A Critical Flaw in LiteSpeed Cache: CVE-2024-44000
A critical severity vulnerability has been discovered in LiteSpeed Cache, a popular caching plugin used by over 6 million WordPress sites. The flaw, tracked as CVE-2024-44000, allows unauthenticated attackers to take complete control of vulnerable websites.
The vulnerability was discovered by Patchstack’s Rafie Muhammad on August 22, 2024, and a fix was released with LiteSpeed Cache version 6.5.0.1 on September 4, 2024.
How the Vulnerability Works: Exploiting Debug Logging
The vulnerability stems from the plugin’s debug logging feature. When enabled, this feature logs all HTTP response headers, including the “Set-Cookie” header, to a file named ‘/wp-content/debug.log’. These headers contain session cookies used to authenticate users.
If an attacker can access this debug log file, they can steal the session cookies of logged-in users and impersonate them, gaining full control of the website.
Exploiting the Vulnerability: Accessing the Debug Log
To exploit the vulnerability, an attacker must be able to access the debug log file. This is possible if no file access restrictions (such as .htaccess rules) are implemented. The attacker can simply enter the correct URL to access the file.
Although only the session cookies of users who logged in while the debug feature was active are exposed, that can include past login events if the log files are not regularly wiped.
LiteSpeed Technologies’ Patch: Mitigating the Vulnerability
LiteSpeed Technologies, the plugin’s vendor, addressed the vulnerability by taking the following steps:
- Moving the debug log to a dedicated folder: The debug log is now located in ‘/wp-content/litespeed/debug/’.
- Randomizing log filenames: The filenames of the debug logs are now randomized to make them harder to guess.
- Removing the option to log cookies: The debug logging feature no longer logs cookies.
- Adding a dummy index file: A dummy index file is added for extra protection.
Urgent Action Required: Protecting Your WordPress Site
Users of LiteSpeed Cache are strongly advised to take the following steps to protect their websites:
- Purge all ‘debug.log’ files: Delete any existing ‘debug.log’ files from their servers to remove potentially valid session cookies that could be stolen.
- Implement an .htaccess rule: Create an .htaccess rule to deny direct access to the log files. This is crucial as the new randomized filenames can still be guessed through brute-forcing.
- Update LiteSpeed Cache: Update to the latest version (6.5.0.1 or later) to benefit from the fix.
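A defender-side script that carries out the first two steps above, added here as an example and not taken from the advisory or from LiteSpeed: it purges leftover debug logs and appends a deny rule to the `.htaccess` of both log locations, so the randomized filenames need not be guessed correctly to be protected. It assumes an Apache or LiteSpeed web server that honours `.htaccess`, and the `WP_ROOT` path and the `LSCACHE-DEBUGLOG-DENY` marker are placeholders of this example.

```shell
#!/bin/sh
# Added example (not from the advisory or from LiteSpeed): purge leftover
# debug logs and block direct HTTP access to the log locations the advisory
# names. Assumes an Apache/LiteSpeed server that honours .htaccess and that
# WP_ROOT (placeholder default below) points at the WordPress install.
set -eu
WP_ROOT="${WP_ROOT:-/var/www/html}"

# Delete the legacy wp-content/debug.log and any *.log left in the new
# wp-content/litespeed/debug/ directory (randomised names included).
purge_debug_logs() {
  find "$1/wp-content" -type f \
    \( -name 'debug.log' -o \( -path '*/litespeed/debug/*' -name '*.log' \) \) \
    -print -delete
}

# Append a deny rule for files matching regex $2 to $1/.htaccess. A marker
# comment keeps the rule from being appended twice on repeated runs.
deny_log_access() {
  dir="$1"; pattern="$2"; ht="$dir/.htaccess"
  mkdir -p "$dir"
  if ! grep -q 'LSCACHE-DEBUGLOG-DENY' "$ht" 2>/dev/null; then
    cat >>"$ht" <<EOF
# LSCACHE-DEBUGLOG-DENY: no direct requests to matching files, whatever their name
<FilesMatch "$pattern">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
  fi
}

harden_site() {
  purge_debug_logs "$1"
  deny_log_access "$1/wp-content" '\.log$'         # blocks debug.log
  deny_log_access "$1/wp-content/litespeed/debug" '.'  # blocks every file there
}

# Usage: sh harden_lscache.sh /path/to/wordpress  (no argument: define only)
if [ $# -gt 0 ]; then harden_site "$1"; fi
```

The `.htaccess` rule is ignored by nginx; on nginx the equivalent is a `location` block that returns 403 for `wp-content/litespeed/debug/` and `*.log`.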
The Impact: Millions of Vulnerable Sites
WordPress.org reports that over 375,000 users downloaded LiteSpeed Cache on September 4, 2024, the day the fix was released. Measured against the plugin’s install base of more than 6 million sites, this means that millions of websites remain vulnerable to this attack.
LiteSpeed Cache has been a target for hackers due to its popularity and its history of vulnerabilities. In May 2024, hackers exploited an unauthenticated cross-site scripting flaw (CVE-2023-40000) in an outdated version of the plugin to create administrator users and take control of websites.
In August 2024, another critical unauthenticated privilege escalation vulnerability (CVE-2024-28000) was discovered, allowing attackers to easily gain control of websites. This vulnerability was exploited by attackers within hours of its disclosure, with Wordfence reporting nearly 50,000 attacks blocked.
The LiteSpeed Cache vulnerability highlights the importance of staying up-to-date with security patches and implementing robust security measures. WordPress users should always prioritize security and take immediate action to address vulnerabilities.