Drupal’s maintainers have handed users of the popular content management system (CMS) some urgent patching homework in the form of five security vulnerabilities, including two rated ‘critical’.
The headline here is simple: do not ignore Drupal updates or they’re likely to come back and bite you.
Two critical flaws
Both critical flaws allow remote code execution (RCE), the first of which is in the PHP DefaultMailSystem::mail()
backend affecting Drupal core versions 7.x and 8.x.
The advisory for SA-CORE-2018-006 describes this as relating to email variables not being sanitised for shell arguments, leading to a possible RCE.
That’s more descriptive than explanatory but a Drupal spokesperson suggested this wouldn’t be easy to exploit even if an attacker was authenticated, so success would depend on the configuration:
People do a wide variety of things with Drupal configuration and the Drupal API in site-specific custom modules. That diversity of site uses makes it hard to say for sure there are cases that an anonymous user could achieve RCE.
The second critical flaw affecting Drupal 8.x is in the contextual links module not validating contextual links although, again, an attacker would still have to have permission to access this.
The moderates
Three flaws here, the most interesting of which is the anonymous open redirect flaw affecting Drupal 8 which was made public in August by Portswigger’s James Kettle who documented how it could be used as part of a cache poisoning attack.
As Drupal’s advisory says:
Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.
A second open redirect defect, also affecting versions 7 and 8, could allow a user to enter a path to an open redirect leading to a malicious URL. Although:
The issue is mitigated by the fact that the user needs the administer paths permission to exploit.
Finally, a content moderation access bypass affecting version 8, through which “content moderation fails to check a user’s access to use certain transitions, leading to an access bypass.”
Fixing the latter required changes to ModerationStateConstraintValidator
, StateTransitionValidationInterface
, and user permissions that could, Drupal said, affect backwards compatibility in some cases.
What to do
Popular content management systems like Drupal offer hackers millions of potential targets, all of which can be reached within a few hours. Although these flaws may be hard to exploit there’s a lot in it for somebody who figures out how to do it, so applying these patches should be a priority.
What nobody wants is a repeat of the ‘Drupalgeddon 2’ cryptojacking attack in June when cybercriminals started exploiting a months-old flaw to mine Monero off the back of sites using the CMS.
Identified as CVE-2018-7600, Drupal users were warned about that flaw in March and yet that ended with hundreds of sites being compromised.
The recommendation is that if you are running 7.x, upgrade to Drupal 7.60, If you are running 8.6.x, upgrade to Drupal 8.6.2, and if you are running 8.5.x or earlier, upgrade to Drupal 8.5.8.