Think Like a Hacker Episode 95

Episode 95: Critical Privilege Escalation Vulnerabilities Affect Over 100K WordPress Sites

Three critical privilege escalation vulnerabilities in the Ultimate Member plugin put over 100,000 sites at risk. We also talk about the Page Experience metric to be added as a ranking signal for Google search in May 2021 and what this means for WordPress sites using page builders or Gutenberg.

Microsoft warns against using telephone/SMS-based multi-factor authentication, and two zero-day vulnerabilities were patched in Google Chrome. Microsoft Windows patches over 111 vulnerabilities as a part of November’s Patch Tuesday.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:44 Critical Privilege Escalation Vulnerabilities in the Ultimate Member Plugin
4:42 Are WordPress Websites Ready for Page Experience as a Ranking Signal?
10:40 Google Patches 2 More Chrome Zero Days
12:39 Intel SGX defeated yet again—this time thanks to on-chip power meter
16:09 Microsoft urges users to stop using phone-based multi-factor authentication
20:37 Microsoft November 2020 Patch Tuesday Arrives with Fix for Windows Zero Day

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Episode 95 Transcript

Kathy Zant:
Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. I’m Kathy Zant, Director of Marketing here at Wordfence. And with me, my cohost-

Ram Gall:
Ramuel Gall. I am a QA Engineer and Threat Analyst at Wordfence, and yes, we are hiring. Would you like to work with us? Because we’re awesome.

Kathy:
We are awesome. And we have a number of positions available. If you go to wordfence.com, scroll to the footer and click on careers, you can see them. I think our most desired position right now that we are hiring for is a security operations, senior engineer type of person. So if you like operations and playing with servers and all of that fun stuff, and you think security is awesome, we would love to talk to you. We have some interesting stories. What’s our first one, Ram?

Ram:
Well, this one was one of Chloe Chamberland’s finds. It was a critical, or actually three critical privilege escalation vulnerabilities, in the Ultimate Member plugin, which is installed on 100,000 sites.

Kathy:
It is. It looks like she discovered this on October 23rd, and that’s when Wordfence Premium customers received their firewall rules. Tell me a little bit about some of these vulnerabilities. It looks like a user registration form lacked some checks.

Ram:
Yeah. So effectively for two of them, the main problem was that by default, Ultimate Member creates a registration page where people can sign up to your website. Unfortunately, it also used a function that just grabbed whatever you submitted for the role selected, or the capabilities selected, or the user level you selected, and just added that into the new user’s information. So if you sent it a request, if you basically capture the request when you registered on the form, and just added, “Hey, I want to be an administrator,” to that request, then it would make you an administrator.

Kathy:
Oh. So just anyone running Ultimate Member, you could just sign up for a new account and say, “Hey, I’d like to be an administrator.” That sounds fun.

Ram:
Yeah, I want to be in charge of this site now.

Kathy:
Scary. It also looks like attackers could enumerate current custom Ultimate Members’ roles. So they have some custom roles available with this membership plugin, and they could figure out what those were.

Ram:
They could. Now I mean, bear in mind that a lot of the roles would have to be created by the site administrator first.

Kathy:
Sure.

Ram:
So if the site administrator created the custom role, then the user could register as that role. But in a lot of cases, even without that, even if the site owner didn’t actually create these custom roles, an attacker could still change their capabilities to whatever they wanted. So I feel like that’s something that would be a lot more widely exploited.

Kathy:
Yeah. Yeah, definitely.

Ram:
The other one is that if you’re updating your profile, you could also change your role there, which I think was kind of a bigger deal as once you created a user, even if you didn’t sign up as an administrator, from there, you could then change yourself to an administrator. So.

Kathy:
Yikes. That sounds pretty scary. So it looks like they patched this on October 29th, which fixed all of these vulnerabilities, right?

Ram:
Correct. If you are running this plugin, please update. Free users won’t get this rule until November 22nd. If you’re updated, you’re safe. If you’re not updated, please update. I mean, even if you’re using Wordfence Premium, still update. But especially if you’re not, update that plugin.

Kathy:
Especially, yeah. It’s always important. One of the greatest benefits of using Wordfence is the fact that it helps you stay on top of all of these updates, because if you’re running any kind of software, whether it is your computer at home, Google Chrome, which we have a story about that coming up, or Windows, whatever you’re using, you have to make sure that your software is continuously updated because there’s always going to be vulnerabilities, bug fixes, patches. Update, update, update.

