In this week’s digest, we will discuss:
- Zero-day vulnerability in the WPGateway WordPress plugin
- Visual Studio Code elevation of privilege vulnerability
- Highlights from the State of Cloud Security Report 2022 by Snyk
Zero-Day in WPGateway Plugin
CVE-2022-3180, a zero-day flaw in the latest version of the premium WordPress plugin WPGateway, is being actively exploited in the wild and can allow attackers to completely take over affected sites. The vulnerability, which carries a CVSS score of 9.8, is being weaponized to add malicious administrator users to sites running the WPGateway plugin, as reported by the WordPress security company Wordfence.
How to check whether a website has been compromised:
- The most common indicator is the presence of an administrator account with the username “rangex”.
- Another indicator is the appearance of requests to “//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1” in the site’s access logs, although such a request does not necessarily mean the site was successfully breached.
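The two indicators above can be checked mechanically. The following script is an added example for this digest, not code from Wordfence: it scans access-log lines (combined log format is assumed) for the reported request, collapsing the doubled leading slash so the comparison does not depend on that quirk, and compares a list of administrator usernames against the reported “rangex” account. The log lines and the administrator list are constructed samples.

```python
import re
from urllib.parse import parse_qs

# Indicators taken from the digest: the request path Wordfence reported seeing
# and the administrator username the attackers add.
SUSPICIOUS_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
SUSPICIOUS_QUERY_KEY = "wp_new_credentials"
SUSPICIOUS_ADMIN = "rangex"

# Apache/nginx combined log format (assumed layout of the access log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_wpgateway_probe(target: str) -> bool:
    """True when a request target matches the access-log indicator from the digest."""
    path, _, query = target.partition("?")
    # The reported requests begin with "//"; collapse repeated slashes so the
    # comparison does not depend on that quirk (or on a subdirectory install).
    path = re.sub(r"/{2,}", "/", path)
    if not path.endswith(SUSPICIOUS_PATH):
        return False
    return parse_qs(query).get(SUSPICIOUS_QUERY_KEY) == ["1"]


def scan_access_log(lines):
    """Return one record per matching request (source IP, timestamp, HTTP status)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_wpgateway_probe(m.group("target")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status"))})
    return hits


def find_rogue_admins(admin_usernames):
    """Return administrator usernames matching the known indicator (case-insensitive)."""
    return [u for u in admin_usernames if u.lower() == SUSPICIOUS_ADMIN]


# Constructed sample log lines (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Sep/2022:10:15:02 +0000] "GET //wp-content/plugins/wpgateway/'
    'wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [13/Sep/2022:10:16:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Sep/2022:10:17:44 +0000] "POST /wp-content/plugins/wpgateway/'
    'wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 403 199 "-" "curl/7.85.0"',
    '192.0.2.9 - - [13/Sep/2022:10:18:00 +0000] "GET /wp-content/plugins/wpgateway/'
    'wpgateway-webservice-new.php?foo=bar HTTP/1.1" 200 10 "-" "-"',
]

# Constructed administrator list, e.g. from:
#   wp user list --role=administrator --field=user_login
SAMPLE_ADMINS = ["alice", "rangex", "webmaster"]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"[!] credential request to WPGateway from {hit['ip']} "
              f"at {hit['ts']} (HTTP {hit['status']})")
    for user in find_rogue_admins(SAMPLE_ADMINS):
        print(f"[!] administrator account matching known indicator: {user}")
```

The script reports the HTTP status with each hit on purpose: as the digest notes, seeing the request is not proof of a successful breach, so a hit should be triaged together with the response code and the administrator list rather than treated as a confirmed compromise on its own.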
Wordfence is withholding further details about the vulnerability while it is under active exploitation, to avoid helping other malicious actors take advantage of it. It also recommends that users remove the plugin from their WordPress installation until a patch is available.
Visual Studio Code Elevation of Privilege
CVE-2022-38020 is an elevation of privilege vulnerability in VS Code v1.71.0 and earlier versions. On a shared Windows machine, a low-privileged attacker can create a bash.exe executable in one of the locations that VS Code scans for terminal profiles. VS Code then lists the planted executable as a terminal profile, from which another user on the machine can easily run it. The paths in question were:
- C:\Cygwin64\bin\bash.exe
- C:\Cygwin\bin\bash.exe
- C:\ProgramData\scoop\apps\git-with-openssh\current\bin\bash.exe
The fix is available starting with VS Code 1.71.1. The fix (0b356bf) mitigates this attack by removing those paths completely from the terminal profile detection feature. As workarounds, avoid running terminal profiles that you do not expect to be installed on the machine; an administrator may also be able to lock down the folders in question.
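Whether those folders are actually locked down is a question an administrator can answer with a quick ACL audit. The following script is an added example, not code from VS Code or from the fix: for each parent directory of the three paths above it runs the built-in `icacls` tool on that directory (or, when the directory does not exist yet, on its nearest existing ancestor, since that is where an attacker would have to create the missing folders) and reports whether a low-privileged group can create files there. The `icacls` output layout it parses is an assumption about that tool, the `SAMPLE_ICACLS` text is a constructed sample mirroring the usual ACL of C:\ProgramData, and the check is best-effort: it does not resolve group nesting or owner-specific rights.

```python
import os
import re
import subprocess
import sys

# Parent directories of the bash.exe locations that VS Code 1.71.0 probed.
PROFILE_DIRS = [
    r"C:\Cygwin64\bin",
    r"C:\Cygwin\bin",
    r"C:\ProgramData\scoop\apps\git-with-openssh\current\bin",
]

# Groups that every interactive user on a shared machine belongs to.
LOW_PRIV_PRINCIPALS = {"BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "Everyone"}

# icacls rights tokens that let a principal create or replace files in a directory:
# F full control, M modify, W generic write, WD write data / add file,
# AD append data / add subdirectory, DC delete child.
WRITE_TOKENS = {"F", "M", "W", "WD", "AD", "DC"}


def parse_icacls(output: str, path: str):
    """Parse `icacls <path>` output into (principal, rights-token set) pairs.

    Assumed layout: the first line begins with the path, continuation lines are
    indented, and rights appear as parenthesised groups such as (OI)(CI)(WD,AD).
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        if ":" not in line or "(" not in line:
            continue  # blank line or the "Successfully processed ..." summary
        principal, rights = line.rsplit(":", 1)
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", rights):
            tokens.update(t.strip() for t in group.split(","))
        aces.append((principal.strip(), tokens))
    return aces


def writable_by_low_priv(output: str, path: str):
    """Low-privileged principals that can create files directly inside `path`."""
    found = set()
    for principal, tokens in parse_icacls(output, path):
        if principal not in LOW_PRIV_PRINCIPALS:
            continue
        if "DENY" in tokens or "IO" in tokens:
            continue  # deny entry, or inherit-only entry that does not apply to the folder itself
        if tokens & WRITE_TOKENS:
            found.add(principal)
    return sorted(found)


def nearest_existing_dir(path: str) -> str:
    """Walk up until an existing directory is found (an attacker would create the rest)."""
    while not os.path.isdir(path):
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return path


def audit_profile_dirs(dirs=PROFILE_DIRS):
    """Run icacls on each probed directory (or its nearest existing ancestor)."""
    findings = {}
    for d in dirs:
        target = nearest_existing_dir(d)
        proc = subprocess.run(["icacls", target], capture_output=True, text=True, check=False)
        findings[d] = (target, writable_by_low_priv(proc.stdout, target))
    return findings


# Constructed sample mirroring the default ACL of C:\ProgramData (not captured output).
SAMPLE_ICACLS = r"""C:\ProgramData NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               BUILTIN\Administrators:(OI)(CI)(F)
               CREATOR OWNER:(OI)(CI)(IO)(F)
               BUILTIN\Users:(OI)(CI)(RX)
               BUILTIN\Users:(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    if sys.platform != "win32":
        print("sample ACL, creatable by:", writable_by_low_priv(SAMPLE_ICACLS, r"C:\ProgramData"))
    else:
        for probed, (checked, who) in audit_profile_dirs().items():
            status = f"creatable by {', '.join(who)}" if who else "locked down"
            print(f"{probed}\n  checked {checked}: {status}")
```

On the sample ACL the script flags BUILTIN\Users, because the (WD,AD) entry lets any member create files and subfolders directly under C:\ProgramData; that is exactly the property that made the scoop path above usable by a low-privileged account, and it is what an administrator removes when "locking down" the folder.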
Highlights from State of Cloud Security Report 2022 by Snyk
- 80% of organizations experienced a serious cloud security incident during the last year.
- Fast growing start-ups fared the worst with 89% impacted. Public sector entities (government and non-profit) experienced nearly the same.
- Broken down by use case: companies using the cloud primarily as a platform for hosting applications migrated from a data center reported the most serious cloud security incidents in the past year (89%); companies using the cloud to host third-party applications reported incidents at 78%; and teams using the cloud as a platform to build and run in-house applications reported incidents at 73%, which could be explained by their having more visibility and control over the environment.
- Infrastructure as Code (IaC) security presents teams with the opportunity to verify the security of cloud infrastructure earlier in the SDLC—pre-deployment—which can save time and reduce the frequency of runtime misconfiguration issues.
- IaC security reduces misconfigurations by 70%, and the median reported ROI for IaC security is 70% for both increased productivity and deployment speed.
- Five recommendations for improving cloud security:
  - Know your environment: Maintain awareness of every resource running in your cloud environment, how each resource is configured, and how the resources relate to each other.
  - Focus on prevention and secure design: The way to avoid cloud breaches is to prevent the conditions that make them possible, including resource misconfigurations and architectural design flaws.
  - Empower cloud developers to build and operate securely: As infrastructure as code adoption goes mainstream, cloud engineers need tools to get security right in the design and development phases of the SDLC.
  - Align and automate with Policy as Code (PaC): When security policies are expressed solely in human language and exist only in PDF documents, they might as well not exist at all.
  - Measure what matters and operationalize cloud security: Cloud security is about operational discipline and getting the right processes in place.
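The IaC security and policy-as-code points above describe the same practice: express a rule as code and evaluate it against the infrastructure definition before anything is deployed. The following script is an added example for this digest, not Snyk's tooling: it evaluates two such rules (no admin ports open to the whole internet on a security group, no public canned ACL on an S3 bucket) against a Terraform plan exported with `terraform show -json`. The `SAMPLE_PLAN` document is a constructed, trimmed-down plan in that format's `resource_changes` shape, and the attribute names follow the Terraform AWS provider; a real plan carries many more fields, which the checks simply ignore.

```python
import json
import sys

ADMIN_PORTS = {22, 3389}
PUBLIC_ACLS = {"public-read", "public-read-write"}
WORLD = {"0.0.0.0/0", "::/0"}


def rule_no_world_open_admin_ports(res, after):
    """Security groups must not expose SSH/RDP (or all ports) to the whole internet."""
    if res.get("type") != "aws_security_group":
        return None
    for rule in after.get("ingress", []) or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        if not cidrs & WORLD:
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        all_ports = rule.get("protocol") in ("-1", "all") or (lo == 0 and hi == 0)
        if all_ports or any(lo <= p <= hi for p in ADMIN_PORTS):
            return f"{res['address']}: ingress {lo}-{hi}/{rule.get('protocol')} open to the world"
    return None


def rule_no_public_bucket_acl(res, after):
    """S3 buckets must not be created with a public canned ACL."""
    if res.get("type") == "aws_s3_bucket" and after.get("acl") in PUBLIC_ACLS:
        return f"{res['address']}: bucket ACL '{after['acl']}' is public"
    return None


RULES = [rule_no_world_open_admin_ports, rule_no_public_bucket_acl]


def evaluate_plan(plan):
    """Apply every rule to the post-apply state of each resource the plan creates or updates."""
    violations = []
    for res in plan.get("resource_changes", []):
        after = res.get("change", {}).get("after")
        if after is None:
            continue  # resource is being destroyed; nothing to enforce
        for rule in RULES:
            msg = rule(res, after)
            if msg:
                violations.append(msg)
    return violations


# Constructed sample plan (not a real `terraform show -json` export).
SAMPLE_PLAN = {
    "format_version": "1.1",
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
         ]}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "example-logs", "acl": "public-read"}}},
        {"address": "aws_s3_bucket.private", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "example-private", "acl": "private"}}},
        {"address": "aws_security_group.old", "type": "aws_security_group",
         "change": {"actions": ["delete"], "after": None}},
    ],
}

if __name__ == "__main__":
    # Usage: python iac_policy.py plan.json   (or no argument to evaluate the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    found = evaluate_plan(plan)
    for v in found:
        print("FAIL", v)
    print("policy check:", "failed" if found else "passed")
    sys.exit(1 if found else 0)  # non-zero exit blocks the pipeline before apply
```

Run as a CI step between `terraform plan` and `terraform apply`, the non-zero exit is what turns the written policy into an enforced one: the 0.0.0.0/0 SSH rule and the public bucket ACL are caught before they ever reach a runtime environment, while the bucket with a private ACL and the resource being destroyed pass through untouched.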
The full Snyk report, State of Cloud Security 2022, can be found here.