Check Point Security Researchers Discover Critical Vulnerability in MediaWiki Platform
Check Point Vulnerability Research Group, 01/28/2014
Check Point vulnerability researchers have discovered a critical vulnerability in the popular MediaWiki Web platform, which is used to run Wikipedia and tens of thousands of other ‘wiki’ sites around the world. This vulnerability allows an attacker to perform remote code execution (RCE) and appears to affect all versions of MediaWiki from 1.8 onwards.
Check Point promptly alerted the Wikimedia Foundation to the presence of this vulnerability, and after verifying it, the Foundation released a software update to correct the issue. Prior to the availability of a patch for this vulnerability, an attacker could have injected malicious code into every page in Wikipedia.org, as well as into any other internal or Web-facing wiki site running on MediaWiki.
On 28th January, the Wikimedia Foundation announced the availability of an update for the MediaWiki software to address this issue and recommended that all customers apply the patch as soon as possible. At the same time, Check Point has delivered updated Intrusion Prevention System (IPS) protections via ThreatCloud to detect and block attempts to exploit this vulnerability.
A vulnerability with global impact
Check Point’s Vulnerability Research Group regularly performs assessments of common software to ensure the security of Internet users worldwide. During a recent assessment, Check Point researchers discovered a critical vulnerability in the MediaWiki Project Web platform. This vulnerability affects all versions of MediaWiki from 1.8 onwards.
MediaWiki is an extremely popular open-source Web platform used to create and maintain ‘wiki’ Web sites, collaborative sites in which users are able to add, modify and delete content. The largest and best-known sites using the MediaWiki platform are Wikipedia.org and the other sites of the Wikimedia Foundation. Wikipedia.org is the sixth most-visited web site in the world, with over 94 million unique visitors per month and almost 2 million sites linking to it. MediaWiki also serves as the infrastructure for tens of thousands of wiki Web sites, Internet-facing as well as internal.
An attacker who successfully exploits this vulnerability is able to perform remote code execution (RCE) on the application server. RCE describes the ability of an unauthorized user to access a system from anywhere in the world, including making file and system changes and running programs on the target system in order to gain complete control.
Since 2006, only two other RCE vulnerabilities have been discovered in the MediaWiki platform. This vulnerability will be highly prized by the hacker community and quickly turned into attacks that can be aimed at organizations that have yet to apply the patch or implement another form of defense, such as intrusion prevention.
“It only takes a single vulnerability on a widely adopted platform for a hacker to infiltrate and wreak widespread damage. The Check Point Vulnerability Research Group focuses on finding these security gaps and deploying the necessary real-time protections to secure the Internet. We’re pleased that the MediaWiki platform is now protected against attacks on this vulnerability, which would have posed great security risk for millions of daily ‘wiki’ site users,” said Dorit Dor, vice president of products at Check Point Software Technologies.
This vulnerability has been assigned CVE-2014-1610 by the MITRE organization. In order for a site to be vulnerable, a specific non-default setting must be enabled in the MediaWiki settings. While the exact extent of affected organizations is unknown, this vulnerability was confirmed to impact some of the largest known MediaWiki deployments in the world, including Wikipedia.org. Prior to the availability of a patch for this vulnerability, an attacker could have injected malware infection code into every page in Wikipedia.org, as well as into any other internal or Web-facing wiki site running on MediaWiki with the affected settings.
Check Point has delivered updated protections via ThreatCloud to detect and block attempts to exploit this vulnerability. ThreatCloud is a collaborative network and cloud-driven knowledge base that delivers real-time dynamic security intelligence to security gateways. That intelligence is used to identify emerging outbreaks and threat trends, and automatically update the protections of Check Point gateways deployed around the globe.
Recommendations: Protecting your organization
Check Point customers who have enabled the Intrusion Prevention System (IPS) blade on their Check Point gateways have automatically received updated protections through ThreatCloud and are protected from attacks against this vulnerability.
Organizations running MediaWiki for internal or Web-facing sites should read the MediaWiki advisory and prepare to apply the update as soon as possible, as well as follow any additional mitigation guidance from the Wikimedia Foundation.