Ram:
I know it feels like a lot to handle, but if your business is literally relying on your website, then it’s definitely worth the investment of time and effort because you can’t afford not to.

Kathy:
Right. Unless you’re trying to do the whole passive income, right?

Ram:
Well, there’s no such thing as passive income. It’s like a garden.

Kathy:
It is. It is. I mean, there’s a lot of people out there on the internet who are pushing these ideas of passive income. “Just set up a WordPress website and all the money will just come in.” But still, you still have an asset of a WordPress website that you have to maintain like same way you’d maintain your car or your house or-

Ram:
Yeah, spend an hour a week on it, maybe even less depending. But if you get an alert that you have an update ready, like Wordfence Central will tell you if you’ve got some plugins that needed to be updated on one of your sites, then maybe you should go in and update it sooner.

Kathy:
Yes, indeed. So we have another story from WPTavern, and this is about Google adding a new metric as a ranking signal for search. What’s this all about?

Ram:
So the new metric is called Page Experience and it’s a composite metric of three things that they’ve figured matter to users. And each of these three things is actually a composite metric, which means they’re made up of smaller metrics themselves. So these are three different metrics. One of them is Largest Contentful Paint, which is basically a proxy for how fast your site loads, like just data-wise. And basically that measures when the largest chunk of stuff on your site gets rendered, and it should happen within two and a half seconds of the page first loading. Second one is First Input Delay, which is something that measures interactivity, like whether or not you can click on a site and mess around in it or do things on that site fairly quickly after it loads. And that should be less than 100 milliseconds after it’s really starting to appear loaded.

Ram:
The last is Cumulative Layout Shift, which measures visual stability, and this is honestly the one that I care about the most. If you ever had that thing where you were on a mobile phone and you go to a website and it’s loading and it’s not finished loading, but you’ve already read part of it and you start to scroll and oops, you clicked on an ad because it just shifted around and made it so the ad was right where your finger was going to be. That’s Cumulative Layout Shift. If the shift is too big, then you run into that kind of problem. So, I mean, that’s the one I care about the most.

Kathy:
I care about that, too. Yeah, that sounds like a bad page experience. So this is very interesting. So this is another boosting… If your site is handling these types of things well and creating a good user experience, Google is going to give you more preference in the search engine result pages, you’ll have a higher ranking, partially. This will feed into that. Then someone who is doing those types of things and making Ram inadvertently click on ads, please don’t do that.

Ram:
And I mean, we do have our site performance tool, Fast Or Slow, and we do plan on incorporating these metrics in the near future. So, look forward to that.

Kathy:
Yeah. And Fast Or Slow is completely free, so great tool to start using to monitor what’s happening with your site, and make sure that your site is performing well across what is it? 18 different locations now?

Ram:
I think so. I’ll have to double-check. Don’t quote me on that.

Kathy:
I can quote you on that. I did look it up. It’s usually 18, unless a location is unavailable for some reason. But always we’re aiming for 18. So on WPTavern comments, I like to read comments. I’m one of those weirdos who reads comments on blog posts, because there’s some interesting discussion happening here. So people are asking whether or not page builders that are incredibly popular on WordPress sites like Divi or Elementor are affecting the page experience metric. What’s your take on this, Ram?

Ram:
In my experience, a lot of page builders, I don’t know if you remember the FrontPage or Dreamweaver days, but a lot of what you see is what you get page builders introduce extra complexity and they do slow things down. In this case, a lot of it’s because JavaScript needs to render the pages, so that’ll largely contribute to things like First Input Delay, where the JavaScript has to finish rendering before you can really interact with the site. I know they probably have some mitigations in place to make that a little bit less bad, but it is a concern. And Cumulative Layout Shift, you run into that as well. Whenever part of the page is rendered immediately, another part of the page is positioned programmatically after it’s started loading.

Kathy:
Interesting, yeah. I’ve used page builders a few times on a number of sites. And so I try to analyze, because I started back in the day of… The first thing I was ever given to build a site was FrontPage, and then immediately after learning HTML and learning CSS and learning all of JavaScript realized that that was awful. But these page builders that WordPress users are using like Elementor or Divi, they use a lot of different CSS classes in order to handle what is being laid out on the site. And some of it gets so complex that I can’t read it. And I can read HTML and I can read CSS and I can read JavaScript. I understand what it’s doing, but it’s so complex. And so I can only imagine that browsers have a difficult time making determinations of where everything is going to go, because there’s just so much code there, right?

