[kwlug-disc] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Khalid Baheyeldin kb at 2bits.com
Wed Mar 28 20:38:34 EDT 2018


Your application, if written inhouse, is different.

It's source is not in public revision control repositories where a
malicious person can scan it for vulnerability.

Yes, security by obscurity is not security. But that only applies if
obscurity is your one and ONLY defense line.

Tell me how this Drupal vulnerability is different from any open source
project that had issues discovered and patched in public?

Here are examples:

vBulletin: a popular forum application
https://thehackernews.com/2017/12/vbulletin-forum-hacking.html

WordPress (far more popular than Drupal)
https://its.ny.gov/security-advisory/multiple-vulnerabilities-wordpress-content-management-system-could-allow-arbitrary

Apache Commons Java library
https://www.pcworld.com/article/3004633/business-security/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html

Even the bash shell
http://seclists.org/oss-sec/2014/q3/650

And it is not only open source, it is proprietary products too
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

Such vulnerabilities cannot be totally prevented. The right solution is to
apply security fixes in a timely matter, and be always in sync with your
upstream (e.g. if you installed the thing from your distro's repositories,
they will push a fix. If you installed it directly from the project's
repositories [as often Drupal is installed], then subscribe to their
security update channel).



On Wed, Mar 28, 2018 at 8:07 PM, Chris Craig <kwlug.org at ciotog.net> wrote:

