[kwlug-disc] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002
Khalid Baheyeldin
kb at 2bits.com
Wed Mar 28 17:39:56 EDT 2018
Not really.
By the same logic one should stop using AMD and Intel. The CPU
vulnerabilities are bad, and cannot be patched since they are in the
silicon.
The issue here is that this was a vulnerability that is theoretical (i.e.
it was not used by a malicious party before the disclosure) yet remotely
exploitable.
Now that it is out in the open, exploits will definitely be developed.
This is unavoidable in a full disclosure environment like all open source
projects do, where anyone can do a diff between 7.57 and 7.58 and infer
what the vulnerability is, and write exploit code.
On Wed, Mar 28, 2018 at 4:49 PM, Chris Craig <kwlug.org at ciotog.net> wrote:
> Sounds like a reason to stop using drupal...
>
> On 28 March 2018 at 16:41, Paul Nijjar via kwlug-disc
> <kwlug-disc at kwlug.org> wrote:
> >
> > What is the vulnerability, exactly? The patch indicates that users can
> > input "dangerous keys". What are dangerous keys? Are these query
> > parameters in the URL? The FAQ is being irritating -- it is telling me
> > this is a VERY BIG PROBLEM, but it is not telling me what the problem
> > is.
> >
> > How busy is this security mailing list?
> >
> > - Paul
> >
> >
> > On Wed, Mar 28, 2018 at 04:24:33PM -0400, Khalid Baheyeldin wrote:
> >> Thanks Paul,
> >>
> >> If anyone has Drupal sites, please update them NOW, before you read
> further.
> >> If you have a Drupal 6 site, there is a patch for it.
> >>
> >> OK, did that?
> >>
> >> Now go read this:
> >>
> >> https://groups.drupal.org/security/faq-2018-002
> >>
> >> Over the next few hours, we will see automated exploits that will own
> sites
> >> that have been not patched. This is a remote exploit that requires no
> >> privileges at all.
> >>
> >> And please subscribe to the security mailing list.
> >>
> >> On Wed, Mar 28, 2018 at 4:14 PM, Paul Nijjar via kwlug-disc <
> >> kwlug-disc at kwlug.org> wrote:
> >>
> >> >
> >> > Khalid forwarded this to Charles and me, but it seems relevant to
> >> > other people as well if you are running Drupal.
> >> >
> >> > - Paul
> >> >
> >> > ----- Forwarded message from Khalid Baheyeldin <kb at 2bits.com> -----
> >> >
> >> > Date: Wed, 28 Mar 2018 15:33:52 -0400
> >> > From: Khalid Baheyeldin <kb at 2bits.com>
> >> > To: Paul Nijjar <paul_nijjar at yahoo.ca>, Charles McColm <
> >> > chaslinux at gmail.com>
> >> > Subject: Fwd: [Security-news] Drupal core - Highly critical - Remote
> Code
> >> > Execution - SA-CORE-2018-002
> >> >
> >> > Guys,
> >> >
> >> > You have Drupal sites, whether personal or otherwise.
> >> >
> >> > Please update your sites now, as automated remote cracking scripts
> will be
> >> > developed within a few hours from now.
> >> >
> >> >
> >> > ---------- Forwarded message ----------
> >> > From: <security-news at drupal.org>
> >> > Date: Wed, Mar 28, 2018 at 3:21 PM
> >> > Subject: [Security-news] Drupal core - Highly critical - Remote Code
> >> > Execution - SA-CORE-2018-002
> >> > To: security-news at drupal.org
> >> >
> >> >
> >> > View online: https://www.drupal.org/sa-core-2018-002
> >> >
> >> > Project: Drupal core [1]
> >> > Date: 2018-March-28
> >> > Security risk: *Highly critical* 21∕25
> >> > AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default [2]
> >> > Vulnerability: Remote Code Execution
> >> >
> >> > Description:
> >> > CVE: CVE-2018-7600
> >> >
> >> > A remote code execution vulnerability exists within multiple
> subsystems of
> >> > Drupal 7.x and 8.x. This potentially allows attackers to exploit
> multiple
> >> > attack vectors on a Drupal site, which could result in the site being
> >> > completely compromised.
> >> >
> >> > The security team has written an FAQ [3] about this issue.
> >> >
> >> > Solution:
> >> > Upgrade to the most recent version of Drupal 7 or 8 core.
> >> >
> >> > * *If you are running 7.x, upgrade to Drupal 7.58 [4].* (If you are
> >> > unable
> >> > to update immediately, you can attempt to apply this patch [5] to
> fix
> >> > the
> >> > vulnerability until such time as you are able to completely
> update.)
> >> > * *If you are running 8.5.x, upgrade to Drupal 8.5.1 [6].* (If you
> are
> >> > unable to update immediately, you can attempt to apply this patch
> [7]
> >> > to
> >> > fix the vulnerability until such time as you are able to
> completely
> >> > update.)
> >> >
> >> > Drupal 8.3.x and 8.4.x are no longer supported and we don't normally
> >> > provide
> >> > security releases for unsupported minor releases [8]. However, given
> the
> >> > potential severity of this issue, we /are/ providing 8.3.x and 8.4.x
> >> > releases
> >> > that includes the fix for sites which have not yet had a chance to
> update
> >> > to
> >> > 8.5.0.
> >> >
> >> > Your site's update report page will recommend the 8.5.x release even
> if you
> >> > are on 8.3.x or 8.4.x. Please take the time to update to a supported
> >> > version
> >> > after installing this security update.