Ram:
Yeah. I mean, this is sort of an ongoing debate. Just the idea that if you need to load say two to three megabytes of resources, just in order to determine the page layout and styling, then that’s not necessarily going to be a very mobile-friendly experience. But it’s an ongoing debate and I feel like Google incorporating this into their page experience metrics is a step towards sort of clamping down on that.

Kathy:
Excellent. Okay. Well, this will be definitely interesting, something to watch for. And it looks like they are going to be implementing this Page Experience as a ranking factor in May of 2021. So I guess our takeaway is that the more simple you can make your page layout, the more simple your code can be, the better it’s going to be for not only your users, but your search engine rank as well.

Ram:
Yeah. And by the way, Gutenberg apparently appears to score fairly well on this metric despite being intended as a sort of compromise between what you see is what you get and the traditional blog post editor style.

Kathy:
Excellent. Good to know.

Ram:
Yeah, apparently they’re doing okay.

Kathy:
Excellent. So a lightweight theme and Gutenberg, probably the best way to go going forward.

Ram:
Most likely yeah.

Kathy:
All right. So what’s this story now about Google patching a couple more Chrome zero-days. We’ve had a few of these recently, huh?

Ram:
Yeah. Apparently this is five zero-days in like three weeks. And the first three were discovered internally by Google security researchers. The newest two were externally reported by anonymous sources. They don’t have a lot of details, just described as inappropriate implementation in V8, which is the Chrome component that renders JavaScript. And then there’s a Use After Free memory corruption bug in the site isolation, which is the Chrome component that isolates each site’s data from one another. Which definitely, since these are zero-days, that means that people are already trying to exploit these, which means that someone’s found a way to make them work, which is kind of interesting.

Ram:
I know we mentioned Use After Free vulnerabilities in a previous podcast, and I didn’t really want to go into them, but they keep on coming up so I guess I’m going to have to. Basically, when you have, say, a program that has a function that says, “Hey, I’m going to set this variable to blah.” That actually allocates memory and says, “The memory here contains ‘blah’.” Then the program, it goes, “I don’t need that anymore. Forget it.” That frees up that memory. But if it says, “Nevermind, I want whatever was there again.” Blah’s not there anymore, and instead it’s something different. And if you can predict or change, whatever’s going to be there, you can end up with things like code execution, or retrieving sensitive data.

Ram:
Now, the good news is that modern operating systems do have some pretty decent protections against this, something called ASLR, Address Space Layout Randomization, where they kind of don’t stick everything into predictable areas in a computer’s memory. It’ll just be like, “I’m going to put this here, I’m going to put that over there, and attackers then have to do a lot more work to figure out where the thing they want to target is.” However, that brings us to our next story, which is… Basically it’s Intel SGX, which is their software guard extension, which they use to store and handle secret data like encryption keys.

Ram:
Researchers have come up with an attack named Platypus, which is not as cute as it sounds. But yeah, they basically found out that Intel chips and apparently AMD chips too, though they didn’t actually go in depth on those, have built in power meters. And at least on Linux systems, users with minimal privileges can check out how much power a chip is using for doing different things. And that’s what we call a side channel, which means that you can steal cryptographic keys by studying how much power it takes for a chip to do different encryption and decryption functions. And more interestingly, it can also basically get around that Address Space Layout Randomization we just mentioned earlier. It can basically de-randomize that. Which I feel like that’s impactful because it can be done remotely, which means that it would work really well in combination with Use After Free memory corruption bugs.

Kathy:
Got you. Okay. So what’s the deal with the story? So researchers have found this vulnerability with Intel chips. Now I remember the Meltdown and Spectre vulnerabilities. How does this compare to that?

Ram:
This hasn’t really gotten a ton of attention, but I feel like because this is remote and it doesn’t require a lot of privileges, it’s pretty comparable, I’d say, or possibly worse. The only mitigating factor is that by default, only Linux boxes have the components built in that let lower-privileged users do this. You have to intentionally install the drivers on Windows to actually use this functionality. It’s not something that you should be worried about as an individual user. But if you’re a hosting provider and you’ve got a data center, this is something you want to get patched as soon as possible.

Kathy:
Right. And you have a data center full of Linux servers hosting everybody’s WordPress site.

Ram:
Pretty much.