> As a software developer that has to maintain a legacy PHP code base, I
> stand by my comment.
>
> On 28 March 2018 at 17:39, Khalid Baheyeldin <kb at 2bits.com> wrote:
> > Not really.
> >
> > By the same logic one should stop using AMD and Intel. The CPU
> > vulnerabilities are bad, and cannot be patched since they are in the
> > silicon.
> >
> > The issue here is that this was a vulnerability that is theoretical
> (i.e. it
> > was not used by a malicious party before the disclosure) yet remotely
> > exploitable.
> >
> > Now that it is out in the open, exploits will definitely be developed.
> >
> > This is unavoidable in a full disclosure environment like all open source
> > projects do, where anyone can do a diff between 7.57 and 7.58 and infer
> what
> > the vulnerability is, and write exploit code.
> >
> >
> > On Wed, Mar 28, 2018 at 4:49 PM, Chris Craig <kwlug.org at ciotog.net>
> wrote:
> >>
> >> Sounds like a reason to stop using drupal...
> >>
> >> On 28 March 2018 at 16:41, Paul Nijjar via kwlug-disc
> >> <kwlug-disc at kwlug.org> wrote:
> >> >
> >> > What is the vulnerability, exactly? The patch indicates that users can
> >> > input "dangerous keys". What are dangerous keys? Are these query
> >> > parameters in the URL? The FAQ is being irritating -- it is telling me
> >> > this is a VERY BIG PROBLEM, but it is not telling me what the problem
> >> > is.
> >> >
> >> > How busy is this security mailing list?
> >> >
> >> > - Paul
> >> >
> >> >
> >> > On Wed, Mar 28, 2018 at 04:24:33PM -0400, Khalid Baheyeldin wrote:
> >> >> Thanks Paul,
> >> >>
> >> >> If anyone has Drupal sites, please update them NOW, before you read
> >> >> further.
> >> >> If you have a Drupal 6 site, there is a patch for it.
> >> >>
> >> >> OK, did that?
> >> >>
> >> >> Now go read this:
> >> >>
> >> >> https://groups.drupal.org/security/faq-2018-002
> >> >>
> >> >> Over the next few hours, we will see automated exploits that will own
> >> >> sites
> >> >> that have been not patched. This is a remote exploit that requires no
> >> >> privileges at all.
> >> >>
> >> >> And please subscribe to the security mailing list.
> >> >>
> >> >> On Wed, Mar 28, 2018 at 4:14 PM, Paul Nijjar via kwlug-disc <
> >> >> kwlug-disc at kwlug.org> wrote:
> >> >>
> >> >> >
> >> >> > Khalid forwarded this to Charles and me, but it seems relevant to
> >> >> > other people as well if you are running Drupal.
> >> >> >
> >> >> > - Paul
> >> >> >
> >> >> > ----- Forwarded message from Khalid Baheyeldin <kb at 2bits.com>
> -----
> >> >> >
> >> >> > Date: Wed, 28 Mar 2018 15:33:52 -0400
> >> >> > From: Khalid Baheyeldin <kb at 2bits.com>
> >> >> > To: Paul Nijjar <paul_nijjar at yahoo.ca>, Charles McColm <
> >> >> > chaslinux at gmail.com>
> >> >> > Subject: Fwd: [Security-news] Drupal core - Highly critical -
> Remote
> >> >> > Code
> >> >> >         Execution - SA-CORE-2018-002
> >> >> >
> >> >> > Guys,
> >> >> >
> >> >> > You have Drupal sites, whether personal or otherwise.
> >> >> >
> >> >> > Please update your sites now, as automated remote cracking scripts
> >> >> > will be
> >> >> > developed within a few hours from now.
> >> >> >
> >> >> >
> >> >> > ---------- Forwarded message ----------
> >> >> > From: <security-news at drupal.org>
> >> >> > Date: Wed, Mar 28, 2018 at 3:21 PM
> >> >> > Subject: [Security-news] Drupal core - Highly critical - Remote
> Code
> >> >> > Execution - SA-CORE-2018-002
> >> >> > To: security-news at drupal.org
> >> >> >
> >> >> >
> >> >> > View online: https://www.drupal.org/sa-core-2018-002
> >> >> >
> >> >> > Project: Drupal core [1]
> >> >> > Date: 2018-March-28
> >> >> > Security risk: *Highly critical* 21∕25
> >> >> > AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default [2]
> >> >> > Vulnerability: Remote Code Execution
> >> >> >
> >> >> > Description:
> >> >> > CVE: CVE-2018-7600
> >> >> >
> >> >> > A remote code execution vulnerability exists within multiple
> >> >> > subsystems of
> >> >> > Drupal 7.x and 8.x.  This potentially allows attackers to exploit
> >> >> > multiple
> >> >> > attack vectors on a Drupal site, which could result in the site
> being
> >> >> > completely compromised.
> >> >> >
> >> >> > The security team has written an  FAQ [3] about this issue.
> >> >> >
> >> >> > Solution:
> >> >> > Upgrade to the most recent version of Drupal 7 or 8 core.
> >> >> >
> >> >> >   * *If you are running 7.x, upgrade to Drupal 7.58 [4].* (If you
> are
> >> >> > unable
> >> >> >     to update immediately, you can attempt to apply this patch [5]
> to
> >> >> > fix
> >> >> > the
> >> >> >     vulnerability until such time as you are able to completely
> >> >> > update.)
> >> >> >   * *If you are running 8.5.x, upgrade to Drupal 8.5.1 [6].* (If
> you
> >> >> > are
> >> >> >     unable to update immediately, you can attempt to apply this
> patch
> >> >> > [7]
> >> >> > to
> >> >> >     fix the vulnerability until such time as you are able to
> >> >> > completely
> >> >> >     update.)
> >> >> >
> >> >> > Drupal 8.3.x and 8.4.x are no longer supported and we don't
> normally
> >> >> > provide
> >> >> > security releases for unsupported minor releases [8]. However,
> given
> >> >> > the
> >> >> > potential severity of this issue, we /are/ providing 8.3.x and
> 8.4.x
> >> >> > releases
> >> >> > that includes the fix for sites which have not yet had a chance to
> >> >> > update
> >> >> > to
> >> >> > 8.5.0.
> >> >> >
> >> >> > Your site's update report page will recommend the 8.5.x release
> even
> >> >> > if you
> >> >> > are on 8.3.x or 8.4.x. Please take the time to update to a
> supported
> >> >> > version
> >> >> > after installing this security update.
> >> >> >
> >> >> >   * If you are running 8.3.x, upgrade to Drupal 8.3.9 [9] or apply
> >> >> > this
> >> >> > patch
> >> >> >     [10].
