Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2024-06-29 11:57:47

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,327
Website Mastodon

Plugin supply chain security considerations

Yesterday I received a message from WordPress.org Plugin Directory stating that “We identified that some plugin authors were reusing passwords exposed in data breaches elsewhere. […] attackers used recycled passwords to add malicious code to a few plugins on the WordPress.org Plugin Directory.”

This supply chain security breach was discovered by WordFence1.

The attack vector was a very sophisticated, year-long trust attack on the sole maintainer of XZ Utils, a core component of a number of critical IT infrastructure components.

As one IT security professional I know told me, supply chain attacks are on the rise. This attack vector could apply to plugin authors as well as plugin installers.

Although we are not in a position to control a monopolistically large part of the web, which is run by partially inexperienced or technically agnostic site owners, I think it would be beneficial to be very aware of how the other forces work these days.

Personally, I was very surprised by the sophistication and effort that went into this attack.

1 www.wordfence.com/blog/2024/06/an-inside-look-at-the-malware-and-techniques-used-in-the-wordpress-org-supply-chain-attack/, www.wordfence.com/blog/2024/06/3-more-plugins-infected-in-wordpress-org-supply-chain-attack-due-to-compromised-developer-passwords/

Offline

#2 2024-06-29 12:49:14

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,299
Website GitHub

Re: Plugin supply chain security considerations

An intriguing read. Thanks for raising it.

If there are libraries upon which we depend and pull in from Composer that get compromised, we could have a problem in Textpattern core too.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#3 2024-06-29 21:36:43

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,153
GitHub

Re: Plugin supply chain security considerations

I have a background task of integrating VirusTotal into our Github CI builds so we have something in place when commits hit the pipes. I’ll push this up the priority queue for testing.

Offline

#4 2024-06-30 11:33:54

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,327
Website Mastodon

Re: Plugin supply chain security considerations

Pete, I’ve taken the liberty of throwing this issue to an infosec pro I know to see what sticks.

His response, roughly translated into a language I understand a little, was:

  • VirusTotal uses signature matching AFAIK, which would probably be of little effectiveness given our threat model.
  • Try SonarQube for source code analysis, including SAST for each commit/merge.
  • Try DAST with e.g. OWASP ZAP on a freshly deployed demo installation each time for dynamic testing.

Ring any bells? Me neither ;) If they do, I can (step #1) relay any requests and (step #2) get out of the way if desired.

Offline

#5 2024-07-01 12:37:35

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,153
GitHub

Re: Plugin supply chain security considerations

Thanks, Robert.

SonarQube and ZAP look interesting, I’ll investigate those.

I’ve got PHPStan on my list for static analysis, and a small heap of other bits & pieces after Textpattern 4.9.0 lands.

A spare week or two would be really very helpful, but I’ll find time as it appears!

Offline

#6 2024-07-05 00:01:09

agovella
Member
From: Houston, TX
Registered: 2005-05-01
Posts: 66
Website Twitter

Re: Plugin supply chain security considerations

gaekwad wrote #337359:

…after Textpattern 4.9.0 lands.

wait… what? Is 4.9 close?

Offline

#7 2024-07-05 04:58:19

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,037
Website GitHub Mastodon Twitter

Re: Plugin supply chain security considerations

agovella wrote #337369:

wait… what? Is 4.9 close?

I’ve been using the dev versions for some time without any issues.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#8 2024-07-05 09:27:02

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,299
Website GitHub

Re: Plugin supply chain security considerations

agovella wrote #337369:

wait… what? Is 4.9 close?

It’s been close for about 6 months 😳

Just waiting on one CSS fix on the Plugins panel to filter through. Or revert the code that needs it for now.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#9 2024-07-10 04:10:03

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,327
Website Mastodon

Re: Plugin supply chain security considerations

Related article:

Having seen the XZ sabotage, some of them are now taking a deep breath and thinking, “OK, I guess I won’t be retiring anytime soon then…” Others are wistfully thinking, “I’d happily do this for the next 30 years, but I have a mortgage to pay.” […]
The best we can hope for, of course, is to convince companies, institutions, and governments that it would be a really good idea to cut monthly checks for those people who maintain the software that these organizations absolutely depend upon.

Poul-Henning Kamp: The Expense of Unprotected Free Software

Offline

#10 2024-07-10 08:02:15

Algaris
Member
From: England
Registered: 2006-01-27
Posts: 541

Re: Plugin supply chain security considerations

That was an interesting read and I agree 100% with the articles author. We had a lucky escape. Who’s to say next time we will be as lucky? The people who maintain these systems we rely should be recognised and compensated for their work.

Offline

Board footer

Powered by FluxBB