Kathy:
Yeah. So as a WordPress site owner, this is relevant to you. This is something that you might want to keep an eye on, make sure that your hosting provider is applying the patches or whatever is going to be needed in order to make sure these types of vulnerabilities cannot be exploited. So that cryptographic keys on all these servers are nice and safe, right?

Ram:
Yeah. And so the buffer overflow exploits and Use-After-Free vulnerabilities don’t work quite as well or as easily.

Kathy:
Yeah. I mean, we’ve got to keep Ram on his toes here on this podcast somehow, but-

Ram:
I’m not going to lie. I had to do a bunch of research on all of these things because there’s always more to keep up with, but

Kathy:
Sure. Sure. Well, I mean, security’s important. It’s not just researchers like yourself who have to stay up on this kind of stuff. I mean, I am not going deeply into all of these vulnerabilities much in the same way that you are, but I need to be aware of them as a WordPress owner, as someone who’s interested in WordPress security, it’s just good to be aware of it. It doesn’t mean you have to like go deep diving.

Ram:
Yeah. I don’t necessarily have to know how to personally decrypt your encrypted data, but what I do need to know is the implications of different vulnerabilities as they relate to other vulnerabilities, which we’ll get to at the end of the podcast actually.

Kathy:
Right. Right. Now, here’s another story. This one I think is very relatable, because we’ve talked about this a lot on the podcast, we’ve talked about it on Wordfence Live. It is a favorite topic of mine at WordCamps. This is about encouraging people to stop using phone-based multi-factor authentication. So no more SMS 2FA. Microsoft is now urging users to stop using phone-based multi-factor authentication for many of the same reasons that we encourage that. We’ve been saying this forever. Now this warning came from the Director of Identity Security at Microsoft, Alex Weinert, and he’s been advocating on Microsoft’s behalf urging users to embrace MFA, and he’s taking it a step further and saying, “No more SMS.” What happens with SMS that makes it so concerning for us, Ram?

Ram:
First of all, I do want to bear in mind that when they say no phone-based, they mean no telephone-system-based, no SMS, no voice calls, and an app on your phone is still going to be a secure way to do this, assuming that there are no vulnerabilities on your phone.

Kathy:
Yeah. Some people still use their phones for telephone calls and also SMS.

Ram:
I mean, I don’t use them for telephone calls ever since robocalls became a thing, but that’s another can of worms. Anyways, one of the main problems with especially SMS based two-factor authentication is that it’s entirely possible to phish someone using that. You go onto a phishing site, you enter in a username and password and their software can actually forward on that request and then send the SMS and get you to input the second factor code. It’s also possible to conduct a SIM-swapping attack where they socially engineer your mobile network company who are pretty easy to socially engineer, even now, from what I’ve been seeing at various DEFCONs. And just call them up, get them to say, “Hey, I want this phone number ported to this new SIM card I got.” And a lot of the time they’ll just do it.

Kathy:
Right. Yeah. And just the underlying network that our telephone system, not your mobile device, but the telephone systems, SMS based systems, the underlying networks were not developed with the type of security required for what we’re doing with our phones these days. I mean, talking to grandma’s one thing, but logging into your bank account or your cryptocurrency account, something completely and totally different, right?

Ram:
If the police can deploy a stingray to intercept voice and SMS calls, then attackers can, too.

Kathy:
Exactly. So use your Google authenticator. LastPass has a great authentica- I was using Google authenticator for the longest time, and then of course I get a new phone and bye-bye two-factor codes, they’re all gone.

Ram:
So Google Authenticator did have a problem and that’s that it didn’t prevent screenshots-

Kathy:
Oh, really?

Ram:
… of the Authenticator interface. So if you had malware running on your phone, it could steal that second factor code.

Kathy:
Interesting. Does LastPass’ app have that same problem?

Ram:
I think it blocks screenshots on the page itself.

Kathy:
Okay. Yeah. I know when you copy a code, it doesn’t hold it in memory for more than I think 30 seconds or something too, so that it can’t be, I don’t know, Tik-Toked into China. So definitely start using your Google Authenticator. What other ones do we have? There’s Authy, LastPass-

Ram:
Yeah, I think there’s some open source ones that are pretty decent as well.

Kathy:
Okay, excellent.

Ram:
And you have your choice.

