Questionable patching on the part of the WordPress CMS team has caused lots of headaches for WP site owners this week.
A basic maintenance release published on Monday —WordPress 4.9.3— meant only to fix minor bugs, caused huge problems for WordPress site owners by breaking the automatic update mechanism that upgrades WordPress sites in the background, without user interaction.
The WordPress team was forced to release an update the next day —WordPress 4.9.4— to fix the issue introduced on Monday, and restore the background updates system.
Unfortunately, since the background update system was down, this means that all WordPress site owners running v4.9.3 will need to visit their site's admin panel and trigger the update by hand.
No fix for CVE-2018-6389 zero-day
But neither v4.9.3 nor v4.9.1 fixed a vulnerability reported by Barak Tawily —CVE-2018-6389— a bug that can push WordPress sites into a Denial of Service (DoS) state.
The issue affects all WordPress versions, including WordPress.com installations, which means that miscreants can crash more than a quarter of all Internet sites just by running a simple script.
Exploit code to leverage this bug has spread quickly on the Internet, and proof-of-concept exploits that can down servers are available online in several places [1, 2].
According to DDoS mitigation provider Imperva, attacks have already taken place, and the number of incidents is expected to grow as more threat actors learn of the issue.
"Until today (February 6, 2018), we have only seen a few dozen exploit attempts using this vulnerability, but we might see a steep rise in attacks using this exploit due to the popularity of the platform, unless a mitigation will be applied in the near future," said Imperva engineers Johnathan Azaria and Koby Kilimnik.
Below is a simple explanation of the bug from the same Imperva team, who double-checked and confirmed Tawily's findings:
WordPress team deferred patching to server providers
Tawily said he tried to notify the WordPress team of the flaw, but developers chose not to fix the issue.
"This kind of thing should really be mitigated at the server or network level rather than the application level, which is outside of WordPress's control," the WordPress team responded, according to Tawily.
The researcher released a shell script that patches the flaw until the WordPress team has a change of heart and adds a fix to WordPress itself. The Bash script allows only admins to send requests to the vulnerable modules and removes the ability to query the vulnerable modules from the login page. There is also a way to fix this with mod_security.
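From the defender's side, an added example (not part of the original article or of Tawily's script): the Python below scans web server access log lines for the request pattern behind CVE-2018-6389, unauthenticated calls to WordPress's script/style bundling endpoints (load-scripts.php and load-styles.php) that ask for an abnormally large number of modules in one request. The log lines, the client addresses and the threshold of 20 modules are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# WordPress endpoints that bundle JS/CSS for unauthenticated callers;
# these are the endpoints abused in CVE-2018-6389.
VULNERABLE_PATHS = ("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php")

# Assumed threshold for this example: the login page requests only a
# handful of modules per call, so dozens in one request stand out.
MAX_MODULES = 20

# Combined log format: client, timestamp, "METHOD target HTTP/x", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one normal login-page bundle, one oversized request.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Feb/2018:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2871',
    '203.0.113.5 - - [06/Feb/2018:10:00:02 +0000] "GET /wp-admin/load-scripts.php'
    '?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=4.9.3 HTTP/1.1" 200 98000',
    '198.51.100.7 - - [06/Feb/2018:10:00:03 +0000] "GET /wp-admin/load-scripts.php'
    '?c=1&load%5B%5D=' + ",".join(f"mod{i}" for i in range(40))  # placeholder names
    + ' HTTP/1.1" 200 1500000',
]


def count_modules(target):
    """Number of module names requested via load[]; 0 for unrelated paths."""
    parts = urlsplit(target)
    if parts.path not in VULNERABLE_PATHS:
        return 0
    query = parse_qs(parts.query, keep_blank_values=True)  # unquotes load%5B%5D
    total = 0
    for key in ("load[]", "load"):
        for value in query.get(key, []):
            # WordPress accepts comma-separated module lists per parameter.
            total += len([m for m in value.split(",") if m])
    return total


def find_suspicious(log_lines, max_modules=MAX_MODULES):
    """Return (client_ip, module_count) for requests above the threshold."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined log format
        n = count_modules(match.group("target"))
        if n > max_modules:
            hits.append((match.group("ip"), n))
    return hits


if __name__ == "__main__":
    for ip, n in find_suspicious(SAMPLE_LOG):
        print(f"{ip} requested {n} modules in one call")
```

Repeated hits from one client against these endpoints are the signal to rate-limit or block at the web server, which is where the WordPress team said the mitigation belongs.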
Tawily also released a YouTube video demoing his DoS bug:
Comments
dmchale - 6 years ago
4.9.3 was released Monday, which contained the update bug. Version 4.9.4 was released the next day to fix the issue.
Your version numbers are off in the first paragraph (3 references), AND after the subheading when you suddenly jump back yet another release, referencing 4.9.2 and 4.9.1 (which should again be 4.9.4 and 4.9.3, in context).
Thought you'd want to know so that you could fix the article, otherwise this is confusing and misleading to a site owner who is going to use these numbers to compare to what version they may be running.
campuscodi - 6 years ago
Oh yeah. I f***ed that up big time. Fixed. Thanks!
dmchale - 6 years ago
you got it
Occasional - 6 years ago
CC, do you have a way to report typos, etc., besides posting a comment or through your contact info? I take it the "Report" feature is just to flag out-of-bounds abuse.
We realize you guys have to crank out a lot of copy each day; and even a small error can change the whole intent. Some mistakes are obviously just that - other times, we're not sure.
campuscodi - 6 years ago
Via my email is probably faster.
GT500 - 6 years ago
This sounds like it's an issue with permissions set on files. Did WordPress at least update their documentation to recommend different permissions settings?