Episode 116: Packagist Patch Shows How Supply Chain Threats Could Impact WordPress

A vulnerability discovered in Packagist, which is used by Composer to manage PHP package requests, could have allowed attackers to trick Composer into downloading backdoored source code, potentially affecting all WordPress sites. Packagist reports that it’s not aware of any exploits. A SQL injection vulnerability was patched in the CleanTalk AntiSpam plugin installed on over 100k sites. Vulnerabilities were discovered in Exim mail server, including 3 RCE vulnerabilities. We’re seeing some of the first trickle-down attacks from the Codecov supply chain attack, first from HashiCorp and then from Twilio. Apple releases iOS 14.5.1 to patch vulnerabilities in WebKit that are being exploited in the wild, a DDoS takes down Belgium, Peloton exposes customer information, and Signal taunts Facebook with a rejected advertising campaign.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
00:37 PHP Package Manager Flaw Left Millions of Web Apps Open to Abuse
03:22 SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin
06:11 21Nails: Multiple Critical Vulnerabilities in Exim Mail Server
09:01 Twilio discloses impact from Codecov supply-chain attack
12:40 Apple Is Having a Really Bad Time With iPhone Security Bugs This Year
15:04 Massive DDOS Attack Took Down Large Sections of a Country’s Internet
17:04 Data leak makes Peloton’s Horrible, No-Good, Really Bad Day even worse
18:27 Signal Wanted to Use Facebook’s targeted ads against it on Instagram
23:05 Wordfence K-12 Site Security Audit and Site Cleaning Program
23:30 Defiant is hiring

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 116 Transcript

Ram Gall:
Welcome to Think Like a Hacker, the podcast about WordPress security and innovation. I am Ram Gall, threat analyst at Wordfence, and with me is director of marketing, Kathy Zant. Given the news stories today, I think the appropriate response is a nonstop drawn-out scream but we’ll get to that.

Kathy Zant:
Ahhh

Kathy Zant:
Is that right?

Ram Gall:
Ahhhhhhh

Ram Gall:
Yeah, kind of like that.

Kathy Zant:
Our transcriptionist is going to love that.

Ram Gall:
I am sure they will.

Kathy Zant:
Yeah, there’s a lot going on this week. When I first started looking at all of the stories that are happening out there, I was like, “Oh, wow, yeah, there’s … Oh my … Oh, oh my, there is a lot going on.” This first story is about this PHP package manager flaw that left millions of web apps open to abuse. Now it wasn’t abused, this wasn’t something that was under attack in the wild, but the potential of what it could do was pretty significant. Ram, can you tell me a little bit more about what this was?

Ram Gall:
So, I feel like everyone pretty much collectively dodged a bullet here. So basically, everyone who does PHP development uses Composer. It’s a dependency manager for PHP. Basically what that means is that, you’re a developer, you want to include a library to do some cool stuff so you don’t have to write it yourself, but someone else on the same site might be using that same library. So this is a way to stop you from treading on each other’s toes.

Kathy Zant:
Okay. It uses something called Packagist, what’s this?

Ram Gall:
Yeah, so Packagist basically figures out the correct supply chain for package downloads, where to get what. Basically the Packagist infrastructure serves about 1.4 billion download requests a month.

Kathy Zant:
And it looks like SonarSource was the one that discovered a vulnerability that would allow attackers to execute arbitrary system commands on the Packagist server. How would this affect anyone using PHP and using Composer?

Ram Gall:
It is really fortunate that they caught it and patched it within 12 hours of disclosure, because an attacker actually using this kind of thing maliciously could have redirected package downloads to third-party servers, delivering dependencies with backdoors, or stealing credentials. You remember that WordPress supply chain vulnerability that Matt Barry found and had Core patch?

Kathy Zant:
Yes. Yeah. That was quite a few years ago.

Ram Gall:
This would have been pretty much the same kind of issue, only instead of impacting just WordPress, it would have impacted most people with PHP, but also WordPress, because Core uses Composer. A lot of plugins that offer more than basic functionality use Composer. This would have been like SolarWinds plus the Codecov thing, times a thousand, yeah.

Kathy Zant:
Wow, yeah. So some of the statistics in this article that was on The Daily Swig say that PHP is running 80% of websites. And SonarSource estimated that about two thirds of these PHP projects use Composer. So this would affect all of WordPress, it would affect probably a number of other PHP-based content management systems. It could have had really dramatic effects for us in the web development world, that’s for sure. So we dodged a bullet, eh?

