Initiatives like Patchstack’s WordPress Bug Bounty program and the mVDP (Managed Vulnerability Disclosure Program) for plugin developers foster a cooperative environment, enabling the timely identification and patching of vulnerabilities.
By working together, the WordPress community can proactively address security risks, safeguarding the integrity of millions of websites and ensuring a safer online experience for users worldwide.
Update Immediately!
For users of the LiteSpeed Cache WordPress plugin, the urgency of updating to version 6.4.1 or later cannot be overstated. Failure to do so leaves websites vulnerable to potential exploitation by malicious actors, putting sensitive data and website integrity at risk.
Furthermore, users are encouraged to explore security solutions like Patchstack, which offers instant mitigation of vulnerabilities through its free and paid offerings, starting at $5 per month.
In conclusion, the critical vulnerability in the LiteSpeed Cache WordPress plugin serves as a sobering reminder of the ever-present need for vigilance and proactive digital security measures. By adopting secure coding practices, fostering collaboration between developers and researchers, and promptly addressing identified vulnerabilities, the WordPress community can collectively fortify the ecosystem, safeguarding websites and protecting users from malicious threats.