Published on June 8, 2015 10:48 UTC by GovCERT.ch (permalink)
Last updated on June 8, 2015 10:52 UTC
The internet has grown very fast in the past 15 years. Thousands of new websites are going online every day. According to Netcraft, there are currently more than 850'000'000 active websites on the internet (May 2015). One of the reasons why the number of websites has grown that much is the use of content management systems (CMS), for example WordPress, Typo3, Joomla and Drupal. By using a CMS, you can easily publish content on the internet without needing IT knowledge. In addition, you have a vast number of plugins available for CMS, allowing you to customize your website the way you want. Hence, content management systems (CMS) are used by many small and medium enterprises (SME), but also by hobby webmasters who want to have a website for e.g. their sports club.
While CMS are something great, they are also a valuable target for hackers. In April 2015, we tweeted about a vulnerability in WordPress that allows a miscreant to launch a cross-site scripting (XSS) attack against any website running a vulnerable version of WordPress by posting a comment with malicious JavaScript in it (CVE-2015-3440). On the same day the vulnerability was made public, WordPress released a security update (WP 4.2.1) to fix it.
Unfortunately, the security fix didn't last long. On May 6th 2015, another vulnerability (CVE-2015-3429) was made public which allows an attacker to launch a cross-site scripting (XSS) attack against websites running WordPress. According to Sucuri, the vulnerability had already been exploited in the wild before WordPress was even able to release a security update. The vulnerability also exists in JetPack, a popular WordPress plugin that has, according to WordPress.org, more than one million active installs. This vulnerability was revealed on May 6th, 2015. WordPress released a security update on May 7th 2015 to fix it. Today, one month later, thousands of websites in Switzerland are still unpatched and vulnerable.
According to nic.ch, there were 1'939'115 domain names registered within the Swiss name space (ccTLD .ch) by the end of March 2015. At least 124'000 of those (~6.4%) are running WordPress. Checking the WP version of these websites, we see that more than 70% of all .ch websites that are running WordPress appear to use an outdated version of WordPress and are therefore very likely vulnerable to the attacks described above.
Breaking it down by CVE (CVE-2015-3440 - stored XSS vulnerability in WP, CVE-2015-3429 - XSS vulnerability in WP and JetPack), the situation looks as follows:
These statistics are based on the WordPress version used. Further investigation would be necessary in order to determine whether these websites are actually vulnerable or not (or whether they are e.g. protected by Web Application Firewalls that would block these kinds of attacks). However, it is very likely that they are at risk, since they are using an outdated version of WordPress that is known to be vulnerable to these attacks.
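The version check described above, as an added example that is not part of the original post or GovCERT.ch's tooling: it reads the WordPress generator meta tag from a page and compares the advertised version against the fixed versions. WP 4.2.1 for CVE-2015-3440 is stated in the post; the 4.2.2 threshold for CVE-2015-3429 is the May 7th 2015 release and is an assumption not stated on the page, and the sample pages are constructed.

```python
import re
from html.parser import HTMLParser

# First WordPress release containing the fix for each CVE.
# 4.2.1 is stated in the post; 4.2.2 is an assumption (the May 7th 2015 release).
# WordPress also backported these fixes to older branches, so anything below the
# threshold is flagged for review, not declared vulnerable (see the post's caveat).
FIXED_IN = {
    "CVE-2015-3440": (4, 2, 1),
    "CVE-2015-3429": (4, 2, 2),
}

def parse_version(text):
    """Turn 'WordPress 4.2' into (4, 2, 0); None if no WordPress version is present."""
    m = re.search(r"WordPress\s+(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

class GeneratorParser(HTMLParser):
    """Collect the content attribute of every <meta name="generator"> tag."""
    def __init__(self):
        super().__init__()
        self.generators = []
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag.lower() == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))

def wordpress_version(html):
    p = GeneratorParser()
    p.feed(html)
    return next((v for v in map(parse_version, p.generators) if v), None)

def likely_affected(html, fixed_in=FIXED_IN):
    """CVEs whose fix is newer than the advertised version; empty if current or unknown.
    A missing generator tag is NOT evidence of being patched, only of being hidden."""
    v = wordpress_version(html)
    return [] if v is None else [cve for cve, fixed in fixed_in.items() if v < fixed]

# Constructed sample pages (not real .ch sites).
SAMPLES = {
    "outdated": '<html><head><meta name="generator" content="WordPress 4.0"></head></html>',
    "partial": '<html><head><meta name="generator" content="WordPress 4.2.1" /></head></html>',
    "current": '<html><head><meta name="generator" content="WordPress 4.2.2" /></head></html>',
    "hidden": '<html><head><title>generator tag removed</title></head></html>',
}

if __name__ == "__main__":
    for name, page in SAMPLES.items():
        print(name, wordpress_version(page), likely_affected(page))
```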
Based on the reports GovCERT.ch received from partners, we can say that more than 5'000 websites are confirmed to be vulnerable to CVE-2015-3440. That is nearly 5 times more than the number of vulnerable Magento installations in Switzerland we have reported in April 2015. Today, GovCERT.ch has started the notification process for these websites by informing the responsible hosting providers about affected customers running an outdated (vulnerable) version of WordPress.
Unfortunately, we believe that this is just the tip of the iceberg. As stated earlier in this blog post, there are several other CMS available besides WordPress. We assume that the situation doesn't look any better there. So the question that remains is: why are there so many websites out there running a vulnerable version of a CMS? One explanation would be that CMS are victims of their own success: a CMS makes it easy for everyone to publish websites on the internet, even for people who have no IT knowledge. They likely do not know that they need to patch their CMS, as they are (hopefully) already used to doing on their desktop PC. Like a car that needs a regular check, you should check whether the CMS you are using is up to date and patched.
If you are running a content management system (CMS) such as WordPress, Typo3, Joomla or Drupal, we highly recommend that you make sure you are running the most recent version. Further tips and measures to secure your content management system (CMS) can be found on the MELANI website:
Measures to secure Content Management Systems (English)
Massnahmen zum Schutz von Content Management Systemen (Deutsch)
Mesures de prévention pour les systèmes de gestion de contenu (French)
Misure per contribuire alla sicurezza dei sistemi di gestione dei contenuti (Italian)