Jetpack fixes 8-year-old flaw affecting millions of WordPress sites
Also, new EU cyber reporting rules are live, exploiters hit the gas pedal, free PDNS for UK schools, and more
In Brief - Updated A critical security update for the near-ubiquitous WordPress plugin Jetpack was released last week. Site administrators should ensure the latest version is installed to keep their sites secure.
Jetpack is a WordPress plugin developed by Automattic, offering features like antispam filtering, site analytics, and more. It released security patches for 101 different versions going all the way back to 2016's version 3.9.9, which introduced a flaw that's been present in the product ever since.
"During an internal security audit, we found a vulnerability with the Contact Form feature in Jetpack," the team said. "This vulnerability could be used by any logged in users on a site to read forms submitted by visitors on the site."
In other words, it has a lot of potential to do damage - in a very particular circumstance.
Jetpack claims there is no evidence that the vulnerability has ever been exploited in the wild, but it predicts that won't last now that it's told the world about the matter.
"Now that the update has been released, it is possible that someone will try to take advantage of this vulnerability," Jetpack noted. The post didn't include a CVE for the flaw, and it's not clear whether one has been assigned since then. We've reached out to the Jetpack team for comment, but they haven't responded.
As others have pointed out, Jetpack has long been a standard part of any new WordPress site, which means it's present in a lot of places - approximately 27 million sites by one estimate. It said the updated version should have been automatically installed on all affected websites, so WordPress administrators don't necessarily need to panic.
That said, it's still a good idea to double-check your Jetpack version to be sure you're not still on an old one.
Updated at 21:00 UTC, October 20th
Automattic sent us more info about the flaw.
The vulnerability affects the Contact Form module in Jetpack, which is automatically enabled upon installation and configuration of the plugin. Version 3.9.2 (released in 2016) and subsequent releases all have the problem.
Automattic described the flaw as “an access control issue within Jetpack’s REST API endpoint that manages feedback submitted via the Contact Form. Only logged-in users with low-level roles on the site could exploit the issue to view feedback submitted by site visitors via contact forms. Although this does expose a confidentiality issue, the nature of the vulnerability does not enable remote attacks or allow arbitrary actions beyond reading form submissions.”
Patches are being delivered to users who have enabled automatic updates.
But users who host their own WordPress sites, and have disabled auto-update for plugins, need to update manually.
There’s one exception to that requirement: Jetpack has several modules, and they are optional. It’s therefore conceivable that some WordPress/Jetpack users have disabled the Contact Form module – so even if their plugin is unpatched, they aren’t vulnerable.
Updating Jetpack regardless sounds like a fine idea – who wants known-to-be-vulnerable software present in their systems?
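As an added illustration (not Jetpack's code) of the access-control class Automattic describes, here is a WordPress REST route whose permission check stops at "is the caller logged in?" beside one that also checks a capability; the route names, the 'feedback' post type and the chosen capability are assumptions.

```php
<?php
// Added illustration (not Jetpack's code): the flaw class described above is a
// REST endpoint whose permission check only asks "is the caller logged in?"
// rather than "is the caller allowed to read other people's submissions?".
// Route names, the capability name and the post type are assumptions.

// Weak: any authenticated user, Subscriber included, can list submissions.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/feedback', array(
        'methods'             => 'GET',
        'callback'            => 'example_list_feedback',
        'permission_callback' => 'is_user_logged_in', // authentication only, no authorization
    ) );
} );

// Hardened: require a capability that only trusted roles hold. Low-level roles
// (Subscriber, Contributor, Author) do not have 'edit_others_posts' by default.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/feedback-secure', array(
        'methods'             => 'GET',
        'callback'            => 'example_list_feedback',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'edit_others_posts' ) ) {
                // 401 for anonymous callers, 403 for logged-in but unauthorised ones.
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to read form submissions.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

// Shared handler: returns submissions stored under an (assumed) 'feedback' post type.
function example_list_feedback( WP_REST_Request $request ) {
    $posts = get_posts( array( 'post_type' => 'feedback', 'numberposts' => 20 ) );
    return rest_ensure_response( wp_list_pluck( $posts, 'post_content', 'ID' ) );
}
```

The point is that authentication is not authorization: a permission_callback that only confirms a session lets the lowest role on the site read data meant for administrators.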
Critical vulnerabilities of the week
Only one major issue to report this week that wasn't covered elsewhere, but it's a doozy for anyone using Veeam backup and replication software.
CVE-2024-40711, with a CVSS score of 9.8, is a deserialization of untrusted data vulnerability that can allow an unauthenticated remote attacker to execute code. It's present in Veeam Backup & Replication software version 12.1.2.172 and earlier, so get those updates installed asap.
Veeam also patched other vulnerabilities this week, including a pair of CVSS 8.8 issues that allow MFA bypass and data exfiltration. Get patching.
New EU cyber incident reporting rules go into effect
The EU has officially adopted the first rules implementing NIS2, so companies in critical infrastructure sectors ought to prepare for stricter incident reporting requirements as their home countries implement their own local regulations.
NIS2, which modified prior cybersecurity rules and went into force in 2023, places several new requirements on critical sector firms, including giving them 24 hours to report a cyber incident and 72 hours to disclose information loss. Companies that don't comply will be fined up to €10 million or 2 percent of their global turnover.
The new rule covers companies in the sectors one would normally consider critical infrastructure, and like similar bills in the US, strives to make companies improve their reporting to consolidate threat intelligence.
"In today's cybersecurity landscape, stepping up our capabilities, security requirements and rapid information sharing with up-to-date rules is of paramount importance," said EU antitrust chief Margrethe Vestager. "I urge the remaining Member States to implement these rules at national level as fast as possible."
Be heard: Weigh in on CISA's list of bad product security practices
CISA and the FBI have put together a document outlining bad product security practices, and they want the public to weigh in on whether anything else is needed.
The document is designed for "software manufacturers who develop software products … used in support of critical infrastructure," but its recommendations apply just as much to other firms. In it, CISA and the FBI break down three categories of bad practices - product properties, security features, and organizational processes and policies - that they say affect secure development, and discuss a number of common problems that fall into each.
There's plenty to comment on, perhaps most critically the fact that CISA notes it is "non-binding" and imposes "no requirement" on companies to adopt better secure software development practices.
If you have an opinion on that, or anything else in the CISA/FBI doc, you can speak your mind until December 2, 2024.
Some good news: Free cybersecurity service for UK schools
Following the successful trial of a protective DNS service for schools, the UK National Cyber Security Centre is extending the program to other educational institutions.
Multi-academy trusts, academies, independent schools and school internet service providers are all being encouraged to sign up for the service, which offers schools DNS filtering from Cloudflare and Accenture to limit access to domains known to host malware and other nasties.
Even better, it's free.
"We have worked closely with the [NCSC] on this service to ensure all schools can now benefit from enhanced cyber resilience at no cost to them and I encourage settings to take advantage of this enhanced protection," UK minister for early education Stephen Morgan said of the news.
Interested institutions can sign up through the NCSC.
Cybercriminals are moving faster than ever
In the olden days of five years ago, it used to take months for threat actors and cybercriminals to start taking advantage of a newly-discovered exploit, but that window has shrunk to several days.
Google's Mandiant threat hunters released a report on 2023 time-to-exploit trends and found that, from 2022 to 2023, the average observed time to exploit (TTE) shrank from 32 days to just five, meaning threat actors are moving incredibly quickly nowadays. That drop wasn't gradual, either: Mandiant said the figure was around 63 days in 2018 to 2019, dropped to 44 in 2021, and fell to 32 in 2022.
That suggests a shift toward exploiting new, relatively unknown vulnerabilities, which is borne out by another statistic from the same report: the team said the observed ratio of n-days to zero-days has shifted to 30:70. Last year, it was 38 to 62.
"The shifting ratio appears to be influenced more from the recent increase in zero-day usage and detection rather than a drop in n-day usage," Mandiant said.
In other words, don't sleep on those zero-day patches. ®