This week, we review Unicode vulnerabilities, which allow code to be maliciously encoded so that it appears different to a compiler and the human eye. We’ll also talk about container security and a vulnerable WordPress plugin that we think requires attention.
Trojan Source (CVE-2021-42574)
A recent paper published by two Cambridge University researchers shows that the unique use of Unicode directionality override characters in code could cause human readers to misinterpret the code as safe while allowing malicious actors to introduce logic alterations into the codebase. The researchers have created a GitHub repository to demonstrate how these characters can get utilized in different programming languages.
#!/usr/bin/env python3
def sayHello():
print("Hello, World!")
def sayHello():
print("Goodbye, World!")
sayHello()Can you tell which function will run? A compiler can!
This issue can have multiple security implications. Malicious code can get introduced into an otherwise safe-looking public repository for supply-chain attacks. Code copied from public forums also can contain these malicious logic alterations. It’s mentioned in the paper that most compilers are vulnerable to these issues, and even though some communities have acknowledged the issue (see Rust and GitHub), it’s known that most are still vulnerable.
Container Security Best Practices
According to Docker, a container is a standard unit of software that packages up code and all its dependencies. The application runs quickly and reliably from one computing environment to another. This allows deploying an application image without making changes on different host operating systems. Although these container images are isolated from the underlying operating system, an exploitable vulnerability inside a container can compromise your whole cloud infrastructure, according to sysdig’s Comprehensive Container Security guide. According to the 2020 Cloud Native Computing Foundation (CNCF) Survey, the use of containers in production has increased to 92%, which means it’s more important than ever to secure these instances.
We offer our own container security guide that goes into further detail on using recommended tools and procedures to build secure Docker images. We recommend following these best practices to secure your containers better:
- Update the images regularly to reduce the number of vulnerabilities in a container.
- Frequently scan for vulnerabilities using a vulnerability scanning tool such as Trivy, a free and open-source tool built for this purpose.
- Create limited users for running containers and avoid running the containers as the root user whenever possible. It’s important to exercise the least privilege principle when using containers.
- Limit the CPU and RAM that a container uses. Hardware usage limits greatly mitigate an attacker’s ability to perform crypto mining on a given container. This also benefits improving performance by reducing the amount of unnecessary resources allocated for a container.
Lastly, you can check out the Docker Security Cheat Sheet provided by the Open Web Application Security Project (OWASP) for a quick overview on this subject.
OptinMonster WordPress Plugin (CVE-2021-39341)
According to the plugin’s WordPress page, OptinMonster is a plugin that helps its users to build popups to enable subscription for readers. As of this writing, it has over one million active installations.
This plugin uses API endpoints to function. According to the WordFence article, most of these API endpoints were vulnerable, allowing an unauthenticated attacker to export sensitive information and inject malicious JavaScript code into the WordPress sites using the plugin. Versions before 2.6.4 of this plugin are open to these attacks, and it’s highly recommended to update this plugin to the latest version. The OptinMonster team has reset the compromised API keys, and users might need to regenerate their API keys to keep using the plugin.
By preparing these digests, we aim to share useful information with our readers. Feel free to leave a comment down below if you learned something new, and stay tuned for the latest news on security.
Comments