Ram Gall:
Yeah, we really dodged a bullet with that one. Speaking of which, I did find a pretty cool SQL injection vulnerability in the CleanTalk anti-spam plugin a little while back.

Kathy Zant:
You did. So, the CleanTalk anti-spam plugin is on over 100,000 WordPress sites. Tell me a little bit more about how you found this vulnerability and how it could have been exploited.

Ram Gall:
Okay. So basically CleanTalk records what IP addresses do, almost how we do, only they have more of a focus on spam comments and stuff like that. Anyways, whenever you visit a website, your browser sends a special string in the headers called the user agent. Basically it tells the website, “Hey, I’m running Firefox. Hey, I’m running Chrome. Hey, I’m running Chrome on mobile.” So, CleanTalk records that string. Problem is, it did so in a way that wasn’t super secure. So I found a way to inject SQL commands into that user agent string. Now, Chloe actually helped a lot with this. It took some doing to get an initial proof of concept to where I could just get basic commands run, but Chloe really filled that out and got the proof of concept to a point where I could actually extract information from the database and stuff. It was amazing.

Kathy Zant:
Wow. So we put out a special firewall rule for this. Now, in Wordfence, the firewall does block SQL injection attacks, but this one had a specific way that could have caused an issue. So we had a special rule put in place in order to ensure anyone running this particular plugin, with this particular vulnerability, was protected. We put that out, what, on March 4th?

Ram Gall:
Correct. Yeah, it turns out that their initial clumsy attempts to sanitize the input actually made it so we needed an extra rule for it.

Kathy Zant:
Gotcha, okay. Then all of the customers who are using Wordfence, the free version, they have had this protection since April 3rd, so for about a month. So this is an older vulnerability, but some time has passed to ensure that it couldn’t be widely exploited. So we did publish some details about how this works, and we do that, why? So that we can educate other people who develop plugins for WordPress, so we can show them what types of vulnerabilities could be exploited. This is done so that we could elevate secure coding practices in the WordPress world, right?

Ram Gall:
Yeah and I mean, to be fair, this was not an easy vulnerability to exploit. There were a number of obstacles in place that made it more difficult to exploit, but that just goes to show that anything short of using prepared statements can often be bypassed when it comes to sending SQL queries.

Kathy Zant:
Interesting. So you can take a look at that post on our website. Now this next story is on Qualys website, on their blog, their research, and what did they find in the Exim mail server?

Ram Gall:
So a little bit of background, Exim is basically a mail server that runs on Linux computers. According to a recent survey, it’s installed on about 60% of all the servers on the internet.

Kathy Zant:
Oh wow. That’s a lot.

Ram Gall:
Yeah. Yeah, it is. It’s basically the default mail server on a lot of Linux machines. So Qualys found 21 vulnerabilities, including three remote code executions, and some privilege escalation attacks. So far they haven’t seen anything exploited in the wild, which is really good, but this is again, installed on 60% of the internet and that means that some of these servers are not going to be updated for a long time or ever. So I do think that we’re going to start seeing some knock-on effects from unmaintained servers being exploited for this vulnerability.

Kathy Zant:
Gotcha, okay. So let me ask you a question about a remote code execution and Exim. If this was possibly exploited, that would actually give the attacker control over just the mail server or the whole server?

Ram Gall:
So the mail server, when I say mail server, I basically mean just the thing that serves up mail running on the actual server. So in this case, by combining some of these vulnerabilities, someone could attack any server that happened to be running this mail server program and take it over. 60% of all the servers on the internet are running this mail server program.

Kathy Zant:
Okay. So, I bet you some malicious attackers are reading this blog post and figuring out how they’re going to do this, because this seems like it could have some major impact in the future. Something like what happened with the Exchange Servers, Microsoft Exchange Servers recently, where these became actively attacked and ruined a lot of weekends, I think for ops people.

Ram Gall:
Yeah, yeah. I think the main difference is that with the Exchange Servers, it wasn’t installed on nearly as many networks, but they were much higher value networks. They were largely corporate networks, whereas Exim is basically just installed on almost everything else. But on the other hand, that’s still millions maybe even … Yeah well, a Shodan survey showed that only like four million Exim servers were obviously exposed to the internet, but there’s got to be tens of millions more given that 60% number.

