{"id":18057,"date":"2024-09-10T08:36:45","date_gmt":"2024-09-10T08:36:45","guid":{"rendered":"https:\/\/cloudkul.com\/blog\/?p=18057"},"modified":"2024-09-10T08:46:30","modified_gmt":"2024-09-10T08:46:30","slug":"wordpress-security-identifying-fixing-lite-speed-cache-v-6-3-0-1-vulnerabilities","status":"publish","type":"post","link":"https:\/\/cloudkul.com\/blog\/wordpress-security-identifying-fixing-lite-speed-cache-v-6-3-0-1-vulnerabilities\/","title":{"rendered":"WordPress Security: Identifying & Fixing\u00a0Lite-speed Cache V-6.3.0.1 Vulnerabilities"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

All versions of the Lite-speed Cache WordPress plugin, including 6.3.0.1, are susceptible to privilege escalation. <\/p>\n\n\n\n

The reason for this is that the role simulation feature is not appropriately restricted by the plugin.<\/p>\n\n\n\n

Lite-speed Cache is one of the most widely used caching plugins for WordPress, with over five million active installations.<\/p>\n\n\n\n

Lite-speed Cache<\/strong><\/h2>\n\n\n\n

This is a sophisticated caching plugin designed for WordPress that significantly improves website performance.<\/p>\n\n\n\n

It achieves this by storing frequently accessed data in a cache and, as a result, reduces the need for repeated server processing and data retrieval.<\/p>\n\n\n\n

As a result, this caching mechanism allows web pages to load more quickly for visitors, enhancing the overall user experience and reducing server load.<\/p>\n\n\n\n

Lite-speed Cache for WordPress works by creating and storing temporary copies of each web page on your site. <\/p>\n\n\n\n

However, these copies are saved on the local server where the Lite-speed software is installed, not on any external servers or accessed by Lite-speed employees.\u00a0<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

<\/p>\n\n\n\n

Identifying Vulnerability<\/strong><\/h2>\n\n\n\n

We recently heard about this plugin being in the news and looked into it on several platforms. However, we found out that the reports are true: <\/p>\n\n\n\n

The plugin is vulnerable to an ‘unauthenticated privilege escalation<\/strong>‘ attack. After that, we decided to reproduce this vulnerability on our local system, <\/p>\n\n\n\n

And found that the Lite-speed Cache plugin version 6.3.0.1 is indeed vulnerable to an ‘unauthenticated privilege escalation<\/strong>‘ attack<\/p>\n\n\n\n

The Lite-speed Cache plugin for WordPress is vulnerable to privilege escalation in all versions up to and including 6.3.0.1.<\/p>\n\n\n\n

This happens because the plugin doesn\u2019t properly limit role simulation.<\/p>\n\n\n\n

However, If an attacker can find a valid hash (from debug logs or by guessing), they can pretend to be an administrator and use the REST API endpoint to create a new admin account without being logged in<\/p>\n\n\n\n

Understand The Security Flaw <\/strong><\/h2>\n\n\n\n

The async_lite-speed_handler() function had a security flaw because it didn\u2019t properly check who was allowed to use it. <\/p>\n\n\n\n

This allowed anyone to trigger it and create a special $hash value that was stored in the database. <\/p>\n\n\n\n

This hash could then potentially be used for malicious purposes if not handled securely.<\/p>\n\n\n\n

Loose Comparison: <\/strong>A way of comparing values in programming where the comparison isn\u2019t very strict. <\/p>\n\n\n\n

It often allows different types of data (like numbers and strings) to be considered equal if they look similar.<\/p>\n\n\n\n

Example:-<\/p>\n\n\n\n

If (\u201c123abc\u201d == 123)<\/p>\n\n\n\n

{<\/p>\n\n\n\n

Echo \u201cThey are equal\u201d<\/p>\n\n\n\n

}<\/p>\n\n\n\n

A security risk with loose comparison is that it allows values that aren\u2019t exactly the same to be considered equal due to type conversion. <\/p>\n\n\n\n

However, this can let an attacker use a slightly incorrect or manipulated value to bypass security checks, making the system vulnerable to attacks.<\/p>\n\n\n\n

