[kwlug-disc] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Khalid Baheyeldin kb at 2bits.com
Wed Mar 28 17:44:56 EDT 2018


The security mailing list sends announcements only on Wednesdays, and
ranges from nothing to 4 or 5 emails (e.g. modules with vulnerabilities,
which you can ignore if you are not using them).

The FAQ is intentionally vague to make it hard(er) for exploiters.

This vulnerability has to do with sanitization of input, namely $_GET,
$_POST, $_COOKIE and $_REQUEST.

Here is the diff between the fixed version and the one before it.

https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f

On Wed, Mar 28, 2018 at 4:41 PM, Paul Nijjar <paul_nijjar at yahoo.ca> wrote:

>
> What is the vulnerability, exactly? The patch indicates that users can
> input "dangerous keys". What are dangerous keys? Are these query
> parameters in the URL? The FAQ is being irritating -- it is telling me
> this is a VERY BIG PROBLEM, but it is not telling me what the problem
> is.
>
> How busy is this security mailing list?
>
> - Paul
>
>
> On Wed, Mar 28, 2018 at 04:24:33PM -0400, Khalid Baheyeldin wrote:
> > Thanks Paul,
> >
> > If anyone has Drupal sites, please update them NOW, before you read further.
> > If you have a Drupal 6 site, there is a patch for it.
> >
> > OK, did that?
> >
> > Now go read this:
> >
> > https://groups.drupal.org/security/faq-2018-002
> >
> > Over the next few hours, we will see automated exploits that will own sites
> > that have not been patched. This is a remote exploit that requires no
> > privileges at all.
> >
> > And please subscribe to the security mailing list.
> >
> > On Wed, Mar 28, 2018 at 4:14 PM, Paul Nijjar via kwlug-disc <kwlug-disc at kwlug.org> wrote:
> >
> > >
> > > Khalid forwarded this to Charles and me, but it seems relevant to
> > > other people as well if you are running Drupal.
> > >
> > > - Paul
> > >
> > > ----- Forwarded message from Khalid Baheyeldin <kb at 2bits.com> -----
> > >
> > > Date: Wed, 28 Mar 2018 15:33:52 -0400
> > > From: Khalid Baheyeldin <kb at 2bits.com>
> > > To: Paul Nijjar <paul_nijjar at yahoo.ca>, Charles McColm <chaslinux at gmail.com>
> > > Subject: Fwd: [Security-news] Drupal core - Highly critical - Remote Code
> > >         Execution - SA-CORE-2018-002
> > >
> > > Guys,
> > >
> > > You have Drupal sites, whether personal or otherwise.
> > >
> > > Please update your sites now, as automated remote cracking scripts will be
> > > developed within a few hours from now.
> > >
> > >
> > > ---------- Forwarded message ----------
> > > From: <security-news at drupal.org>
> > > Date: Wed, Mar 28, 2018 at 3:21 PM
> > > Subject: [Security-news] Drupal core - Highly critical - Remote Code
> > > Execution - SA-CORE-2018-002
> > > To: security-news at drupal.org
> > >
> > >
> > > View online: https://www.drupal.org/sa-core-2018-002
> > >
> > > Project: Drupal core [1]
> > > Date: 2018-March-28
> > > Security risk: *Highly critical* 21/25
> > > AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default [2]
> > > Vulnerability: Remote Code Execution
> > >
> > > Description:
> > > CVE: CVE-2018-7600
> > >
> > > A remote code execution vulnerability exists within multiple subsystems of
> > > Drupal 7.x and 8.x.  This potentially allows attackers to exploit multiple
> > > attack vectors on a Drupal site, which could result in the site being
> > > completely compromised.
> > >
> > > The security team has written an FAQ [3] about this issue.
> > >
> > > Solution:
> > > Upgrade to the most recent version of Drupal 7 or 8 core.
> > >
> > >   * *If you are running 7.x, upgrade to Drupal 7.58 [4].* (If you are unable
> > >     to update immediately, you can attempt to apply this patch [5] to fix the
> > >     vulnerability until such time as you are able to completely update.)
> > >   * *If you are running 8.5.x, upgrade to Drupal 8.5.1 [6].* (If you are
> > >     unable to update immediately, you can attempt to apply this patch [7] to
> > >     fix the vulnerability until such time as you are able to completely
> > >     update.)
> > >
> > > Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide
> > > security releases for unsupported minor releases [8]. However, given the
> > > potential severity of this issue, we /are/ providing 8.3.x and 8.4.x releases
> > > that include the fix for sites which have not yet had a chance to update to
> > > 8.5.0.
> > >
> > > Your site's update report page will recommend the 8.5.x release even if you
> > > are on 8.3.x or 8.4.x. Please take the time to update to a supported version
> > > after installing this security update.
> > >
> > >   * If you are running 8.3.x, upgrade to Drupal 8.3.9 [9] or apply this
> > >     patch [10].
> > >   * If you are running 8.4.x, upgrade to Drupal 8.4.6 [11] or apply this
> > >     patch [12].
> > >
> > > This issue also affects Drupal 8.2.x and earlier, which are no longer
> > > supported. If you are running any of these versions of Drupal 8, update to a
> > > more recent release and then follow the instructions above.
> > >
> > > This issue also affects Drupal 6.  Drupal 6 is End of Life. For more
> > > information on Drupal 6 support please contact a D6LTS vendor [13].
> > >
> > > Reported By:
> > >   * Jasper Mattsson [14]
> > >
> > > Fixed By:
> > >   * Jasper Mattsson [15]
> > >   * Samuel Mortenson [16], Provisional Drupal Security Team member
> > >   * David Rothstein [17] of the Drupal Security Team
> > >   * Jess (xjm) [18] of the Drupal Security Team
> > >   * Michael Hess [19] of the Drupal Security Team
> > >   * Lee Rowlands [20] of the Drupal Security Team
> > >   * Peter Wolanin [21] of the Drupal Security Team
> > >   * Alex Pott [22] of the Drupal Security Team
> > >   * David Snopek [23] of the Drupal Security Team
> > >   * Pere Orga [24] of the Drupal Security Team
> > >   * Neil Drumm [25] of the Drupal Security Team
> > >   * Cash Williams [26] of the Drupal Security Team
> > >   * Daniel Wehner [27]
> > >   * Tim Plunkett [28]
> > >
> > > -------- CONTACT AND MORE INFORMATION ----------------------------------------
> > >
> > > The Drupal security team can be reached by email at security at drupal.org or
> > > via the contact form.
> > >
> > > Learn more about the Drupal Security team and their policies, writing secure
> > > code for Drupal, and securing your site.
> > >
> > >
> > > [1] https://www.drupal.org/project/drupal
> > > [2] https://www.drupal.org/security-team/risk-levels
> > > [3] https://groups.drupal.org/security/faq-2018-002
> > > [4] https://www.drupal.org/project/drupal/releases/7.58
> > > [5] https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5
> > > [6] https://www.drupal.org/project/drupal/releases/8.5.1
> > > [7] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
> > > [8] https://www.drupal.org/core/release-cycle-overview
> > > [9] https://www.drupal.org/project/drupal/releases/8.3.9
> > > [10] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
> > > [11] https://www.drupal.org/project/drupal/releases/8.4.6
> > > [12] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
> > > [13] https://www.drupal.org/project/d6lts
> > > [14] https://www.drupal.org/u/Jasu_M
> > > [15] https://www.drupal.org/u/Jasu_M
> > > [16] https://www.drupal.org/user/2582268
> > > [17] https://www.drupal.org/user/124982
> > > [18] https://www.drupal.org/user/65776
> > > [19] https://www.drupal.org/user/102818
> > > [20] https://www.drupal.org/u/larowlan
> > > [21] https://www.drupal.org/user/49851
> > > [22] https://www.drupal.org/u/alexpott
> > > [23] https://www.drupal.org/u/dsnopek
> > > [24] https://www.drupal.org/u/pere-orga
> > > [25] https://www.drupal.org/u/drumm
> > > [26] https://www.drupal.org/u/cashwilliams
> > > [27] https://www.drupal.org/u/dawehner
> > > [28] https://www.drupal.org/u/tim.plunkett
> > >
> > > _______________________________________________
> > > Security-news mailing list
> > > Security-news at drupal.org
> > > Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
> > >
> > >
> > >
> > > --
> > > Khalid M. Baheyeldin
> > > 2bits.com, Inc.
> > > Fast Reliable Drupal
> > > Drupal optimization, development, customization and consulting.
> > > Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> > > Simplicity is the ultimate sophistication. -- anonymous
> > >
> > > ----- End forwarded message -----
> > >
> > > --
> > > http://pnijjar.freeshell.org
> > >
> > > _______________________________________________
> > > kwlug-disc mailing list
> > > kwlug-disc at kwlug.org
> > > http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> > >
> >
> >
> >
> > --
> > Khalid M. Baheyeldin
> > 2bits.com, Inc.
> > Fast Reliable Drupal
> > Drupal optimization, development, customization and consulting.
> > Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> > Simplicity is the ultimate sophistication. -- anonymous
>
> --
> http://pnijjar.freeshell.org
>



-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
Simplicity is the ultimate sophistication. -- anonymous
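For readers who want to see what "sanitization of input" and "dangerous keys" mean here in working code, the following is an added example; it is not Drupal's code and not part of the thread above. It mirrors the approach taken by the SA-CORE-2018-002 fix, which strips array keys beginning with '#' (the prefix Drupal reserves for render-array properties) out of $_GET, $_POST, $_COOKIE and $_REQUEST before the rest of the request is processed. The class name, the method names and the sample input are invented for illustration.

```php
<?php
// Added example, not Drupal's own code: a request sanitizer in the spirit of
// the SA-CORE-2018-002 fix. The fix strips array keys that start with '#'
// (the prefix Drupal uses for render-array properties) out of $_GET, $_POST,
// $_COOKIE and $_REQUEST before any other code sees them. The class name and
// the sample input below are invented for illustration.

final class ExampleRequestSanitizer
{
    /**
     * Return a copy of $input with every key that begins with '#' removed,
     * at any nesting depth. Paths of removed keys are appended to $removed
     * so the caller can log them (a silent drop would hide attack attempts).
     */
    public static function stripDangerousKeys(array $input, array &$removed, string $path = ''): array
    {
        $clean = [];
        foreach ($input as $key => $value) {
            $keyPath = $path === '' ? (string) $key : $path . '.' . $key;
            if (is_string($key) && $key !== '' && $key[0] === '#') {
                $removed[] = $keyPath;
                continue;
            }
            $clean[$key] = is_array($value)
                ? self::stripDangerousKeys($value, $removed, $keyPath)
                : $value;
        }
        return $clean;
    }

    /**
     * Sanitize the four superglobals in place and return the removed key
     * paths, prefixed with the superglobal they came from. Call this as early
     * as possible in bootstrap, before any code reads request data.
     */
    public static function sanitizeSuperglobals(): array
    {
        $removed = [];
        $_GET     = self::stripDangerousKeys($_GET, $removed, 'GET');
        $_POST    = self::stripDangerousKeys($_POST, $removed, 'POST');
        $_COOKIE  = self::stripDangerousKeys($_COOKIE, $removed, 'COOKIE');
        $_REQUEST = self::stripDangerousKeys($_REQUEST, $removed, 'REQUEST');
        return $removed;
    }
}

// Constructed sample input standing in for a decoded POST body.
$sample = [
    'title' => 'Hello',
    'body'  => [
        'value'   => 'Some text',
        '#markup' => '<script>alert(1)</script>',   // must be dropped
    ],
    '#access' => true,                              // must be dropped
];

$removed = [];
$clean = ExampleRequestSanitizer::stripDangerousKeys($sample, $removed, 'POST');
var_dump($clean);    // only 'title' and 'body' => ['value' => 'Some text'] survive
var_dump($removed);  // ['POST.body.#markup', 'POST.#access']
```

The point of the '#' check is that user input must never be able to inject render-array properties, which Drupal treats as instructions rather than data. The sanitizer has to run before anything else touches the request, and it should log what it removed so that exploitation attempts against an already patched site are still visible. It is a defensive backstop, not a substitute for applying the release or patch listed in the advisory.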