Plugin supply chain security considerations

wet · 2024-06-29 11:57:47

Yesterday I received a message from WordPress.org Plugin Directory stating that “We identified that some plugin authors were reusing passwords exposed in data breaches elsewhere. […] attackers used recycled passwords to add malicious code to a few plugins on the WordPress.org Plugin Directory.”

This supply chain security breach was discovered by WordFence¹.

The attack vector was a very sophisticated, year-long trust attack on the sole maintainer of XZ Utils, a core component of a number of critical IT infrastructure components.

As one IT security professional I know told me, supply chain attacks are on the rise. This attack vector could apply to plugin authors as well as plugin installers.

Although we are not in a position to control a monopolistically large part of the web, which is run by partially inexperienced or technically agnostic site owners, I think it would be beneficial to be very aware of how the other forces work these days.

Personally, I was very surprised by the sophistication and effort that went into this attack.

¹ www.wordfence.com/blog/2024/06/an-inside-look-at-the-malware-and-techniques-used-in-the-wordpress-org-supply-chain-attack/, www.wordfence.com/blog/2024/06/3-more-plugins-infected-in-wordpress-org-supply-chain-attack-due-to-compromised-developer-passwords/

Bloke · 2024-06-29 12:49:14

An intriguing read. Thanks for raising it.

If there are libraries upon which we depend and pull in from Composer that get compromised, we could have a problem in Textpattern core too.

gaekwad · 2024-06-29 21:36:43

I have a background task of integrating VirusTotal into our Github CI builds so we have something in place when commits hit the pipes. I’ll push this up the priority queue for testing.

wet · 2024-06-30 11:33:54

Pete, I’ve taken the liberty of throwing this issue to an infosec pro I know to see what sticks.

His response, roughly translated into a language I understand a little, was:

VirusTotal uses signature matching AFAIK, which would probably be of little effectiveness given our threat model.
Try SonarQube for source code analysis, including SAST for each commit/merge.
Try DAST with e.g. OWASP ZAP on a freshly deployed demo installation each time for dynamic testing.

Ring any bells? Me neither ;) If they do, I can (step #1) relay any requests and (step #2) get out of the way if desired.

gaekwad · 2024-07-01 12:37:35

Thanks, Robert.

SonarQube and ZAP look interesting, I’ll investigate those.

I’ve got PHPStan on my list for static analysis, and a small heap of other bits & pieces after Textpattern 4.9.0 lands.

A spare week or two would be really very helpful, but I’ll find time as it appears!

agovella · 2024-07-05 00:01:09

gaekwad wrote #337359:

…after Textpattern 4.9.0 lands.

wait… what? Is 4.9 close?

colak · 2024-07-05 04:58:19

agovella wrote #337369:

wait… what? Is 4.9 close?

I’ve been using the dev versions for some time without any issues.

Bloke · 2024-07-05 09:27:02

agovella wrote #337369:

wait… what? Is 4.9 close?

It’s been close for about 6 months 😳

Just waiting on one CSS fix on the Plugins panel to filter through. Or revert the code that needs it for now.

wet · 2024-07-10 04:10:03

Having seen the XZ sabotage, some of them are now taking a deep breath and thinking, “OK, I guess I won’t be retiring anytime soon then…” Others are wistfully thinking, “I’d happily do this for the next 30 years, but I have a mortgage to pay.” […]
The best we can hope for, of course, is to convince companies, institutions, and governments that it would be a really good idea to cut monthly checks for those people who maintain the software that these organizations absolutely depend upon.

Poul-Henning Kamp: The Expense of Unprotected Free Software

Algaris · 2024-07-10 08:02:15

That was an interesting read and I agree 100% with the articles author. We had a lucky escape. Who’s to say next time we will be as lucky? The people who maintain these systems we rely should be recognised and compensated for their work.

Textpattern CMS

Textpattern CMS support forum

#1 2024-06-29 11:57:47