ADVISORY: WordPress Zero-Day allowing hackers to reset admin password (CVE-2017-8295)

What happened?

WordPress is one of the most popular content management systems, servicing thousands of users and websites because it offers flexibility of tools with an easy-to-use interface. WordPress is also the first targeted CMS, as the return on investment is really high for hackers, and easy to perform automated web attacks.

Vulnerabilities on WordPress are discovered every day. This time, a zero-day that could allow a remote attacker to reset targeted users password under certain circumstances. The vulnerability (CVE-2017-8295) affects all versions of WordPress, including the latest 4.7.4 version.

What about this vulnerability (CVE-2017-8295)?

According to Dawid Golunski and TheHackerNews, while sending this email, WordPress uses a variable called SERVER_NAME to obtain the hostname of a server to set values of the From/Return-Path fields:

Image from TheHackerNews.

In-depth information on how this vulnerability is exploited by hackers explained in UnPatched WordPress Flaw Could Allow Hackers to Reset Admin Password (TheHackerNews).

How to fix it? Are DenyAll’s products concerned?

Fortunately, if you have a DenyAll WAF, meaning for the customers of DenyAll Web Application Firewall, DenyAll Web Services Firewall, DenyAll rWeb, you are fully protected against this vulnerability. By default, the reverse proxy does not accept unknown hosts and will block (and log) unknown hostnames.

The vulnerability has now been publically disclosed with no patch available from the WordPress security team. If you do not have a proper web application firewall, we advise you to update your server configuration to enable UseCanonicalName to enforce static/predefined SERVER_NAME value.

For urgent matter, lack of technical or security expertise, I invite you to have a look at CloudProtector, a Web Application Firewall that let you protect your WordPress website in one click at the price of a mobile plan. CloudProtector integrates a security policy for WordPress websites, you just have to make a simple DNS change to be protected. At least, get started with the 14-day free trial.

Xavier Quoniam, Marketing Manager on Linkedin
Xavier Quoniam, Marketing Manager
Xavier is our Marketing Manager. He is passionate about disruptive technologies that transform how companies communicate. He brings us its passion, curiosity, and fresh ideas to promote DenyAll and Cloud Protector at its best.