Kathy Zant:
Right, right. So if you are managing a server, just log in and see if anything needs to be updated. If Exim is there, definitely make sure that you’re updating because this is going to be attacked. These are going to be researched and we’re going to start seeing things probably in the not so distant future. Just kind of like what happened with Codecov, huh?

Ram Gall:
Yeah, yeah. So we were worried about this and apparently Twilio’s repository got cloned and the attackers were able to at least breach customer emails. I guess the good news is that Twilio only used Codecov in a few of their systems, which meant that the attackers had limited access, but they were still able to use that access.

Kathy Zant:
Right, right. Just for some background, Codecov is a tool that people use to examine their code. It had an attack that started, what, in January? And they didn’t discover it until April. So someone was in those systems compromising over 29,000 customers’ code and their keys and credentials and whatnot. So we knew we would start seeing some trickle down effects from this. So we’ve got Twilio. Then you said there was actually another disclosure that happened with HashiCorp?

Ram Gall:
Yeah. HashiCorp, the company that makes Vagrant. I actually use it to manage virtual machines for test environments. But I guess their private key that they use to sign their software got compromised in the attack. So they had to cycle that out, which is really scary though, because if an attacker has that, they can sign a package and it’ll look legitimate. That was actually like the thing that made SolarWinds undetected for so long, is the attackers managed to sign the malicious SolarWinds programs, or the malicious Orion package, that’s why it didn’t get found for forever.

Kathy Zant:
Right, and a signed package, for the uninitiated, that basically means that it’s been digitally signed. There are secure markers there that say, “Yes, this is actually the software,” but because of the supply chain attack effect of this, there’s someone behind that who’s actually doing that signing with the keys that make it look legitimate and it’s not. Did I describe that?

Ram Gall:
You described that perfectly, and we actually did a Wordfence Live stream about this topic a few weeks ago if any of you listeners want to go check it out. But what this does show is that the attackers behind Codecov are definitely using the information to pivot into some of the impacted systems and taking it further, which is what we are afraid of. So, this is probably not the last we’re going to hear of this.

Kathy Zant:
Right, and when we first did that live stream, it was kind of like, “Well, are people really going to understand how big this really is?” Because, I mean, you’re developing WordPress sites and your Wordfence is there protecting your site and everything and, “What is this Codecov? What does this have to do with me?” It has everything to do with so many of us, even if you think it doesn’t, because of the trickle down effects … and we’re seeing that happen now. So you might want to go back as Ram suggested and take a look at that episode and really understand what happened. Basically, what I take from that is that we need to start thinking about our security, not in terms of what we’re going to do if we get hacked, but when we get hacked, or when we have a security issue, and plan for that security issue like it actually is going to happen, so that you have some kind of plans in place for continuity of your business. Plans in place to restore from a backup and being able to determine when the actual last good backup of what you want to restore is. Having all of those plans in place for your business, whether it’s just for your WordPress site or for all of your systems, really, we just need to start thinking about security in a different way.

Ram Gall:
Yeah. I mean, we really do. I mean, this year is the year of all the security issues impacting everyone. Even Apple’s having a bad time, they just released a new emergency patch to fix two vulnerabilities that were being exploited in the wild for iOS. I think it was in WebKit, or specifically the version of WebKit that gets used in Safari. But again, these were being actively exploited. I mean, there are a number of vulnerabilities in mobile operating systems that might be known of by governments and private vulnerability brokers. But at this point, once they’re being actively exploited in the wild, that means that someone else has gotten a hold of them and started actually attacking them without being worried about burning them. So in a way, that’s really bad, but in a way that’s also really good because it means they’re getting patched, because those vulnerabilities were there the whole time. It’s just that now we know, and now they’re fixed.

Kathy Zant:
Yes, yeah. So I mean, security, it’s become one of those things that it’s not just for security professionals. Security is not just for Ram and Chloe to go find vulnerabilities. Security is for everyone. That’s one of the reasons why we do Wordfence Live, why we do the podcast, why we do put such an emphasis on education and information as a part of security, because in order for these types of things to be addressed, you have to be armed. You with an iPhone in your hand, you need to know that iOS 14.5.1 is out and you should apply that as soon as possible. That’s not something to wait on because these are being actively exploited and security is part of your job, whether you like it or not these days, huh?

Ram Gall:
Yeah. I mean, I understand that doing vulnerability research and reading through lines of code is not going to be everyone’s cup of tea ever, and that’s okay. But I don’t think it’s unreasonable yet to be able to say, “Oh hey, there’s an update. I should make sure that my auto updates are turned on,” and hope that there’s no supply chain attacks in the auto updates. Anyways, yeah, there’s no real winning, but there’s still better and worse.

