Security Through Ephemerallity

Posted: 14th Jul 2020

The Craft CMS community has recently been under siege by attackers exploiting a recent security issue in the well-adopted plugin SEOmatic.

The specifics of the vulnerability have been covered elsewhere in detail so I won't hark on about that.

But I will take a moment to say this vulnerability is critical - it gives attackers access to all of your site's files and database data. Fix it by updated your Craft project to the latest version of SEOmatic now.

Instead, let's discuss a feature of Servd which is an intrinsic benefit and vastly reduces the impact that attacks like this can have.

When an attacker tries to hack your website there are two things they need to do:

  1. Find a way in so they can make changes
  2. Persist those changes so they stick around

In the SEOmatic hack, Part 1. was achieved by attackers who carefully crafted requests which would allow them to run arbitrary code on the server. This code then gave them full access to the server's filesystem and all of its running services.

Many of the attackers used this access to make changes to the files they found. Some installed software which would mine crypto currency and even left scripts behind which would re-install that software if anybody tried to delete it. Other attackers changed Craft's framework files to inject links and metadata into pages which would influence SEO rankings of other sites.

There are likely other, unreported hacks in which the attacker has simply left a backdoor - which will still exist long after SEOmatic has been updated - waiting to be used to add the server to a botnet at some point in the future.

The thing that all of the attacks have in common is that they leave changes on the filesystem in order to persist. Undoing those changes if often difficult as they are likely to masquerade as common files or exists as multiple components which will self heal if any part is removed.

Servd has a super-weapon in the fight against these types of attacks:

Whenever you deploy your project, the entire filesystem is reset.

We call this an ephemeral filesystem as the files it contains only exist temporarily.

This sounds like it might break a lot of things, but as part of Servd's bundling process we make several changes to your Craft project in order to make sure it feels right at home in this kind of environment.

The only drawback is that local filesystem asset volumes aren't possible, because all of your uploaded assets would be deleted every time you perform a deploy! That's why we provide the Servd Assets Platform for all projects to use.

But, back to the point... If an attacker's changes are reset whenever you perform a deployment, undoing their changes is as easy as clicking the 'Sync' button in the Servd dashboard.

After this process has completed any changes made to the filesystem will have been removed. That is a lot simpler than trying to track down all of the files, processes, cronjobs and other things that might have been left behind!

Not only can these changes be undone by a simple deployment - this process is actually performed on your behalf if Servd detect a problem with your project. For instance, if a cryptocurrency miner were to begin using 100% CPU within a hacked project, Servd would immediately detect the issue and cycle the deployment - automatically undoing the change that caused things to break.

Although ephemeral filesystems are unusual, and take a little bit of getting used to, hopefully now one of their major benefits is clear too!

P.S Update SEOmatic

If trawling through files trying to find things that may or may not have been hacked sounds like a chore you don't need, give Servd and its ephemeral filesystems a try.