Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access
Summary:
A critical security vulnerability (CVE-2024-28000) has been identified in the LiteSpeed Cache plugin for WordPress, a widely used caching plugin with over five million active installations. This vulnerability, discovered by John Blackburn and submitted via the Patchstack Zero Day bug bounty program for WordPress, could allow unauthenticated attackers to gain administrator privileges on vulnerable WordPress websites. In a nutshell, CVE-2024-28000 makes it possible for an unauthenticated attacker to spoof their user ID and register as an administrative-level user, effectively granting them privileges to take over a vulnerable WordPress site. More technically, the vulnerability stems from a weakness in the plugin's user simulation feature, which utilizes a predictable random number as the seed for its security hash. This vulnerability is particularly concerning due to its potential for widespread exploitation and the significant consequences it could have for affected websites. It's important to note that the vulnerability cannot be exploited on Windows-based WordPress installations due to the hash generation function's reliance on a PHP method called sys_getloadavg() that's not implemented on Windows. WordFence Security has also released its own advisory for CVE-2024-28000 on August 21st, 2024, the same day as PatchStack.
Security Officer Comments:
The disclosure of CVE-2024-28000 in the LiteSpeed Cache plugin underscores the ongoing importance of maintaining robust cybersecurity practices, even for seemingly minor components of web applications like plugins. Given that this vulnerability was awarded the highest bounty in the history of WordPress bug bounty hunting, this critical vulnerability could cause detrimental damage to the integrity of WordPress sites. The vulnerability's severity is exacerbated by the plugin's widespread use and the ease with which it can be exploited by unauthenticated attackers. The underlying cause of the vulnerability, a predictable random number generator, highlights the criticality of ensuring the strength and unpredictability of values used as security hashes. Organizations utilizing the LiteSpeed Cache plugin should prioritize applying the necessary updates to mitigate the risk posed by CVE-2024-28000. The fully-patched versions of the LiteSpeed WordPress plugin are 6.4 and later. Version 6.4 was released on August 13, 2024.
Suggested Corrections:
To effectively mitigate and significantly reduce the attack surface for critical vulnerabilities like CVE-2024-28000 in software such as the WordPress LiteSpeed Cache plugin, organizations should implement a comprehensive approach that includes:
Link(s):
https://thehackernews.com/2024/08/critical-flaw-in-wordpress-litespeed.html
https://patchstack.com/articles/cri...espeed-cache-plugin-affecting-5-million-sites
https://www.wordfence.com/blog/2024/08/over-5000000-site-owners-affected-by-critical-privilege-escalation-vulnerability-patched-in-litespeed-cache-plugin/
A critical security vulnerability (CVE-2024-28000) has been identified in the LiteSpeed Cache plugin for WordPress, a widely used caching plugin with over five million active installations. This vulnerability, discovered by John Blackburn and submitted via the Patchstack Zero Day bug bounty program for WordPress, could allow unauthenticated attackers to gain administrator privileges on vulnerable WordPress websites. In a nutshell, CVE-2024-28000 makes it possible for an unauthenticated attacker to spoof their user ID and register as an administrative-level user, effectively granting them privileges to take over a vulnerable WordPress site. More technically, the vulnerability stems from a weakness in the plugin's user simulation feature, which utilizes a predictable random number as the seed for its security hash. This vulnerability is particularly concerning due to its potential for widespread exploitation and the significant consequences it could have for affected websites. It's important to note that the vulnerability cannot be exploited on Windows-based WordPress installations due to the hash generation function's reliance on a PHP method called sys_getloadavg() that's not implemented on Windows. WordFence Security has also released its own advisory for CVE-2024-28000 on August 21st, 2024, the same day as PatchStack.
Security Officer Comments:
The disclosure of CVE-2024-28000 in the LiteSpeed Cache plugin underscores the ongoing importance of maintaining robust cybersecurity practices, even for seemingly minor components of web applications like plugins. Given that this vulnerability was awarded the highest bounty in the history of WordPress bug bounty hunting, this critical vulnerability could cause detrimental damage to the integrity of WordPress sites. The vulnerability's severity is exacerbated by the plugin's widespread use and the ease with which it can be exploited by unauthenticated attackers. The underlying cause of the vulnerability, a predictable random number generator, highlights the criticality of ensuring the strength and unpredictability of values used as security hashes. Organizations utilizing the LiteSpeed Cache plugin should prioritize applying the necessary updates to mitigate the risk posed by CVE-2024-28000. The fully-patched versions of the LiteSpeed WordPress plugin are 6.4 and later. Version 6.4 was released on August 13, 2024.
Suggested Corrections:
To effectively mitigate and significantly reduce the attack surface for critical vulnerabilities like CVE-2024-28000 in software such as the WordPress LiteSpeed Cache plugin, organizations should implement a comprehensive approach that includes:
- Prompt Patching: The most immediate and effective mitigation is to apply the necessary security patches as soon as they become available. In the case of CVE-2024-28000, this involved updating to the latest version of the LiteSpeed Cache plugin. Regular patching ensures that systems are protected against known vulnerabilities.
- Vulnerability Scanning: Conduct regular vulnerability scans to proactively identify potential security weaknesses in your systems. Vulnerability scanners can help detect both known and unknown vulnerabilities, allowing organizations to address them before they can be exploited.
- Web Application Firewall (WAF): Deploy a WAF to provide an additional layer of protection by filtering and blocking malicious traffic. A WAF can help prevent attacks that attempt to exploit vulnerabilities like CVE-2024-28000.
- Regular Security Audits: Conduct regular security audits to assess the effectiveness of your organization's security measures and identify areas for improvement. Audits can help identify weaknesses that may have been missed by other security controls.
Link(s):
https://thehackernews.com/2024/08/critical-flaw-in-wordpress-litespeed.html
https://patchstack.com/articles/cri...espeed-cache-plugin-affecting-5-million-sites
https://www.wordfence.com/blog/2024/08/over-5000000-site-owners-affected-by-critical-privilege-escalation-vulnerability-patched-in-litespeed-cache-plugin/