Mitigating the Really Simple SSL Security Vulnerability
Note: This blog has been pretty quiet for a long time. We’re looking to change that and more frequently discuss things happening at Lightning Base. There may also be some general articles about WordPress or webhosting but we will be focusing on Lightning Base and how we handle various issues or how our systems work.
Yesterday, Wordfence announced a critical vulnerability in the Really Simple Security (previously called Really Simple SSL) plugin. As they note, this is one of the more serious security issues seen by WordPress users recently – it can provide full admin access to a site, is not difficult to exploit, and this plugin is very widely used, present on millions of WP installs.
Vulnerability / CVE Information
When a security issue is discovered there are various levels of severity. Security researchers use a “CVSS” score, which stands for Common Vulnerability Scoring System. It lets researchers score a vulnerability in several areas, such as how much access it provides, and how easy it is to exploit, and come up with a single number that describes the overall severity of the issue. A lot of vulnerabilities have low scores that indicate they are either unlikely to be widely exploited or provide less access if they are. But others have high scores, with the highest scores typically indicating a full site takeover is pretty trivial.
The Really Simple Security vulnerability has a CVSS score of 9.8, out of 10.0. Vulnerabilities are assigned a CVE number and placed in a database so they can be easily cross-referenced. The vulnerability seen by Really Simple SSL/Security is CVE-2024-10924 (note the format is CVE-year-vulnerability number).
The other aspect of significance is the number of sites affected. A quick shorthand for wordpress.org hosted plugins is to look at the ‘Active Installations’ number, which is the absolute minimum number of sites that have the given plugin active (it only counts those that check-in with wordpress.org). In this case 4,000,000 active installations are indicated, which is a lot.
How Lightning Base Approaches Vulnerability Announcements
Lightning Base uses a commercial service that provides web application firewall rules to mitigate vulnerabilities. This can take a couple of days before a rule is written, tested, and pushed out to all machines, but means we receive something to block exploitation of the vast majority of WordPress-related vulnerabilities before exploitation is attempted.
Most vulnerabilities are in the long tail of less-used plugins, and often have low to moderate CVSS scores. When these occur, we allow our commercial ruleset to secure sites and do not take any additional action.
The Really Simple Security vulnerability was in a different category. This is not difficult to exploit, allows for full site takeover (a successful attacker can login as an admin), and impacts a plugin used by a huge number of sites. We start by looking at two things:
1. Do sites we host use this?
2. How can we resolve the issue?
Do Sites We Host Run Really Simple Security?
Running a scan against our systems confirmed a meaningful percentage of sites we host have the Really Simple SSL plugin installed, which was expected. The issue specifically impacted certain versions of the plugin, some of which may not receive updates (if they are the pro version and have an expired license). The impacted versions were those at least 9.0 but less than 9.1.2. We scanned version numbers and saw the number of impacted sites drop significantly, because many were on the latest and a smaller number were too old, but there were still quite a few sites that were potentially vulnerable.
Given the number of sites active here and the severity of this issue we decided not to simply rely on our commercial feed but take action to resolve the problem same day.
How To Mitigate CVE-2024-10924
Resolving a vulnerability typically involves one of three options:
1. Ideally, the plugin is updated to a version that is not vulnerable.
2. If an update is not possible, blocking the specific requests that exploit the vulnerability may be an option.
3. In some rare cases there is some other mitigation that can be made, such as preventing execution of specific files.
As a hosting provider we can force-update plugins for clients, but doing so always runs some risk that a conflict occurs and sites are broken. As a general rule we try to avoid any modification to client files without their request/authorization, so we typically look first at blocking the specific request. In some cases this is easy to do, but for this particular vulnerability I was not confident we could do so reliably (i.e., without the ability for an attacker to work around the block) in a short time period while also avoiding breaking admin login for some clients. Due to this we decided to look at forced updates to Really Simple Security 9.1.2.
Force-Updating Really Simple SSL/Security
One reason force-updating was appealing is that the vulnerability only applied to very recent versions. There were around 5 minor updates, all released in September of this year or later. If a WordPress site is compatible with Really Simple Security 9.0.0 or greater, it’s less likely the subsequent updates to 9.1.2, which are mostly bugfixes or minor improvements, are going to cause a problem. The 9.0.0 release, however, introduced substantial changes and new features (including the two-factor authentication setup, which created this vulnerability), meaning it would typically have a higher chance of causing issues. Due to this we wanted to avoid updating copies of this plugin that were very old.
We performed a scan against all sites on our systems, detecting the versions of Really Simple Security installed. Most of these were already on 9.1.2 because they either use our auto-updates or reliably update their own sites. A process was run against the full list to eliminate those on 9.1.2 and anything below 9.0.0. Then, the remaining plugins were updated to the latest version of Really Simple Security.
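The scan-and-filter step above, written out as an added example (this is illustrative code, not Lightning Base's own tooling). It reads the `Version:` line from each site's copy of the plugin's main file and sorts installs into the three buckets the post describes: already on 9.1.2 or later, in the affected range (at least 9.0.0 and below 9.1.2, so a candidate for a forced update), or older than 9.0.0 and left alone. The plugin file names and the sample sites it builds in a temporary directory are assumptions constructed for the demonstration.

```python
"""Triage Really Simple SSL/Security installs by version for CVE-2024-10924.

Added example, not the hosting provider's own script. Assumes the plugin's
main file carries a standard WordPress plugin header ("Version: x.y.z") and
uses the affected range stated in the post: >= 9.0.0 and < 9.1.2.
"""
import re
import tempfile
from pathlib import Path

# Affected range from the post: at least 9.0.0, less than 9.1.2.
VULN_MIN = (9, 0, 0)
FIXED = (9, 1, 2)

# Main plugin files to look for (assumed names, keyed by plugin slug).
PLUGIN_FILES = (
    "really-simple-ssl/rlrsssl-really-simple-ssl.php",
    "really-simple-ssl-pro/really-simple-ssl-pro.php",
)

VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)


def parse_version(text):
    """Return a (major, minor, patch) tuple from a plugin header, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = []
    for piece in m.group(1).split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify(version):
    """Map a version tuple to the action taken in the post."""
    if version is None:
        return "unknown"          # header unreadable: check manually
    if version >= FIXED:
        return "patched"          # already on 9.1.2 or later
    if version >= VULN_MIN:
        return "force-update"     # affected, and recent enough to update safely
    return "too-old"              # below 9.0.0: not affected, left alone


def scan_site(docroot):
    """Find Really Simple SSL/Security under a site's wp-content/plugins."""
    found = {}
    for rel in PLUGIN_FILES:
        main = Path(docroot) / "wp-content" / "plugins" / rel
        if main.is_file():
            ver = parse_version(main.read_text(errors="replace"))
            found[rel.split("/")[0]] = (ver, classify(ver))
    return found


def triage(root):
    """Return {site: {plugin_slug: (version, action)}} for each site under root."""
    return {p.name: scan_site(p) for p in sorted(Path(root).iterdir()) if p.is_dir()}


def build_demo_sites(root):
    """Create constructed sample sites (demonstration data, not real installs)."""
    samples = {
        "site-a": ("really-simple-ssl", "9.1.2"),      # already patched
        "site-b": ("really-simple-ssl", "9.1.0"),      # affected, force-update
        "site-c": ("really-simple-ssl", "7.2.1"),      # too old, leave alone
        "site-d": ("really-simple-ssl-pro", "9.0.3"),  # affected pro install
    }
    for site, (slug, ver) in samples.items():
        rel = next(p for p in PLUGIN_FILES if p.startswith(slug + "/"))
        main = Path(root) / site / "wp-content" / "plugins" / rel
        main.parent.mkdir(parents=True)
        main.write_text(f"<?php\n/**\n * Plugin Name: Constructed sample\n * Version: {ver}\n */\n")
    return list(samples)


def run_demo():
    """Build the sample sites in a temp directory and triage them."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_sites(root)
        return triage(root)


if __name__ == "__main__":
    for site, plugins in run_demo().items():
        for slug, (ver, action) in plugins.items():
            print(f"{site}: {slug} {'.'.join(map(str, ver))} -> {action}")
```

On a real host the `root` would be the directory holding each client's document root, and the `force-update` list is what gets handed to whatever updater is used; anything classified `unknown` is worth a manual look rather than an automated update.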
As always with any change to a site there is at least a small chance of a problem. Help is available 24/7 at our https://secure.lightningbase.com ticketing system if any client’s site was impacted.
Dealing with Really Simple Security Pro
We ran a separate scan to locate installs of Really Simple Security Pro and check their versions. This plugin is less widely used, and they were almost universally on the latest or on a very old copy (likely due to expired licenses), meaning the total number of vulnerable installs was in the single digits. We applied the security update to these manually.
Conclusion
It’s frustrating that significant time and effort has to go into handling security issues, but that is the reality of most anything computer-based today. Lightning Base does what it can to help keep client sites safe, and took aggressive action in this case due to the widespread and severe nature of the Really Simple Security vulnerability.
This is something we have done for years, going back to problems with timthumb that caused the exploitation of huge numbers of WP installs in the early 2010s. One of our first security successes was limiting that issue to just a handful of sites on our systems by getting protection in place for everyone. This was before security was really on the radar of most WP users, and we try to keep up that tradition today.
If you have any questions about this post, don’t hesitate to comment!