{"id":2781,"date":"2022-03-31T11:22:03","date_gmt":"2022-03-31T10:22:03","guid":{"rendered":"https:\/\/blog.outscale.com\/?p=2781"},"modified":"2022-03-31T11:47:03","modified_gmt":"2022-03-31T10:47:03","slug":"dealing-with-a-0-day-vulnerability-behind-the-scenes","status":"publish","type":"post","link":"https:\/\/blog.outscale.com\/en\/dealing-with-a-0-day-vulnerability-behind-the-scenes\/","title":{"rendered":"Dealing with a 0-Day Vulnerability: Behind the Scenes"},"content":{"rendered":"

Learn how 3DS OUTSCALE runs its Bug Bounty program and go behind the scenes of a recent CVE (Common Vulnerabilities and Exposures) publication.<\/strong><\/p>\n

 <\/p>\n

Bug Bounty at 3DS OUTSCALE<\/strong><\/p>\n

3DS OUTSCALE, as an IaaS Cloud provider, is looking for any security-oriented feedback. For this purpose, we opened our Bug Bounty program on the YesWeHack platform<\/a> in 2016. Security researchers are encouraged to hunt for bugs on our public IaaS platform, especially on the API and the Cockpit web interface.<\/span><\/p>\n

We want them to find any ways of bypassing segregation measures, or anything impacting their customer experience or the infrastructure itself! To make it possible, we provide security researchers access to a Cloud account that will allow them to test our infrastructure as if they were regular customers. With limited but sufficient quotas, they may spawn private LANs, virtual machines and manage CPUs, RAM, security groups, etc.<\/span><\/p>\n

 <\/p>\n

Practical Case: Vulnerability in a WordPress Plugin<\/strong><\/p>\n

In 2021, a security researcher (<\/span>0xspade<\/a>) submitted a report on our YesWeHack program. This report pointed out an endpoint (a web address at which users can send requests to perform specific actions) on our official website that was not properly escaping input data. The researcher proved that sending some altered data to this endpoint could lead to local code execution. In short, we were facing an XSS vulnerability.<\/p>\n

At 3DS OUTSCALE, we use WordPress to power some of our official websites. We had to conduct an investigation to find out which part of the source code was vulnerable, because WordPress works with plugins, which all have their own logic. This investigation led us to apply a hotfix on our servers while waiting for an official patch from the editor. The technical details can be found in the last part of this article.<\/span><\/p>\n

After a first unsuccessful contact with the plugin editor, we decided to contact ANSSI<\/a> (the National Cybersecurity Agency of France) as well as WPScan<\/a>, which is a French CNA<\/a> (CVE Numbering Authority) specialized in vulnerabilities that can be found within the WordPress ecosystem.<\/span><\/p>\n

WPScan notably offers a vulnerability scanner as a plugin\/CLI, and maintains a database of all vulnerabilities affecting WordPress and its plugins. They were therefore the right contact to help us move forward, acting as our intermediary between the editor and the marketplace during the whole process.<\/span><\/p>\n

They helped us make the editor realize the severity of the vulnerability and gave them some time to release patches that fixed the problem. We methodically followed the steps and carried out the process successfully.<\/span><\/p>\n

Ultimately, two CVEs were created regarding this issue. They were recently published under the references CVE-2021-24814<\/a> and CVE-2022-0220<\/a>.<\/span><\/p>\n

Official advisories are available here:<\/span><\/p>\n