Three New Critical Drupal Vulnerabilities: Is Your Site Affected?
In the past 24 hours, the Drupal team has released a fix for three critical vulnerabilities. Gravityscan now has detection for these three issues, so if you run Drupal, scan your site immediately with Gravityscan to find out if you are vulnerable.
If you run Drupal on any of your websites, we strongly recommend that you immediately update to Drupal 8.3.4 or Drupal 7.56, both of which contain fixes for the following three serious vulnerabilities:
CVE-2017-6920: PECL YAML parser unsafe object handling leads to remote code execution
According to the Drupal team, “PECL YAML parser does not handle PHP objects safely during certain operations within Drupal core. This could lead to remote code execution.”
The fix that the Drupal core team has released is likely due to this vulnerability, which was discovered in the yaml_parse functions in the YAML PHP extension: https://bugs.php.net/bug.php?id=69617
They discovered that attackers can perform object-injection attacks if they can submit unsafe data to an application, which is then passed to YAML parsing functions within the YAML PECL extension. The maintainers of this module considered this a documentation bug, and modified their documentation to indicate that developers should not pass unsanitized user-submitted data to these functions.
It looks like the Drupal dev team has now reacted to this PHP advisory and has modified their use of these functions within Drupal to prevent exploitation. Both Drupal 8.3.4 and Drupal 7.56 fix this issue.
It’s worth noting that in 2013, Ruby on Rails similarly suffered from a particularly bad YAML object-injection vulnerability. This further highlights the need to update your Drupal installation as soon as possible to project yourself against exploitation of this vulnerability.
CVE-2017-6922: Files uploaded by anonymous users into a private file system can be accessed by other anonymous users
This release also fixes a vulnerability in Drupal that allows anonymous users to upload files into a directory that the site owners intend to be private and inaccessible. However, the vulnerability makes it so that those files can then be accessed by anyone on the Internet. This allows hackers to upload malicious files to a Drupal site, and then use that site to host those files, which are then accessible by anyone on the Internet.
A spammer can, for example, upload an image to a Drupal site and then send out an email spam campaign that loads the image from the victim site. A Drupal site targeted this way may be inundated with traffic, or have its reputation negatively impacted through inclusion in a spam campaign or other malicious campaign. This is also a huge liability concern for any site that allows its legitimate users to upload documents containing sensitive or private data under the assumption that the information in those documents will remain private.
The Drupal core team has been aware of this issue since October last year, when they published an advisory. Both Drupal 8.3.4 and Drupal 7.56 fix this issue.
CVE-2017-6921: File REST resource does not properly validate some fields when manipulating files
According to the Drupal core team:
“The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource.”
The Drupal core team did not include any more details other than the above quote. However, if we unpack that statement, it becomes clear that this vulnerability can only be exploited if a site meets all of the following conditions:
- The victim site has the REST module enabled in Drupal.
- The file REST resource is enabled and allows “PATCH” requests.
- An attacker can get or register a user account on the site with permissions to upload files.
- That same account also has the ability to modify the file resource.
What To Do
If you run a Drupal site, visit www.gravityscan.com now and run a free scan to determine if you are affected by this vulnerability. No registration is required.
We recommend that you install the Gravityscan Accelerator before running a scan. This will allow Gravityscan to scan all your website files and detect if you have any old Drupal installations you might have forgotten about that may be vulnerable. We will also pick up any other vulnerabilities you may have on other software on your server, such as WordPress and Joomla.
Update all your Drupal installations to Drupal 8.3.4 or Drupal 7.56 – both of these updates fix all of these vulnerabilities.
You can find the full announcement from the Drupal core team on this page.