Drupal Critical Vulnerabilities Exploit (SA-CORE-2018-002)

Submitted by dryer on Wed, 03/28/2018 - 18:09

Drupal is a content management system often used for enterprise content management projects. It is a large platform with integrated subsystems such as the Entity API for database-backed content, and that broad API surface exposes many attack vectors. There is no central authority (such as Acquia) pushing security updates to every installation, so patching is slow and vulnerable installs linger, as was the case with Drupalgeddon (SA-CORE-2014-005) in 2014.

On March 28th 2018 the Drupal Security Team published SA-CORE-2018-002 for the supported Drupal 7 and 8 branches. The flaw lies deep in Drupal core, so every Drupal 7 and 8 installation is affected. At publication the team withheld technical details; the issue was later identified as CVE-2018-7600 ("Drupalgeddon 2"), a highly critical remote code execution bug: user-supplied input was not sanitised before reaching the Form API, so request parameters whose keys begin with "#" could inject render array properties such as callbacks. The fix in Drupal 7.58 and 8.5.1 (also backported to 8.3.9 and 8.4.6) strips such keys from GET, POST and cookie input. A vulnerability of this class gives an unauthenticated attacker whatever access to the filesystem and database the web server process has.
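The following is an added example, not code from the original post or from Drupal core. It models in Python what the SA-CORE-2018-002 fix does in PHP (dropping any user-supplied array key that starts with "#" from GET, POST and cookie data unless whitelisted, so request data can no longer inject Form API properties), and applies the same rule to web server access log lines to spot probing for the bug. The function names are chosen here, the whitelist name mirrors the Drupal setting sanitize_input_whitelist, and the log lines are constructed.

```python
"""Request-input sanitisation for '#'-prefixed keys, plus an access-log scanner.

Added example, not code from the original post or from Drupal core. It models
in Python what the SA-CORE-2018-002 fix (Drupal 7.58 / 8.5.1) does in PHP:
drop any user-supplied array key that starts with '#' from GET, POST and
cookie data unless the key is whitelisted. The whitelist name mirrors the
Drupal setting `sanitize_input_whitelist`; the log lines are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

KEY_RE = re.compile(r'^([^\[]+)((?:\[[^\]]*\])*)$')
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def parse_php_query(query):
    """Parse a query string into nested dicts the way PHP builds $_GET,
    so that name[#markup]=x becomes {'name': {'#markup': 'x'}}."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = KEY_RE.match(key)
        if not m:
            params[key] = value
            continue
        path = [m.group(1)] + re.findall(r'\[([^\]]*)\]', m.group(2))
        node = params
        for i, part in enumerate(path):
            if part == '':
                part = str(len(node))  # PHP's [] appends the next numeric index
            if i == len(path) - 1:
                node[part] = value
            else:
                if not isinstance(node.get(part), dict):
                    node[part] = {}
                node = node[part]
    return params


def sanitize_input(data, whitelist=()):
    """Recursively remove keys that begin with '#', the Form API property
    prefix, from user-supplied input. This is the rule the fix applies to
    $_GET, $_POST and $_COOKIE; whitelisted keys are kept."""
    if not isinstance(data, dict):
        return data
    clean = {}
    for key, value in data.items():
        if isinstance(key, str) and key.startswith('#') and key not in whitelist:
            continue
        clean[key] = sanitize_input(value, whitelist)
    return clean


def find_hash_keys(data, prefix=''):
    """Return the paths of all '#'-prefixed keys in a nested dict."""
    found = []
    if isinstance(data, dict):
        for key, value in data.items():
            path = f'{prefix}[{key}]' if prefix else str(key)
            if isinstance(key, str) and key.startswith('#'):
                found.append(path)
            found.extend(find_hash_keys(value, path))
    return found


def scan_access_log(lines):
    """Flag requests whose query string carries '#'-prefixed keys, the
    pattern the fix strips. Only the query string is visible in an access
    log; POST bodies, where the same keys can be sent, are not."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group('target')
        keys = find_hash_keys(parse_php_query(urlsplit(target).query))
        if keys:
            hits.append((target, keys))
    return hits


# Constructed sample log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Mar/2018:19:02:11 +0000] "GET /node/1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [28/Mar/2018:19:02:12 +0000] '
    '"GET /?q=user/password&name%5B%23markup%5D=probe HTTP/1.1" 200 812',
    '203.0.113.9 - - [28/Mar/2018:19:02:13 +0000] '
    '"POST /user/register?form%5B%23post_render%5D%5B%5D=exec&ajax_form=1 HTTP/1.1" 200 913',
]

if __name__ == '__main__':
    for target, keys in scan_access_log(SAMPLE_LOG):
        print(f'suspicious request {target}: keys {keys}')
    raw = parse_php_query('name%5B%23markup%5D=x&name%5Bvalue%5D=y')
    print('before:', raw)
    print('after: ', sanitize_input(raw))
```

Two caveats a practitioner should keep in mind: the scanner only sees what the access log records, so a probe that puts the "#" keys in a POST body is invisible to it and needs a WAF or request-body log; and a hit only proves someone sent such a key, not that the site was unpatched when they did, so pair it with a check of the installed core version.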

The individual CVEs listed below are not part of SA-CORE-2018-002 itself; they belong to the preceding batch, SA-CORE-2018-001 (published 21 February 2018), for Drupal versions 7 and 8:

  • Comment reply form allows access to restricted content - Critical - Drupal 8 - CVE-2017-6926

  • JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8 - CVE-2017-6927

  • Private file access bypass - Moderately Critical - Drupal 7 - CVE-2017-6928

  • jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7 - CVE-2017-6929

  • Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8 - CVE-2017-6930

  • Settings Tray access bypass - Moderately Critical - Drupal 8 - CVE-2017-6931

  • External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7 - CVE-2017-6932

Drupalgeddon Redux

By exploiting Drupal vulnerabilities, attackers can expose sensitive user data to the public. This is what happened at Mossack Fonseca, where an outdated Drupal version on the client portal was reported as a likely entry point for the Panama Papers breach, the largest leak of financial documents to date. Drupal is not the kind of platform that sophisticated applications such as Facebook are built on, so a personal data leak on the scale of the Cambridge Analytica affair is not possible through it.

Popular web application platforms such as Drupal are widely deployed and easy to fingerprint, which makes them attractive and easy to exploit at scale. Unlike Meltdown and Spectre, which require considerable expertise to turn into a working attack, this Drupal vulnerability is straightforward to exploit: upgrades are not applied automatically, the servers are always online, and the same scanning bots that constantly hunt for WordPress sites will crawl for Drupal installs. This is the downside of popular platforms.

More details on the Drupal.org site. The advisory this post is about: https://www.drupal.org/sa-core-2018-002
The February batch whose CVEs are listed above: https://www.drupal.org/sa-core-2018-001