Kathy:
Yes. There are many different ways to do your two-factor authentication, and at Wordfence, we encourage you to use those app-based authenticator codes as well. One cool thing that I like about what 1Password does is that you can have those two-factor codes integrated with your one… So you have your password and it also has that time-based code within the app or within the application on your computer. So that’s also very handy. So there’s no more excuses, right?

Ram:
No more excuses, though I do recommend, if you’re going to set up two-factor authentication using more than one device, say 1Password and a phone, that you do them both at the time of setup. Otherwise you’re going to have to undo it and then redo it to add them both later.

Kathy:
Yeah. Important. Cool. Well, it looks like we have some patches for Windows Patch Tuesday. What does this look like, Ram?

Ram:
This is what I was mentioning earlier. It includes a fix for a Windows zero-day vulnerability that was exploited in the wild, and it’s a privilege escalation vulnerability. And the reason this was kind of a big deal is that they found it used in conjunction with the Chrome zero-day we mentioned a couple of podcasts ago, the one with the FreeType library, which was, yes, a Use-After-Free vulnerability, I believe. Or was it some other kind of memory corruption?

Kathy:
I think it was Use-After-Free. I think that was the one that we were talking about [crosstalk 00:21:09].

Ram:
It was the heap buffer overflow.

Kathy:
Was it? Okay.

Ram:
Yeah. Okay. So it was a buffer overflow. So something else that ASLR would make harder to pull off.

Kathy:
Got you.

Ram:
But yeah, I guess they found it being attacked in conjunction with that one, and basically it would be an exploit chain where they’d attack the FreeType vulnerability to gain some degree of local access and then attack the kernel zero-day to gain privilege escalation, which once you have remote privilege escalation, that’s kind of a big deal. Google Project Zero, which finds pretty much all of these, it sounds like, to disclose it on October 30th.

Kathy:
Again, the big takeaway is, well, there were 111 other vulnerabilities patched within this as well. I mean, that’s the most interesting one, obviously, the fact that it was being exploited in the wild. But still over a hundred vulnerabilities that are patched in Patch Tuesday, so it’s like, maybe that should be just like a national holiday, every Patch Tuesday. Everybody just-

Ram:
Every Patch, I mean-

Kathy:
Take a national holiday, everybody in every country, patch your computers, please.

Ram:
Or just turn on the automatic updates. They don’t seem to interrupt important things nearly as often anymore. Usually they’ll just pop up and say, “Hey, we’re going to update you after 7:00 PM.” Which is, unless you work night shift, in which case you may want to change that timing.

Kathy:
Yeah. Well that’s all we have this week on Think Like a Hacker. If you’d like a notification, when we have a new episode, you can subscribe on wordfence.com/podcast. There’s a form there. So you can get alerted when we have a new episode. If you have a story that you’d like us to cover, you can write to us at press@wordfence.com. I get all of those, and we can cover any story that you’d like us to look at. Make sure you follow Ram at… Was it @RamuelGall on Twitter?

Ram:
I’m very boring on Twitter, but yes.

Kathy:
I’m boring on Twitter these days, too. There’s so many other people who are doing exciting things that I’m just like, “Oh my gosh.” I even don’t want to talk about all these crazy things. But yeah, we’re on Twitter, and we share security news there as well. Make sure you’re following the Wordfence account, and make sure that you come visit us on Tuesdays at noon Eastern, 9:00 on the West Coast, we have Wordfence Live that’s on YouTube. You can find those links on our website somewhere. We’ll put it in the show notes too, because we have lots of interesting topics to discuss there, where we’re really looking at the best ways that you can handle your WordPress site. Well, this past week we talked about best practices in updating and maintenance, right?

Ram:
Yep. We just did discuss how to handle updates that go wrong to some extent, how to avoid updates going wrong in the first place, how you should handle updates depending on the size of your site, whether or not automatic updates are a good idea.

Kathy:
Yeah. And I’m sure we’ll be talking about automatic updates for some time. We’ve got some interesting news coming up. We’ll probably talk next week about automatic updates in WordPress 5.6, so there’s a little teaser for you.

Ram:
Yep.

Kathy:
Awesome. Well, thanks for joining me here again, Ram. This is a lot of fun, and we’ll be back again next week to talk about more security, WordPress and innovation news.

Ram:
Thanks for having me. And I guess I have to do more studying before next week, too.

Kathy:
We all do. It’s always… Studying.

Ram:
Yeah, never stops.

Kathy:
Never stops, does it? That’s what makes it fun.

Ram:
It does.

Kathy:
All right. See you next week. Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.
