Vulnerability Exploited in LiteSpeed Cache Plugin (23rd August 2024)

Ref# AL2024_33 Critical | Date: Aug 23rd 2024

Description

Hackers have begun exploiting a critical vulnerability in the LiteSpeed Cache plugin, a popular tool used by WordPress websites to enhance performance by accelerating response times. The flaw, tracked as CVE-2024-28000, affects all versions of the plugin up to 6.3.0.1 and allows unauthorized privilege escalation. This vulnerability poses a severe risk, as it can lead to complete takeover of websites running the vulnerable plugin.

Details

The vulnerability arises from a weak hash check in the plugin’s user simulation feature, which attackers can exploit by brute-forcing the hash value. By doing so, they can create rogue administrator accounts through the WordPress REST API, gaining full control over the affected website. The method, demonstrated by security researcher Rafie Muhammad, involves cycling through 1 million possible security hash values at a rate of three requests per second. Depending on server response time, the attack can succeed in gaining site access in as little as a few hours or up to a week.

Indicators of Compromise (IoCs)

Organizations should monitor for the following indicators of compromise:

  • Unexpected creation of new administrator accounts.
  • Unusual or unauthorized changes to site settings or plugin configurations.
  • Installation of unfamiliar or malicious plugins.
  • Redirects to malicious websites.
  • Unauthorized access to or exfiltration of user data.

Remediation

To protect against this vulnerability, users of the LiteSpeed Cache plugin are strongly advised to update to the latest version (6.4.1) immediately. For those unable to update, the plugin should be uninstalled to mitigate the risk. Additionally, website administrators should monitor for any signs of compromise, such as unauthorized account creation or unexpected changes to site configurations. Implementing additional security measures, such as rate limiting and monitoring REST API access, can also help reduce the risk of exploitation.
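The two monitoring measures named above (rate limiting and watching REST API access) can be checked against ordinary web server access logs. The script below is an added example, not part of this alert or of the LiteSpeed project: it assumes Apache/Nginx "combined" log format, uses constructed sample lines (one source sending roughly three requests per second, the rate quoted in the Details section, followed by a REST API user creation), and the burst thresholds are illustrative assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic).
# 203.0.113.5 sends 36 hits in 12 s (~3 req/s) and then creates a user through
# the WordPress REST API; 198.51.100.7 is ordinary browsing.
def _line(ip, sec, method, path, status):
    return (f'{ip} - - [23/Aug/2024:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')

SAMPLE_LOG = [_line("203.0.113.5", s // 3, "GET", "/", 200) for s in range(36)]
SAMPLE_LOG += [_line("203.0.113.5", 13, "POST", "/wp-json/wp/v2/users", 201)]
SAMPLE_LOG += [_line("198.51.100.7", s * 10, "GET", f"/page-{s}/", 200) for s in range(5)]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
REST_USERS = "/wp-json/wp/v2/users"   # WordPress core REST endpoint for creating users

def parse(lines):
    """Yield (ip, datetime, method, path, status) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_bursts(lines, max_requests=20, window_s=10):
    """Return IPs that exceed max_requests inside any sliding window of window_s seconds.
    Thresholds are assumptions for illustration; tune them to the site's normal traffic."""
    recent = defaultdict(deque)
    flagged = set()
    for ip, ts, *_ in sorted(parse(lines), key=lambda e: e[1]):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests:
            flagged.add(ip)
    return flagged

def find_rest_user_creation(lines):
    """Return (ip, timestamp) for every successful POST to the REST users endpoint,
    which corresponds to the 'unexpected new administrator account' indicator."""
    return [(ip, ts.isoformat()) for ip, ts, method, path, status in parse(lines)
            if method == "POST" and path.startswith(REST_USERS) and status == 201]

if __name__ == "__main__":
    print("burst sources:", find_bursts(SAMPLE_LOG))
    print("REST user creation:", find_rest_user_creation(SAMPLE_LOG))
```

A hit from both checks for the same source address is a strong signal to review the site's user list and plugin state immediately.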

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