Capability Check:<\/strong> Normally, functions should check the user\u2019s permissions (capabilities) to ensure that only authorized users (like administrators) can perform certain actions.<\/p>\n\n\n\n

Nonce Check:<\/strong> A nonce is a security token that helps prevent certain types of attacks (like Cross-Site Request Forgery or CSRF). It also ensures that the request is coming from a trusted source.<\/p>\n\n\n\n

Role Simulation Using Cookies:<\/strong><\/h3>\n\n\n\n

Cookies Used:<\/strong> The function relies on two specific cookies:<\/p>\n\n\n\n

lite-speed_role:<\/strong> This cookie presumably contains a role name (like “administrator” or “editor”).<\/p>\n\n\n\n

lite-speed_hash: <\/strong>to match the value in the database.<\/p>\n\n\n\n

Cookie Manipulation:<\/strong> If an attacker can manipulate their cookies, then they could set their lite-speed_role<\/strong> cookie to any role, including an administrative role, and can set the lite-speed_hash<\/strong> to match the value in the database.<\/p>\n\n\n\n

No Additional Security Checks:<\/strong> Basically, the function only checks if the cookie values match what\u2019s in the database. <\/p>\n\n\n\n

However, It doesn\u2019t check if the user is authorized to perform this action or if the cookie is coming from a legitimate source.<\/p>\n\n\n\n

Privilege Escalation:<\/strong> By manipulating these cookies, an attacker could simulate being a higher-privileged user (like an administrator)<\/p>\n\n\n\n

Gaining unauthorized access to restricted parts of the website, or performing actions that they shouldn\u2019t be allowed to.<\/p>\n\n\n\n

Basically, the $hash is very weak and easy to guess. If someone can find out what it is, then they can pretend to be any user, even an administrator, <\/p>\n\n\n\n

After that, they can perform actions like creating new admin accounts or accessing restricted areas. <\/p>\n\n\n\n

The fact that the hash is short which never expires, and is checked loosely makes it even easier to exploit.<\/p>\n\n\n\n

If you\u2019re a WordPress user running Lite-speed Cache plugin version 6.3.0.1, then please follow these steps to reproduce the vulnerability on your local system:-<\/p>\n\n\n\n

Steps to Reproduce:-<\/strong><\/h2>\n\n\n\n
    \n
  1. Visit your WordPress site with the Lite-speed Cache plugin installed.<\/li>\n\n\n\n
  2. Then, log in as a normal user using your user ID and password.<\/li>\n\n\n\n
  3. Your browser will save your \u201cCred & Role<\/strong>\u201d in cookies as a hashed value (e.g., #Gt%$;jhHJk*&).<\/li>\n\n\n\n
  4. Additionally, the database stores the same hash for this user<\/li>\n\n\n\n
  5. Next time you visit the site using the same browser, then the Lite-speed Cache plugin will retrieve the hash from your browser cookies and compare it with the hash value stored in the database.

    However, If the values match, then you will gain access to your account based on your role.<\/li>\n\n\n\n
  6. An attacker can manipulate their cookies, they could set their lite-speed_role cookie to any role, including an administrative role, and set the lite-speed_hash or use brute-force techniques.

    May try to match multiple hashes, or if they have information about the admin user, they might directly attempt to match the admin hash to gain access.<\/li>\n\n\n\n
  7. With 1 million possible security hash values and a rate of three requests per second, an attacker could potentially gain site access as any user ID<\/li>\n\n\n\n
  8. Once an attacker gains access to another user\u2019s account, such as an administrator’s, they can create a new user with administrative privileges.<\/li>\n<\/ol>\n\n\n\n

    For a better understanding, please refer to the diagram below:-<\/strong><\/p>\n\n\n\n

    \"\"<\/a><\/figure>\n\n\n\n

      <\/p>\n\n\n\n

    Unauthenticated Privilege Escalation<\/strong><\/h2>\n\n\n\n

    Unauthenticated privilege escalation is a security vulnerability that allows an attacker to gain higher levels of access or control over a system without needing to be authenticated or logged in.<\/p>\n\n\n\n

    Basically, it means that a user can exploit the system to perform actions or access data that should be restricted, even without proper credentials.<\/p>\n\n\n\n

    Impact<\/strong><\/h2>\n\n\n\n