> >> >
> >> > * If you are running 8.3.x, upgrade to Drupal 8.3.9 [9] or apply
> this
> >> > patch
> >> > [10].
> >> > * If you are running 8.4.x, upgrade to Drupal 8.4.6 [11] or apply
> >> > thispatch
> >> > [12].
> >> >
> >> > This issue also affects Drupal 8.2.x and earlier, which are no longer
> >> > supported. If you are running any of these versions of Drupal 8,
> update to
> >> > a
> >> > more recent release and then follow the instructions above.
> >> >
> >> > This issue also affects Drupal 6. Drupal 6 is End of Life. For more
> >> > information on Drupal 6 support please contact a D6LTS vendor [13].
> >> >
> >> > Reported By:
> >> > * Jasper Mattsson [14]
> >> >
> >> > Fixed By:
> >> > * Jasper Mattsson [15]
> >> > * Samuel Mortenson [16] Provisional Drupal Security Team member
> >> > * David Rothstein [17] of the Drupal Security Team
> >> > * Jess (xjm) [18] of the Drupal Security Team
> >> > * Michael Hess [19] of the Drupal Security Team
> >> > * Lee Rowlands [20] of the Drupal Security Team
> >> > * Peter Wolanin [21] of the Drupal Security Team
> >> > * Alex Pott [22] of the Drupal Security Team
> >> > * David Snopek [23] of the Drupal Security Team
> >> > * Pere Orga [24] of the Drupal Security Team
> >> > * Neil Drumm [25] of the Drupal Security Team
> >> > * Cash Williams [26] of the Drupal Security Team
> >> > * Daniel Wehner [27]
> >> > * Tim Plunkett [28]
> >> >
> >> > -------- CONTACT AND MORE INFORMATION
> >> > ----------------------------------------
> >> >
> >> > The Drupal security team can be reached by email at security at
> drupal.org
> >> > or
> >> > via the contact form.
> >> >
> >> > Learn more about the Drupal Security team and their policies, writing
> >> > secure
> >> > code for Drupal, and securing your site.
> >> >
> >> >
> >> > [1] https://www.drupal.org/project/drupal
> >> > [2] https://www.drupal.org/security-team/risk-levels
> >> > [3] https://groups.drupal.org/security/faq-2018-002
> >> > [4] https://www.drupal.org/project/drupal/releases/7.58
> >> > [5]
> >> > https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a
> >> > 83db50e2f97682d9a0fb8a18e2722cba5
> >> > [6] https://www.drupal.org/project/drupal/releases/8.5.1
> >> > [7]
> >> > https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac87
> >> > 38fa69df34a0635f0907d661b509ff9a28f
> >> > [8] https://www.drupal.org/core/release-cycle-overview
> >> > [9] https://www.drupal.org/project/drupal/releases/8.3.9
> >> > [10]
> >> > https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac87
> >> > 38fa69df34a0635f0907d661b509ff9a28f
> >> > [11] https://www.drupal.org/project/drupal/releases/8.4.6
> >> > [12]
> >> > https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac87
> >> > 38fa69df34a0635f0907d661b509ff9a28f
> >> > [13] https://www.drupal.org/project/d6lts
> >> > [14] https://www.drupal.org/u/Jasu_M
> >> > [15] https://www.drupal.org/u/Jasu_M
> >> > [16] https://www.drupal.org/user/2582268
> >> > [17] https://www.drupal.org/user/124982
> >> > [18] https://www.drupal.org/user/65776
> >> > [19] https://www.drupal.org/user/102818
> >> > [20] https://www.drupal.org/u/larowlan
> >> > [21] https://www.drupal.org/user/49851
> >> > [22] https://www.drupal.org/u/alexpott
> >> > [23] https://www.drupal.org/u/dsnopek
> >> > [24] https://www.drupal.org/u/pere-orga
> >> > [25] https://www.drupal.org/u/drumm
> >> > [26] https://www.drupal.org/u/cashwilliams
> >> > [27] https://www.drupal.org/u/dawehner
> >> > [28] https://www.drupal.org/u/tim.plunkett
> >> >
> >> > _______________________________________________
> >> > Security-news mailing list
> >> > Security-news at drupal.org
> >> > Unsubscribe at https://lists.drupal.org/
> mailman/listinfo/security-news
> >> >
> >> >
> >> >
> >> > --
> >> > Khalid M. Baheyeldin
> >> > 2bits.com, Inc.
> >> > Fast Reliable Drupal
> >> > Drupal optimization, development, customization and consulting.
> >> > Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> >> > Simplicity is the ultimate sophistication. -- anonymous
> >> >
> >> > ----- End forwarded message -----
> >> >
> >> > --
> >> > http://pnijjar.freeshell.org
> >> >
> >> > _______________________________________________
> >> > kwlug-disc mailing list
> >> > kwlug-disc at kwlug.org
> >> > http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> >> >
> >>
> >>
> >>
> >> --
> >> Khalid M. Baheyeldin
> >> 2bits.com, Inc.
> >> Fast Reliable Drupal
> >> Drupal optimization, development, customization and consulting.
> >> Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> >> Simplicity is the ultimate sophistication. -- anonymous
> >
> > --
> > http://pnijjar.freeshell.org
> >
> > _______________________________________________
> > kwlug-disc mailing list
> > kwlug-disc at kwlug.org
> > http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
--
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
Simplicity is the ultimate sophistication. -- anonymous
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20180328/3c24eca5/attachment.htm>
More information about the kwlug-disc
mailing list