On Monday, December 15th, SC Magazine reported a plugin vulnerability for WordPress that has compromised over 100,000 sites.
The plugin, ThemePunch’s Slider Revolution, is a premium WordPress plugin that has also been bundled into many commercially available WordPress themes. Users of those themes might not even realize they are running the plugin, because it came with the theme they chose. According to the plugin’s authors, such users must rely on the individual theme vendor to ship the updated version of the code rather than getting it directly from ThemePunch. That dependency makes this a little more complicated than your average vulnerability remediation.
The vulnerability allows an attacker to use the plugin to download any file on the server. That includes WordPress’s configuration file, from which the attacker can learn the database access credentials and compromise the site further.
Unfortunately, since the article was released it appears that another plugin also made by ThemePunch, Showbiz Pro, is similarly vulnerable.
The good news is that Halo can provide ways to detect both the presence of the WordPress Slider Revolution plugin on your servers and whether or not people are probing your sites for the vulnerability. This blog post shows how you can go about leveraging two of Halo’s modules to help detect the presence of the plugins and how to see if the “bad guys” are trying to exploit your WordPress installation.
Detecting the Plugin
In Halo’s Configuration Security Management feature, it is possible to create a policy with a rule and checks to detect whether the Slider Revolution or Showbiz Pro plugins are installed. (For this example we’ll be focusing on detecting these plugins on a Linux box.)
Step 1 – Log into your Halo account and navigate to Policies -> Configuration Policies.
Step 2 – Click Add New Linux Policy.
Step 3 – Fill out the Name and Description in the provided example and click Save.
Step 4 – Click the triangle control next to System Configuration and then click Add a New Rule.
Step 5 – Enter a name for the Rule, e.g. ‘Detect WordPress Plugins’ and click the Add New Check button.
The Check Type dialog box will appear. For this example, choose Directory Presence Check.
While we could write one check that looks for both the Slider Revolution and Showbiz Pro plugins, unless you have both installed the results could be confusing. For this example, make two separate checks.
Step 6 – For the Folder(s)… section of the check, provide the full path to your WordPress installation. This is typically the path where your web pages are stored, plus the WordPress directory /wp-content/plugins/. In this example we’re running Apache2 on an Ubuntu server that stores its web content in /var/www/html. Our WordPress installation is in that directory, so we enter /var/www/html/wp-content/plugins/revslider/, which is where the plugin would be if it were installed on our system by itself (not as part of another theme).
Step 7 – The Directory Presence Check requires you to state whether the folder should or should not exist on the system when the check runs. Since the purpose of this CSM policy is to detect whether the plugin is installed, choose “should not be present”. That way, a server that has the plugin fails the check, and the failure in the scan results tells you where further investigation is needed.
Step 8 – While the Remediation Suggestion in the Directory Presence Check is optional, I think we should put a little text in there to record the context of this check. Then, when scans run and reports are generated, we can see at a glance that a failure means the plugin is present and should be checked to make sure it has been updated to the latest, safe version.
Step 9 – Click the button marked Save All.
To create the second check for Showbiz Pro, or any specific WordPress plugin, you can repeat Steps 5 through 9.
Step 10 – Assign the policy to each of the server groups that contain your WordPress servers. Then initiate CSM scans and review the results. If the policy rule fails on any server, you know you’ll need to investigate to make sure you’re running the latest version of the plugins to protect yourself from possible compromise!
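Halo’s check above looks at one fixed path, but as noted earlier the plugin may also be bundled inside a theme. As an added example that is not part of this post or of Halo, the following Python script walks wp-content/plugins/ and wp-content/themes/ for either plugin directory and reads the Version line from the plugin header so you can compare it with the vendor’s current release. The directory layout and version strings it builds are constructed sample data.

```python
import os
import re
import tempfile

# Directory names of the two ThemePunch plugins named in the post.
AFFECTED_PLUGINS = ("revslider", "showbiz")
# 'Version:' line of the standard WordPress plugin header comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([\w.\-]+)", re.M)


def plugin_version(plugin_dir):
    """Header Version of the first top-level .php file that has one, else None."""
    for name in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, name)
        if name.endswith(".php") and os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                m = VERSION_RE.search(fh.read(4096))
            if m:
                return m.group(1)
    return None


def find_affected_plugins(wp_root, names=AFFECTED_PLUGINS):
    """Map relative path -> version for affected plugin directories found under
    wp-content/plugins/ (stand-alone) or anywhere below wp-content/themes/ (bundled)."""
    found = {}
    for sub in ("plugins", "themes"):
        base = os.path.join(wp_root, "wp-content", sub)
        for dirpath, dirnames, _ in os.walk(base):
            for d in dirnames:
                if d.lower() in names:
                    full = os.path.join(dirpath, d)
                    found[os.path.relpath(full, wp_root)] = plugin_version(full)
    return found


def build_sample_tree():
    """Constructed WordPress layout (sample data, not a real install):
    revslider stand-alone, showbiz bundled in a theme, one unrelated plugin."""
    root = tempfile.mkdtemp()
    header = "<?php\n/*\nPlugin Name: %s\nVersion: %s\n*/\n"
    files = {
        "wp-content/plugins/revslider/revslider.php": header % ("Slider Revolution", "1.2.3"),
        "wp-content/themes/sometheme/inc/showbiz/showbiz.php": header % ("Showbiz Pro", "4.5.6"),
        "wp-content/plugins/otherplugin/other.php": header % ("Other", "9.9"),
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Presence alone does not prove a server is vulnerable; the version reported is what you compare against the vendor’s fixed release.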
While Halo’s Configuration Security Monitoring policies can help you detect whether the affected WordPress plugins are installed on your systems, Halo’s Log-based Intrusion Detection System (LIDS) can help detect whether the “bad guys” are probing your servers for them.
We can build the following Halo LIDS policy from the information in the Sucuri blog post that SC Magazine’s article referenced.
Step 1 – Log into your Halo account and navigate to Policies -> Log-based IDS Policies.
Step 2 – Click Add New Linux Policy.
Step 3 – Fill out the Name and Description as in the provided example.
Step 4 – For this example, give the policy rule the name of the WordPress plugin whose probing we want to detect: “Slider Revolution”.
Step 5 – Tell Halo what log file it should be searching for evidence of probes. In this case it’s just the regular Apache access.log, which on our Ubuntu server is located at /var/log/apache2/access.log.
Step 6 – Provide a search expression that matches the entries that would appear in the logs if someone were trying to exploit the plugin’s vulnerability. Our example might look daunting at first, but it is really very straightforward. Sucuri’s blog post already showed what the probes look like in access logs, so I have taken those examples and kept only the portion that identifies a probe against the Slider Revolution plugin looking for the victim’s wp-config.php file.
What you see in the example is that snippet with its punctuation escaped using the backslash (\) character. (If you click the small question-mark icon next to Search Expression on the Edit Policy page, you can read what the components of Halo’s Search Expression Syntax are.)
Step 7 – Unless you want to mark a match on this rule as critical or have it generate an alert, just leave the Active checkbox checked and click Save Policy.
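The example expression itself is not reproduced in the text. As an added example, not from this post, from Halo or from Sucuri, here is the same idea in Python run over constructed Apache access-log lines: it parses each combined-format line, URL-decodes the request and flags requests that name one of the affected plugins and ask for wp-config.php, while a normal asset load from the plugin directory does not match. The addresses and request strings are constructed samples, not the exact probe from Sucuri’s write-up.

```python
import re
from urllib.parse import unquote

# Apache combined log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Same intent as the Halo search expression: a request that names one of the
# affected plugins and asks for wp-config.php. Matched after URL-decoding so
# percent-encoded variants of "../wp-config.php" are caught as well.
PROBE_RE = re.compile(r"(revslider|showbiz).*wp-config\.php", re.I)

# Constructed sample lines (RFC 5737 test addresses); the request strings are
# illustrative, not the exact probe shown in Sucuri's write-up.
SAMPLE_LOG = [
    # normal asset load from the plugin directory: must NOT be flagged
    '203.0.113.5 - - [15/Dec/2014:10:01:02 +0000] "GET /wp-content/plugins/'
    'revslider/css/settings.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # probe naming the plugin and reaching for wp-config.php
    '198.51.100.7 - - [15/Dec/2014:10:03:44 +0000] "GET /index.php?plugin='
    'revslider&file=../../wp-config.php HTTP/1.1" 200 2314 "-" "curl/7.38.0"',
    # same shape, percent-encoded traversal, aimed at Showbiz Pro
    '198.51.100.9 - - [15/Dec/2014:10:05:10 +0000] "GET /index.php?plugin='
    'showbiz&file=%2e%2e%2fwp-config%2ephp HTTP/1.1" 404 209 "-" "python-requests/2.4"',
    # direct request without a plugin name: outside this rule's scope
    '203.0.113.5 - - [15/Dec/2014:10:06:00 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(lines):
    """Return (ip, status, request) for each line matching PROBE_RE. A hit with
    status 200 and a non-trivial byte count deserves the highest priority,
    since it suggests the server actually served the file."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and PROBE_RE.search(unquote(rec["request"])):
            hits.append((rec["ip"], rec["status"], rec["request"]))
    return hits
```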
The Halo platform and its approach to providing software-defined security make it a powerful ally when complex security issues arise. Hopefully this specific example will give you some idea of the ways in which Halo can be quickly applied to helping keep your clouds and computers secure!