Ever get that sinking feeling?

WordPress 4.7, nicknamed Vaughan, was released last week without much fanfare. It also came without the usual batch of important security patches.

If you run a WordPress-based site, you probably think you can relax once you've applied the core update and let your security scanner plug-in loose on it. Things might not be quite as secure as they seem, however, if the developers of one such plug-in are correct.

Wordfence developers have warned that competitors in the field may not keep WordPress sites as malware-free as Wordfence can. No great surprise there, we grant you. However, the reasoning behind the claim, the competitors' use of insecure MD5 hashing, probably warrants a closer inspection.

Here's what the Wordfence developers have to say: “Hashes are a way for security companies like us to store a small piece of data that uniquely identifies known bad or good files, and then use that data to check if those files exist on a system we're scanning. Then we can make a decision about whether to preserve the file or get rid of it. With MD5, it's possible to create two different files that have the same MD5 hash, or unique signature. This could be used, for example, to fool a malware scanner into thinking a malware file is actually a known-good file. That is why we use SHA-2 in Wordfence to track known good files. It prevents an attacker from creating a bad file that has the same hash as a known good file and avoiding detection.”

In other words, and in far fewer of them, WordPress security scanners that rely on MD5 hashing may inadvertently allow an attacker to hide malware that they cannot detect. That prompted us to wonder why any security company, WordPress-related or not, would still be using MD5 when an alternative such as SHA-2 is readily available. Is this, we asked, laziness within the protocol design community, or does it not represent a real-world problem at all?

Alex Mathews, the lead security evangelist at Positive Technologies, thinks that laziness may not be the driver here. “Perhaps, by the developer's evaluation, the cost of code changing is much higher than the potential damage in case of WhiteList False Positive (when users but not a developer will be affected),” Alex told SC Media UK.

He went on to consider that a developer keeps only the "bad / good" hashes but doesn't have the "bad / good" files themselves, so he cannot recalculate the hashes with different algorithms. “Historically, MD5 is one of the most popular hashing algorithms,” Alex continues. “A lot of systems are based on it. If a bad hash function is used for blacklisting, it's not a very big problem: False Positive will mark a safe file as suspicious, that's all.”
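To make the allowlist/denylist asymmetry from the Wordfence statement and Alex Mathews' remarks concrete, here is an added example of a minimal file-integrity scanner; it is not Wordfence's code or anyone's quoted code, and the file names and contents are constructed for illustration. The `algo` parameter shows that the scanning logic is identical for MD5 and SHA-256; only the collision resistance of the hash differs.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path, algo="sha256"):
    """Hash a file in chunks; algo is any name hashlib knows ("md5", "sha256", ...)."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(root, known_good, known_bad, algo="sha256"):
    """Classify every file under root against two sets of hex digests made with algo.
    Verdicts: "known-bad" (denylist hit), "known-good" (allowlist hit, skipped by the
    scanner), "unknown" (neither; left for manual review). The allowlist is the risky
    one: a second file colliding with a known-good hash is silently skipped, whereas a
    collision with a denylist entry only produces a false positive."""
    verdicts = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = file_digest(path, algo)
        rel = path.relative_to(root).as_posix()
        if digest in known_bad:          # denylist checked first, so it always wins
            verdicts[rel] = "known-bad"
        elif digest in known_good:
            verdicts[rel] = "known-good"
        else:
            verdicts[rel] = "unknown"
    return verdicts

# Constructed sample tree (not real WordPress files): one pristine core file, one
# edited copy of it, and one file that will be placed on the denylist.
SAMPLE_FILES = {
    "wp-includes/version.php": b"<?php\n$wp_version = '4.7';\n",
    "wp-includes/version.php.bak": b"<?php\n$wp_version = '4.7'; // edited\n",
    "wp-content/uploads/unexpected.php": b"<?php /* constructed denylist sample */\n",
}

def run_demo(algo="sha256"):
    """Write the sample tree to a temp dir, build both lists from it, and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        known_good = {file_digest(root / "wp-includes/version.php", algo)}
        known_bad = {file_digest(root / "wp-content/uploads/unexpected.php", algo)}
        return scan(root, known_good, known_bad, algo)

if __name__ == "__main__":
    for rel, verdict in run_demo().items():
        print(f"{verdict:10s} {rel}")
```

A real scanner would ship the known-good manifest with the release rather than derive it from the files being scanned; here it is built in place only so the demo runs offline.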

Ilia Kolochenko, CEO of web security company High-Tech Bridge, agrees that it's an interesting blog post but doubts that MD5 can really be considered unreliable in this particular instance. “Cyber-criminals targeting vulnerable WordPress websites don't need to have such level of sophistication when obfuscating their malware,” Ilia says. “Millions of WP websites almost never install updates, not even speaking about file integrity monitoring.”

He has a point, and here comes another one: “There are much easier ways to hide malware on a compromised WP website, such as placing malicious code into database, not the web application.”

So is MD5 hashing in WordPress security scanners a real world problem we should be getting hot under the collar about as an industry? Alex Mathews concludes that “we don't know about real-world problems it could lead to so far”.

He adds: “Modern security systems are not restricted to a sole malware scanner to catch malware: they use dynamic and behavioral analysis too, as well as other methods.”

And, if anyone from Wordfence is reading – we should point out that it's good practice to use more than one scanner from more than one vendor, just to be on the safe side anyway. Right?