Kathy Zant:
It’s part of your job, whether or not you are fabulously rich and famous and you don’t really have a job. You still, if you have a device in your hand that you’re using to connect to the internet in any way, shape or form, security is part of your job. It’s not something you can just kick down the road. It’s something you have to stay on top of.

Ram Gall:
Yeah, speaking of staying on top of it, it looks like Belgium had a bit of a problem with staying on top of keeping their internet up.

Kathy Zant:
Oh no, not Belgium. I like Belgium. They make good waffles.

Ram Gall:
And fries.

Kathy Zant:
And fries. Yeah, I’m all about the food, although it is lunch hour here. So what exactly happened? It looks like a distributed denial of service attack took down 200 organizations across Belgium, all of their websites?

Ram Gall:
Yeah. So I guess it targeted Belnet, which is their government-funded ISP, which basically provides internet access to their educational institutions, research centers, scientific institutes, government services. The good news is that it looks like the attackers were purely going for disruption. I guess they didn’t use it as a distraction for doing a data breach, or stealing any information, or changing anything, or infiltrating the network. They just took down the network.

Kathy Zant:
So they could say that they took down the network. Are we back to that again?

Ram Gall:
It’s unclear who was behind it, but it’s not uncommon for attackers providing these kind of services to do a proof of concept to show, “Hey, you want to hire us? We’re the people who were able to take down all of Belgium’s ISP.”

Kathy Zant:
Right, that is a service that exists. I don’t know if it’s on the dark web, or where people buy DDOS but-

Ram Gall:
Yeah, dark web.

Kathy Zant:
Is that where people buy it?

Ram Gall:
Yeah, DDOS as a service and you use it to distract people while you’re going in to infiltrate or steal other information.

Kathy Zant:
Because you know all of the security personnel are being hollered at by someone to get the network back up and so then all of their attention goes there. So it’s one of those look here, not there type of situations?

Ram Gall:
Yeah, but I do want to say that even if the motive seems to be reputation, that reputation is still going to be in the service of making money these days.

Kathy Zant:
Sure, it all comes down to the money, it does.

Ram Gall:
It’s a marketing exercise for whoever did this.

Kathy Zant:
Speaking of exercise marketing, hey, let’s talk about Peloton. I love that transition.

Ram Gall:
Oh, I see what you did there. So apparently Peloton’s API, basically their web interface exposed all kinds of user data, like user age, gender, how fit they were, how much they weighed, and apparently another piece of data that they’re not telling us about because it still hasn’t been fixed. But yeah, researchers apparently disclosed this to Peloton three months ago and they still haven’t fixed all of it. So yeah, great.

Kathy Zant:
Oh boy, they’ve had recalls with treadmills and all sorts of things. This is a company that has had a lot of issues and it looks like the fact that they’re taking three months to fix flaws that are exposing actual personally identifiable information of their customers is frightening. Maybe I’ll just go for walks or exercise instead of-

Ram Gall:
Yeah, and maybe skip the Fitbit. You never know who’s … Oh yeah, you remember that thing a few years ago where they discovered secret military bases based on the GPS activity of Fitbits?

Kathy Zant:
Yes, yes.

Ram Gall:
So fitness trackers are just generally a privacy nightmare. Speaking of privacy nightmares.

Kathy Zant:
Facebook. Let’s talk about Facebook. Facebook is the ultimate. They’re like the king of privacy nightmares. So it looks like Signal, which is basically a messaging app that is known in the security community as being the most secure way to communicate. Although, it’s still a system that’s-

Ram Gall:
Apart from the fact that they tell everyone you know, when you sign on for the first time, it’s like, “Hey, guess what? Ram, just got on Signal.” It’s like, “Thanks Signal. I’m glad I’m not a dissident.”

Kathy Zant:
The worst is when they tell … It’s like you sign on and it’s like, they tell everyone that you might be in their contacts list from years ago. It’s like, I don’t want some parent of my children that I haven’t talked to in five years to necessarily know I’m on Signal. They don’t need to know. But yeah, that’s always a little uncomfortable, but they decided to make things a little uncomfortable for Facebook. So, Facebook-

Ram Gall:
Yeah, they bought some Instagram ads, right?

