AttackerKB AKB:7B975634-2048-4113-92B7-D2E74D1CEE74
History: Apr 13, 2020 - 12:00 a.m.

CVE-2020-11738

Published: 2020-04-13 00:00:00
Source: attackerkb.com

CVSS3: 7.5 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS2: 5 Medium
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.972 High
Percentile: 99.8%

The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.
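The flaw described above is an unchecked path join: a caller-supplied file name is appended to the plugin's archive directory and ".." segments are never rejected. As an added illustration (this is not the plugin's code, and the actual 1.3.28 fix is not reproduced on this page), the Python below puts a resolver with that defect next to a hardened one. BACKUP_DIR, both function names and the sample archive name are assumptions made for the example; as with PHP's $_GET, the parameter is treated as arriving percent-decoded once.

```python
import os
from urllib.parse import unquote

# Assumed location of the archives the download handler is meant to serve.
# Constructed for this example; the plugin's real layout is not on this page.
BACKUP_DIR = "/var/www/html/wp-content/backups-dup-lite"


def vulnerable_resolve(file_param):
    """Mirror the flaw in the description: the 'file' parameter is glued onto
    the backup directory and never checked for '..' segments, so a value such
    as '/../wp-config.php' walks out of BACKUP_DIR into the WordPress root.
    Like PHP's $_GET, the value is percent-decoded once before use."""
    decoded = unquote(file_param)
    return os.path.normpath(BACKUP_DIR + "/" + decoded)


def hardened_resolve(file_param):
    """Accept a bare archive name only. Returns the absolute path to serve,
    or None if the request must be rejected.

    Decode once, reject anything carrying a directory separator, a '..'
    sequence or a NUL byte, then confirm the resolved path still sits
    directly inside BACKUP_DIR as defence in depth (this second check also
    catches names such as '.' that pass the string filter)."""
    decoded = unquote(file_param).replace("\\", "/")
    if not decoded or "\x00" in decoded or "/" in decoded or ".." in decoded:
        return None
    candidate = os.path.normpath(os.path.join(BACKUP_DIR, decoded))
    if os.path.dirname(candidate) != os.path.normpath(BACKUP_DIR):
        return None
    return candidate


if __name__ == "__main__":
    for value in ("/../wp-config.php", "%2e%2e%2fwp-config.php",
                  "20200413_site_archive.zip"):
        print(repr(value), "->", vulnerable_resolve(value),
              "|", hardened_resolve(value))
```

The containment check compares normalised strings only; on a real server, resolve both sides with os.path.realpath as well so a symlink inside the archive directory cannot be used to point outside it.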

Recent assessments:

kevthehermit at April 14, 2020 2:38pm UTC reported:

This plugin is recorded as having over 1 million installations via WordPress – <https://wordpress.org/plugins/duplicator/>
It has a free and a pro version, with both being impacted.

Other reporting suggests that there are around 170,000 active installations, with ~150,000 of these not on the latest version.

The vulnerability allows arbitrary file read of any file on disk in the context of the web application. This kind of attack can lead to further compromise depending on its setup and configuration. Using this level of access can lead to database credentials being compromised which in turn can lead to further exploitation.

This exploit has been seen in active campaigns as reported by Wordfence – <https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/>

IOCs shared by WordPress and replicated here for ease of discovery.

Indicators Of Compromise (IOCs)
The following Indicators of Compromise (IOCs) can be used to determine if your site may have been attacked.

Traffic logged from the threat actor’s IP address should be considered suspicious:

  • 77.71.115.52

Attacks in this campaign are issued via GET requests with the following query strings:

  • action=duplicator_download
  • file=/../wp-config.php

Note: Because this vulnerability can be exploited via WP AJAX, it’s possible to exploit via POST request. In this case, it’s possible for the action parameter to be passed in the POST body instead of the query string. This will prevent the action=duplicator_download string from appearing in HTTP logs. The file parameter must be passed as a query string, however, and is a reliable indicator.

Assessed Attacker Value: 3
Assessed Attacker Value: 5
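The detection-relevant point in the IOC note above is that the action value can travel in a POST body and never reach the access log, while the file parameter has to stay in the query string. The Python below, added here and not part of the assessment or of Wordfence's published material, runs that logic over a handful of constructed combined-format access log lines: it percent-decodes any file parameter (including double encoding), flags ".." segments, records whether an action value was visible at all, and separately flags any request from the 77.71.115.52 address quoted above. All sample lines are constructed, and every IP in them other than 77.71.115.52 is a documentation address, not a real indicator.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Known threat-actor address from the Wordfence IOCs quoted above.
KNOWN_BAD_IPS = {"77.71.115.52"}

# Actions named in the CVE description; both accept the 'file' parameter.
DUPLICATOR_ACTIONS = {"duplicator_download", "duplicator_init"}

# Constructed sample traffic in Apache/nginx combined log format (not real
# captures). Line 2 carries the action in a POST body, so only 'file' shows.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Apr/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=/../wp-config.php HTTP/1.1" 200 3102 "-" "curl/7.64.0"
203.0.113.10 - - [13/Apr/2020:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?file=%2F..%2Fwp-config.php HTTP/1.1" 200 3102 "-" "curl/7.64.0"
198.51.100.7 - - [13/Apr/2020:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Apr/2020:10:03:00 +0000] "GET /?action=duplicator_init&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Apr/2020:10:04:00 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=20200413_site_archive.zip HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
77.71.115.52 - - [13/Apr/2020:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def deep_unquote(value, rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    %2e%2e%2f and double-encoded %252e%252e%252f both surface as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(file_value):
    """True if any path segment of the decoded value is '..'."""
    decoded = deep_unquote(file_value).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def scan_line(line):
    """Return a finding dict for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = m.group("ip")
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query, keep_blank_values=True)
    action = query.get("action", [None])[0]
    file_values = query.get("file", [])

    reasons = []
    if ip in KNOWN_BAD_IPS:
        reasons.append("known threat-actor IP")
    for fv in file_values:
        if has_traversal(fv):
            reasons.append("traversal in file parameter: %s" % deep_unquote(fv))
    if not reasons:
        return None
    if file_values and action is None:
        # Per the IOC note: with WP AJAX the action can ride in the request
        # body, so the query string alone will not show duplicator_download.
        reasons.append("action absent from query string (possibly in %s body)"
                       % m.group("method"))
    return {
        "ip": ip,
        "method": m.group("method"),
        "path": parts.path,
        "action": action,
        "duplicator_action": action in DUPLICATOR_ACTIONS,
        "reasons": reasons,
    }


def scan_log(text):
    """Scan a whole log body and return the list of findings in order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["method"], f["path"], f["action"], "|",
              "; ".join(f["reasons"]))
```

Note that a duplicator_download request with a plain archive name (line 5) is not flagged: the IOC text treats the traversal in the file parameter, not the action alone, as the reliable signal, and legitimate backups are downloaded through the same action.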
