[kwlug-disc] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Chris Craig kwlug.org at ciotog.net
Wed Mar 28 20:07:07 EDT 2018


As a software developer who has to maintain a legacy PHP code base, I
stand by my comment.

On 28 March 2018 at 17:39, Khalid Baheyeldin <kb at 2bits.com> wrote:
> Not really.
>
> By the same logic one should stop using AMD and Intel. The CPU
> vulnerabilities are bad, and cannot be patched since they are in the
> silicon.
>
> The issue here is that this was a vulnerability that is theoretical (i.e. it
> was not used by a malicious party before the disclosure) yet remotely
> exploitable.
>
> Now that it is out in the open, exploits will definitely be developed.
>
> This is unavoidable in a full disclosure environment like all open source
> projects have, where anyone can do a diff between 7.57 and 7.58 and infer
> what the vulnerability is, and write exploit code.
>
>
> On Wed, Mar 28, 2018 at 4:49 PM, Chris Craig <kwlug.org at ciotog.net> wrote:
>>
>> Sounds like a reason to stop using drupal...
>>
>> On 28 March 2018 at 16:41, Paul Nijjar via kwlug-disc
>> <kwlug-disc at kwlug.org> wrote:
>> >
>> > What is the vulnerability, exactly? The patch indicates that users can
>> > input "dangerous keys". What are dangerous keys? Are these query
>> > parameters in the URL? The FAQ is being irritating -- it is telling me
>> > this is a VERY BIG PROBLEM, but it is not telling me what the problem
>> > is.
>> >
>> > How busy is this security mailing list?
>> >
>> > - Paul
>> >
>> >
>> > On Wed, Mar 28, 2018 at 04:24:33PM -0400, Khalid Baheyeldin wrote:
>> >> Thanks Paul,
>> >>
>> >> If anyone has Drupal sites, please update them NOW, before you read
>> >> further.
>> >> If you have a Drupal 6 site, there is a patch for it.
>> >>
>> >> OK, did that?
>> >>
>> >> Now go read this:
>> >>
>> >> https://groups.drupal.org/security/faq-2018-002
>> >>
>> >> Over the next few hours, we will see automated exploits that will own
>> >> sites that have not been patched. This is a remote exploit that requires
>> >> no privileges at all.
>> >>
>> >> And please subscribe to the security mailing list.
>> >>
>> >> On Wed, Mar 28, 2018 at 4:14 PM, Paul Nijjar via kwlug-disc <
>> >> kwlug-disc at kwlug.org> wrote:
>> >>
>> >> >
>> >> > Khalid forwarded this to Charles and me, but it seems relevant to
>> >> > other people as well if you are running Drupal.
>> >> >
>> >> > - Paul
>> >> >
>> >> > ----- Forwarded message from Khalid Baheyeldin <kb at 2bits.com> -----
>> >> >
>> >> > Date: Wed, 28 Mar 2018 15:33:52 -0400
>> >> > From: Khalid Baheyeldin <kb at 2bits.com>
>> >> > To: Paul Nijjar <paul_nijjar at yahoo.ca>, Charles McColm <
>> >> > chaslinux at gmail.com>
>> >> > Subject: Fwd: [Security-news] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002
>> >> >
>> >> > Guys,
>> >> >
>> >> > You have Drupal sites, whether personal or otherwise.
>> >> >
>> >> > Please update your sites now, as automated remote cracking scripts
>> >> > will be developed within a few hours from now.
>> >> >
>> >> >
>> >> > ---------- Forwarded message ----------
>> >> > From: <security-news at drupal.org>
>> >> > Date: Wed, Mar 28, 2018 at 3:21 PM
>> >> > Subject: [Security-news] Drupal core - Highly critical - Remote Code
>> >> > Execution - SA-CORE-2018-002
>> >> > To: security-news at drupal.org
>> >> >
>> >> >
>> >> > View online: https://www.drupal.org/sa-core-2018-002
>> >> >
>> >> > Project: Drupal core [1]
>> >> > Date: 2018-March-28
>> >> > Security risk: *Highly critical* 21∕25
>> >> > AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default [2]
>> >> > Vulnerability: Remote Code Execution
>> >> >
>> >> > Description:
>> >> > CVE: CVE-2018-7600
>> >> >
>> >> > A remote code execution vulnerability exists within multiple
>> >> > subsystems of Drupal 7.x and 8.x. This potentially allows attackers to
>> >> > exploit multiple attack vectors on a Drupal site, which could result in
>> >> > the site being completely compromised.
>> >> >
>> >> > The security team has written an FAQ [3] about this issue.
>> >> >
>> >> > Solution:
>> >> > Upgrade to the most recent version of Drupal 7 or 8 core.
>> >> >
>> >> >   * *If you are running 7.x, upgrade to Drupal 7.58 [4].* (If you are
>> >> >     unable to update immediately, you can attempt to apply this patch
>> >> >     [5] to fix the vulnerability until such time as you are able to
>> >> >     completely update.)
>> >> >   * *If you are running 8.5.x, upgrade to Drupal 8.5.1 [6].* (If you
>> >> >     are unable to update immediately, you can attempt to apply this
>> >> >     patch [7] to fix the vulnerability until such time as you are able
>> >> >     to completely update.)
>> >> >
>> >> > Drupal 8.3.x and 8.4.x are no longer supported and we don't normally
>> >> > provide security releases for unsupported minor releases [8]. However,
>> >> > given the potential severity of this issue, we /are/ providing 8.3.x
>> >> > and 8.4.x releases that include the fix for sites which have not yet
>> >> > had a chance to update to 8.5.0.
>> >> >
>> >> > Your site's update report page will recommend the 8.5.x release even
>> >> > if you are on 8.3.x or 8.4.x. Please take the time to update to a
>> >> > supported version after installing this security update.
>> >> >
>> >> >   * If you are running 8.3.x, upgrade to Drupal 8.3.9 [9] or apply
>> >> >     this patch [10].
>> >> >   * If you are running 8.4.x, upgrade to Drupal 8.4.6 [11] or apply
>> >> >     this patch [12].
>> >> >
>> >> > This issue also affects Drupal 8.2.x and earlier, which are no longer
>> >> > supported. If you are running any of these versions of Drupal 8,
>> >> > update to a more recent release and then follow the instructions
>> >> > above.
>> >> >
>> >> > This issue also affects Drupal 6. Drupal 6 is End of Life. For more
>> >> > information on Drupal 6 support please contact a D6LTS vendor [13].
>> >> >
>> >> > Reported By:
>> >> >   * Jasper Mattsson [14]
>> >> >
>> >> > Fixed By:
>> >> >   * Jasper Mattsson [15]
>> >> >   * Samuel Mortenson [16] Provisional Drupal Security Team member
>> >> >   * David Rothstein [17] of the Drupal Security Team
>> >> >   * Jess (xjm) [18] of the Drupal Security Team
>> >> >   * Michael Hess [19] of the Drupal Security Team
>> >> >   * Lee Rowlands [20] of the Drupal Security Team
>> >> >   * Peter Wolanin [21] of the Drupal Security Team
>> >> >   * Alex Pott [22] of the Drupal Security Team
>> >> >   * David Snopek [23] of the Drupal Security Team
>> >> >   * Pere Orga [24] of the Drupal Security Team
>> >> >   * Neil Drumm [25] of the Drupal Security Team
>> >> >   * Cash Williams [26] of the Drupal Security Team
>> >> >   * Daniel Wehner [27]
>> >> >   * Tim Plunkett [28]
>> >> >
>> >> > -------- CONTACT AND MORE INFORMATION ----------------------------------------
>> >> >
>> >> > The Drupal security team can be reached by email at security at
>> >> > drupal.org or via the contact form.
>> >> >
>> >> > Learn more about the Drupal Security team and their policies, writing
>> >> > secure code for Drupal, and securing your site.
>> >> >
>> >> >
>> >> > [1] https://www.drupal.org/project/drupal
>> >> > [2] https://www.drupal.org/security-team/risk-levels
>> >> > [3] https://groups.drupal.org/security/faq-2018-002
>> >> > [4] https://www.drupal.org/project/drupal/releases/7.58
>> >> > [5] https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5
>> >> > [6] https://www.drupal.org/project/drupal/releases/8.5.1
>> >> > [7] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
>> >> > [8] https://www.drupal.org/core/release-cycle-overview
>> >> > [9] https://www.drupal.org/project/drupal/releases/8.3.9
>> >> > [10] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
>> >> > [11] https://www.drupal.org/project/drupal/releases/8.4.6
>> >> > [12] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
>> >> > [13] https://www.drupal.org/project/d6lts
>> >> > [14] https://www.drupal.org/u/Jasu_M
>> >> > [15] https://www.drupal.org/u/Jasu_M
>> >> > [16] https://www.drupal.org/user/2582268
>> >> > [17] https://www.drupal.org/user/124982
>> >> > [18] https://www.drupal.org/user/65776
>> >> > [19] https://www.drupal.org/user/102818
>> >> > [20] https://www.drupal.org/u/larowlan
>> >> > [21] https://www.drupal.org/user/49851
>> >> > [22] https://www.drupal.org/u/alexpott
>> >> > [23] https://www.drupal.org/u/dsnopek
>> >> > [24] https://www.drupal.org/u/pere-orga
>> >> > [25] https://www.drupal.org/u/drumm
>> >> > [26] https://www.drupal.org/u/cashwilliams
>> >> > [27] https://www.drupal.org/u/dawehner
>> >> > [28] https://www.drupal.org/u/tim.plunkett
>> >> >
>> >> > _______________________________________________
>> >> > Security-news mailing list
>> >> > Security-news at drupal.org
>> >> > Unsubscribe at
>> >> > https://lists.drupal.org/mailman/listinfo/security-news
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Khalid M. Baheyeldin
>> >> > 2bits.com, Inc.
>> >> > Fast Reliable Drupal
>> >> > Drupal optimization, development, customization and consulting.
>> >> > Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
>> >> > Simplicity is the ultimate sophistication. -- anonymous
>> >> >
>> >> > ----- End forwarded message -----
>> >> >
>> >> > --
>> >> > http://pnijjar.freeshell.org
>> >> >
>> >> > _______________________________________________
>> >> > kwlug-disc mailing list
>> >> > kwlug-disc at kwlug.org
>> >> > http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>> >> >
>> >>
>
>
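The thread above never answers Paul's question about what the "dangerous keys" in the 7.x patch [5] are. That patch sanitizes request input by removing array keys that begin with '#' from $_GET, $_POST, $_COOKIE and $_REQUEST before the rest of Drupal runs, because Drupal's Form API and render system reserve '#'-prefixed keys for element properties that must never be supplied by the client. The PHP below is an added example and is not Drupal's own code: a stand-alone sanitizer of the same shape, with hypothetical function names and a constructed sample request. It illustrates the fix; upgrading to a patched release is still the only real remedy.

```php
<?php
// Added example (not Drupal's code): strip '#'-prefixed keys from request
// input, the approach taken by the SA-CORE-2018-002 fix in Drupal 7.58.
// Function names are this example's own.

/**
 * Recursively removes keys that start with '#' from $input.
 *
 * @param array  $input   Request array to clean (e.g. $_POST).
 * @param array  $removed Receives the dotted path of every removed key, so
 *                        the caller can log what was dropped.
 * @param string $path    Prefix used when building those paths.
 * @return array The cleaned copy of $input.
 */
function strip_dangerous_keys(array $input, array &$removed, $path = '') {
  foreach ($input as $key => $value) {
    $here = ($path === '') ? (string) $key : $path . '.' . $key;
    // Integer keys can never start with '#'; only string keys are checked.
    if (is_string($key) && substr($key, 0, 1) === '#') {
      unset($input[$key]);
      $removed[] = $here;
      continue;
    }
    if (is_array($value)) {
      // Nested arrays (e.g. mail[#foo]) are cleaned as well.
      $input[$key] = strip_dangerous_keys($value, $removed, $here);
    }
  }
  return $input;
}

/**
 * Cleans the four PHP request superglobals in place and returns the list of
 * removed key paths. Run this as early as possible, before any application
 * code reads request input.
 */
function sanitize_request_input() {
  $removed = [];
  $_GET     = strip_dangerous_keys($_GET, $removed, 'GET');
  $_POST    = strip_dangerous_keys($_POST, $removed, 'POST');
  $_COOKIE  = strip_dangerous_keys($_COOKIE, $removed, 'COOKIE');
  $_REQUEST = strip_dangerous_keys($_REQUEST, $removed, 'REQUEST');
  return $removed;
}

// Constructed sample request (not captured traffic): an ordinary form
// submission with '#'-prefixed keys smuggled into nested values.
$_POST = [
  'form_id' => 'example_form',
  'name'    => 'alice',
  'mail'    => ['#foo' => 'x', 'value' => 'alice@example.com'],
  'extra'   => ['one', ['#bar' => 'y']],
];
$_GET     = ['q' => 'user/register', '#baz' => 'z'];
$_COOKIE  = [];
$_REQUEST = $_POST + $_GET;

$removed = sanitize_request_input();
foreach ($removed as $path) {
  // In production this would go to the site's security log.
  error_log("Removed dangerous request key: $path");
}
var_export($_POST);
var_export($_GET);
```

Run with `php sanitizer.php`: the '#foo', '#bar' and '#baz' keys are gone from the superglobals while 'form_id', 'name', 'value' and the plain list element survive. The check is deliberately on the key, not the value, because the advisory's attack surface is request data being interpreted as render-array or form-element properties; filtering the key prefix removes that interpretation regardless of what the value contains.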