Kathy Zant:
They did, they bought some Instagram ads. If you look at these Instagram ads, this article came from Engadget that we were looking at, these Instagram ads were hilarious because they basically exposed how much information Facebook and Instagram, which is part of Facebook, has about individual users. So one of the ads is, “You got this ad because you’re a newlywed, Pilates instructor and you are cartoon crazy. This ad used your location to see you’re in La Jolla. You’re into parenting blogs and you think about LGBTQ adoption.” It’s like, “How do you know this?” Well, they know it because that’s what Facebook and Instagram know about you as you use their platforms. Now, Facebook-

Ram Gall:
Remember, if it’s free, you are the product.

Kathy Zant:
Exactly.

Ram Gall:
Wait, Signal is also free. What does that mean?

Kathy Zant:
(Singing), we may have uncovered something.

Ram Gall:
(Singing).

Kathy Zant:
Anything that’s free. Yeah, definitely, you are the product. Your information in this case is the product and Signal is … These ads were disallowed by Facebook. Now, they would have been disallowed, I think on Instagram anyway, me being in marketing, I know that verbose text ads just don’t work on Instagram. We as a company, don’t do Instagram ads, but I have in the past and they want something visually appealing and big text ads are rejected by Instagram anyway, but everything got very spicy and dramatic with Signal and Facebook because-

Ram Gall:
Well, Moxie Marlinspike does like stirring the pot. That’s the guy behind Signal. Did you hear about that thing the other day, where he decided to announce that he was putting malware binaries in case law enforcement tries to decrypt your phone and crack Signal? One of the, okay, this was not actually a planned thing, there’s a company that makes hardware that law enforcement uses to crack open locked iPhones and locked Android devices. He found a couple of exploits in this hardware and …

Kathy Zant:
Nice.

Ram Gall:
Yeah, it was a whole thing.

Kathy Zant:
I love these kinds of stories because it shows just the dynamic nature of the internet and how information desires to be free and how there needs to be this free flow. It exposes privacy concerns. It exposes control and surveillance kinds of concerns and just brings it all out in the open, because the thing is, as our privacy is diminished in this open world, so is the privacy of surveillance states. So is the privacy of the CIA, the FBI, all these three letter organizations that are doing spy types of things and are looking-

Ram Gall:
Information wants to be free and that is a wonderful and a terrible thing because it also means that all of your private information wants to be free too.

Kathy Zant:
Yes, but it means all of the people who want to do bad things, their information is free too and everything kind of comes to light. If you look around, you can see that, there’s a leveling of the playing field of information and it opens up interesting opportunities and I’ll leave it at that. I’m off my soap box.

Ram Gall:
Indeed. Well, we did spend a little bit of time on soap boxes because it’s Facebook and Instagram. That’s the best of soapboxes.

Kathy Zant:
Yeah, that’s why we couldn’t pass up the story. But I think that’s it. We do want to mention that we are still offering free site cleaning and site auditing services for K-12 schools worldwide. If you know of a school that could use that service, please let them know. We will have a link in the show notes so you can send that to them. Anybody who is having issues with WordPress security, we are there to support them. For the K-12 public schools especially, we do this for free. We would also like to mention that we’re hiring. Earlier this week, Mark did a great Wordfence Live episode, where he talked about the truly remote philosophy that he and Kerry, his wife and co-founder, have, and how Wordfence and Defiant is such an amazing place to work. So we have a number of roles available: security operations, PHP developers, QA, quality assurance, as well as a senior researcher for website performance. So go take a look there, defiant.com/employment, and you can see all of our amazing benefits there as well. How’s that coffee maker working for you?

Ram Gall:
It is pretty amazing. I make two pots of coffee a day now, instead of just one, which is, well …

Kathy Zant:
Highly caffeinated Ram is a fun thing in my mind.

Ram Gall:
I’m a menace. I’m a menace now.

Kathy Zant:
You’re an entertaining menace to me, but you’re amazing at the work you do. And to keep you caffeinated and happy is amazing as well. So if you want to come work with Ram, me, Chloe, Scott, Tim, Adam, there’s about 40 of us now, including all of the contractors, we’re having a great time and we’re keeping the world safer in the WordPress space, and we’d love to work with you. I guess that’s it, you want to talk again next week?

Ram Gall:
Yeah, yeah. We’ll see you all next week and bye for now.

Kathy Zant:
Bye-bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 116: Packagist Patch Shows How Supply Chain Threats Could Impact WordPress appeared first on Wordfence.