> >> >> >   * If you are running 8.4.x, upgrade to Drupal 8.4.6 [11] or apply
> >> >> > thispatch
> >> >> >     [12].
> >> >> >
> >> >> > This issue also affects Drupal 8.2.x and earlier, which are no
> longer
> >> >> > supported. If you are running any of these versions of Drupal 8,
> >> >> > update to
> >> >> > a
> >> >> > more recent release and then follow the instructions above.
> >> >> >
> >> >> > This issue also affects Drupal 6.  Drupal 6 is End of Life. For
> more
> >> >> > information on Drupal 6 support please contact a D6LTS vendor [13].
> >> >> >
> >> >> > Reported By:
> >> >> >   * Jasper Mattsson [14]
> >> >> >
> >> >> > Fixed By:
> >> >> >   * Jasper Mattsson [15]
> >> >> >   * Samuel Mortenson  [16] Provisional  Drupal Security Team member
> >> >> >   * David Rothstein  [17] of the Drupal Security Team
> >> >> >   * Jess  (xjm) [18] of the Drupal Security Team
> >> >> >   * Michael Hess  [19] of the Drupal Security Team
> >> >> >   * Lee Rowlands  [20] of the Drupal Security Team
> >> >> >   * Peter Wolanin  [21] of the Drupal Security Team
> >> >> >   * Alex Pott  [22] of the Drupal Security Team
> >> >> >   * David Snopek [23] of the Drupal Security Team
> >> >> >   * Pere Orga  [24] of the Drupal Security Team
> >> >> >   * Neil Drumm [25]  of the Drupal Security Team
> >> >> >   * Cash Williams  [26] of the Drupal Security Team
> >> >> >   * Daniel Wehner [27]
> >> >> >   * Tim Plunkett [28]
> >> >> >
> >> >> > -------- CONTACT AND MORE INFORMATION
> >> >> > ----------------------------------------
> >> >> >
> >> >> > The Drupal security team can be reached by email at security at
> >> >> > drupal.org
> >> >> > or
> >> >> > via the contact form.
> >> >> >
> >> >> > Learn more about the Drupal Security team and their policies,
> writing
> >> >> > secure
> >> >> > code for Drupal, and securing your site.
> >> >> >
> >> >> >
> >> >> > [1] https://www.drupal.org/project/drupal
> >> >> > [2] https://www.drupal.org/security-team/risk-levels
> >> >> > [3] https://groups.drupal.org/security/faq-2018-002
> >> >> > [4] https://www.drupal.org/project/drupal/releases/7.58
> >> >> > [5]
> >> >> > https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a
> >> >> > 83db50e2f97682d9a0fb8a18e2722cba5
> >> >> > [6] https://www.drupal.org/project/drupal/releases/8.5.1
> >> >> > [7]
> >> >> > https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac87
> >> >> > 38fa69df34a0635f0907d661b509ff9a28f
> >> >> > [8] https://www.drupal.org/core/release-cycle-overview
> >> >> > [9] https://www.drupal.org/project/drupal/releases/8.3.9
> >> >> > [10]
> >> >> > https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac87
> >> >> > 38fa69df34a0635f0907d661b509ff9a28f
> >> >> > [11] https://www.drupal.org/project/drupal/releases/8.4.6
> >> >> > [12]
> >> >> > https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac87
> >> >> > 38fa69df34a0635f0907d661b509ff9a28f
> >> >> > [13] https://www.drupal.org/project/d6lts
> >> >> > [14] https://www.drupal.org/u/Jasu_M
> >> >> > [15] https://www.drupal.org/u/Jasu_M
> >> >> > [16] https://www.drupal.org/user/2582268
> >> >> > [17] https://www.drupal.org/user/124982
> >> >> > [18] https://www.drupal.org/user/65776
> >> >> > [19] https://www.drupal.org/user/102818
> >> >> > [20] https://www.drupal.org/u/larowlan
> >> >> > [21] https://www.drupal.org/user/49851
> >> >> > [22] https://www.drupal.org/u/alexpott
> >> >> > [23] https://www.drupal.org/u/dsnopek
> >> >> > [24] https://www.drupal.org/u/pere-orga
> >> >> > [25] https://www.drupal.org/u/drumm
> >> >> > [26] https://www.drupal.org/u/cashwilliams
> >> >> > [27] https://www.drupal.org/u/dawehner
> >> >> > [28] https://www.drupal.org/u/tim.plunkett
> >> >> >
> >> >> > _______________________________________________
> >> >> > Security-news mailing list
> >> >> > Security-news at drupal.org
> >> >> > Unsubscribe at
> >> >> > https://lists.drupal.org/mailman/listinfo/security-news
> >> >> >
> >> >> >
> >> >> >
> >> >> > --
> >> >> > Khalid M. Baheyeldin
> >> >> > 2bits.com, Inc.
> >> >> > Fast Reliable Drupal
> >> >> > Drupal optimization, development, customization and consulting.
> >> >> > Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> >> >> > Simplicity is the ultimate sophistication. -- anonymous
> >> >> >
> >> >> > ----- End forwarded message -----
> >> >> >
> >> >> > --
> >> >> > http://pnijjar.freeshell.org
> >> >> >
> >> >> > _______________________________________________
> >> >> > kwlug-disc mailing list
> >> >> > kwlug-disc at kwlug.org
> >> >> > http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Khalid M. Baheyeldin
> >> >> 2bits.com, Inc.
> >> >> Fast Reliable Drupal
> >> >> Drupal optimization, development, customization and consulting.
> >> >> Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> >> >> Simplicity is the ultimate sophistication. -- anonymous
> >> >
> >> > --
> >> > http://pnijjar.freeshell.org
> >> >
> >> > _______________________________________________
> >> > kwlug-disc mailing list
> >> > kwlug-disc at kwlug.org
> >> > http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> >
> >
> >
> >
> > --
> > Khalid M. Baheyeldin
> > 2bits.com, Inc.
> > Fast Reliable Drupal
> > Drupal optimization, development, customization and consulting.
> > Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> > Simplicity is the ultimate sophistication. -- anonymous
> >
> >
> > _______________________________________________
> > kwlug-disc mailing list
> > kwlug-disc at kwlug.org
> > http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> >
>



-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
Simplicity is the ultimate sophistication. -- anonymous
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20180328/408a9041/attachment.htm>


More information about the kwlug-disc mailing list