
VULNERABILITY – Symfony Component Vulnerability Impacting Drupal

In April of this year, attackers began exploiting two critical vulnerabilities in Drupal, a common open source website content-management system. The vulnerabilities were dubbed Drupalgeddon2 (CVE-2018-7600) and Drupalgeddon3 (CVE-2018-7602). This month a new flaw was discovered in Drupal, this time residing in Symfony HttpFoundation, a component of a third-party library used in Drupal Core. The flaw, assigned CVE-2018-14773, affects Drupal 8.x versions before 8.5.6.

Symfony released an advisory explaining that the flaw originates from the component’s support for legacy IIS headers. To trigger it, a remote attacker would only need to send a specially crafted “X-Original-URL” or “X-Rewrite-URL” HTTP request header. The header overrides the path in the request URL, so the application serves a different URL than the one the request was checked against, which allows access restrictions to be bypassed.
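As an added example (not Symfony’s or Drupal’s own code), the following Python model shows why honouring these headers bypasses restrictions: a front-end rule evaluates the path in the request line, while the pre-fix path resolution routes on the header instead. It also shows the two defensive controls a practitioner would want: stripping the headers at a proxy in front of an unpatched application, and flagging requests that carry them in proxy logs. Header names, the `/admin` restriction and the log records are constructed for the example.

```python
from urllib.parse import urlsplit

# The two legacy IIS rewrite headers named in the Symfony advisory.
LEGACY_REWRITE_HEADERS = ("x-original-url", "x-rewrite-url")


def _lower_keys(headers):
    return {k.lower(): v for k, v in headers.items()}


def resolve_path_legacy(url, headers):
    """Pre-fix behaviour (modelled, not Symfony's code): if a legacy
    rewrite header is present, its path replaces the request path."""
    lowered = _lower_keys(headers)
    for name in LEGACY_REWRITE_HEADERS:
        if name in lowered:
            return urlsplit(lowered[name]).path
    return urlsplit(url).path


def resolve_path_fixed(url, headers):
    """Post-fix behaviour: the headers are ignored; only the URL counts."""
    return urlsplit(url).path


def front_end_allows(url):
    """A web-server or cache restriction that only sees the request line.
    Constructed rule: nothing under /admin may pass."""
    return not urlsplit(url).path.startswith("/admin")


def restricted_path_reachable(url, headers, resolver):
    """True when the front end allows the request but the application
    routes it to a restricted path: the gap the advisory describes."""
    if not front_end_allows(url):
        return False
    return resolver(url, headers).startswith("/admin")


def strip_legacy_headers(headers):
    """Mitigation at a reverse proxy: drop the headers before they reach
    an unpatched application, so it can only route on the real path."""
    return {k: v for k, v in headers.items()
            if k.lower() not in LEGACY_REWRITE_HEADERS}


def flag_requests(records):
    """Detection: return proxy-log records (dicts with a 'headers' map)
    that carry either legacy header, for alerting or hunting."""
    return [r for r in records
            if any(h.lower() in LEGACY_REWRITE_HEADERS for h in r["headers"])]
```

With the fixed resolver, or with the headers stripped upstream, a request for `/index.php` can no longer be routed to a restricted path, and `flag_requests` gives the hunting query to run over proxy logs that record request headers.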

According to the advisory, the vulnerability was patched in versions 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3 of the Symfony HttpFoundation component, while Drupal has fixed the issue in version 8.5.6.

The Drupal team also warned of a similar vulnerability affecting the Zend Feed and Diactoros libraries included in Drupal Core, dubbed the ‘URL Rewrite vulnerability’. Drupal confirmed that it does not use the vulnerable functionality, but still recommends fixing it on sites and modules that use either library directly.

Proficio Threat Intelligence Recommendations:

  • Update your vulnerable site with the latest patch; details are available at symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers and drupal.org/SA-CORE-2018-005
  • Administrators of websites that use Zend Feed or Diactoros directly are advised to patch the ‘URL Rewrite vulnerability’ by following the Zend Framework security advisory available at framework.zend.com/security/advisory/ZF2018-01


Vulnerability: CVE-2018-7600 – Drupal core – Remote Code Execution

A vulnerability has been discovered that could allow criminals to execute code remotely on websites running Drupal. Drupal is a Content Management System (CMS) used by more than 1 million websites worldwide. According to W3techs.com, Drupal is the third most popular CMS, behind only Joomla and WordPress.

The vulnerability stems from an input validation issue that allows unsanitized data to enter Drupal’s data space. Drupal warns that an unprivileged and untrusted attacker could compromise the site and modify or delete data hosted on affected CMS platforms.

Due to the high criticality of the vulnerability, Drupal informed website administrators a week in advance that important fixes would be coming soon. The idea was to stay ahead of potential attackers, who could quickly develop exploit code for Drupal websites once they became aware of the vulnerability.

Drupal has since released updates to patch the vulnerability and recommends that users who have deployed the Content Management Framework immediately update to version 7.58 or 8.5.1. Although Drupal versions 8.3.x and 8.4.x are no longer supported, Drupal has released an out-of-band patch that fixes the highly critical security issue in releases 8.3.9 and 8.4.6.

Proficio Threat Intelligence Recommendations:

  • Immediately update Drupal to version 7.58 or 8.5.1
