[kwlug-disc] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Bob Jonkman bjonkman at sobac.com
Wed Mar 28 22:51:00 EDT 2018


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Khalid wrote:
> The FAQ is intentionally vague to make it hard(er) for exploiters.

Not meaning to pile on Khalid, but that hardly seems like "full
disclosure" to me.

A commercial software vendor whose software I SysAdminned released a
patch with the same sort of urgent vagueness: "Really important!"
What is it? "Ain't saying!"

Their software was fragile, to put it nicely. Used for a
mission-critical application, and needed to go through at least some
in-house testing before being allowed in production. But we didn't
know what the problem was, which modules were affected, the financial
risk of not patching, vs. the cost of downtime for patching (and the
additional cost of the patch breaking things, resulting in more
downtime). After chewing out our software rep (to no avail) we ended
up patching, spending a weekend updating some 25 servers (by hand,
those servers were all snowflakes) and trying to keep the databases in
sync.

A few years later I was working somewhere else with someone who said
"Oh yeah, I discovered that vulnerability! It was (blah, blah blah)."
Of course, the flaw existed in none of the servers we had patched,
since we didn't run the affected modules. So, lots of cost and
downtime, for no good purpose. And no way to hold that software vendor
accountable for lost time and money.

--Bob, who much prefers *real* full disclosure.


On 2018-03-28 05:44 PM, Khalid Baheyeldin wrote:
> The security mailing list sends announcements only on Wednesdays,
> and ranges between nothing to 4 or 5 emails (e.g. modules with
> vulnerabilities, which you can ignore if you are not using them).
> 
> The FAQ is intentionally vague to make it hard(er) for exploiters.
> 
> This vulnerability has to do with sanitization of input, named
> $_GET, $_POST, $_COOKIE and $_REQUEST.
> 
> Here is the diff between the fixed version and the one before it.
> 
> https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
>
> On Wed, Mar 28, 2018 at 4:41 PM, Paul Nijjar
> <paul_nijjar at yahoo.ca> wrote:
> 
>> 
>> What is the vulnerability, exactly? The patch indicates that
>> users can input "dangerous keys". What are dangerous keys? Are
>> these query parameters in the URL? The FAQ is being irritating --
>> it is telling me this is a VERY BIG PROBLEM, but it is not
>> telling me what the problem is.
>> 
>> How busy is this security mailing list?
>> 
>> - Paul
>> 
>> 
>> On Wed, Mar 28, 2018 at 04:24:33PM -0400, Khalid Baheyeldin
>> wrote:
>>> Thanks Paul,
>>> 
>>> If anyone has Drupal sites, please update them NOW, before you
>>> read further.
>>> If you have a Drupal 6 site, there is a patch for it.
>>> 
>>> OK, did that?
>>> 
>>> Now go read this:
>>> 
>>> https://groups.drupal.org/security/faq-2018-002
>>> 
>>> Over the next few hours, we will see automated exploits that
>>> will own sites that have not been patched. This is a remote
>>> exploit that requires no privileges at all.
>>> 
>>> And please subscribe to the security mailing list.
>>> 
>>> On Wed, Mar 28, 2018 at 4:14 PM, Paul Nijjar via kwlug-disc < 
>>> kwlug-disc at kwlug.org> wrote:
>>> 
>>>> 
>>>> Khalid forwarded this to Charles and me, but it seems
>>>> relevant to other people as well if you are running Drupal.
>>>> 
>>>> - Paul
>>>> 
>>>> ----- Forwarded message from Khalid Baheyeldin <kb at 2bits.com> -----
>>>> 
>>>> Date: Wed, 28 Mar 2018 15:33:52 -0400
>>>> From: Khalid Baheyeldin <kb at 2bits.com>
>>>> To: Paul Nijjar <paul_nijjar at yahoo.ca>, Charles McColm <chaslinux at gmail.com>
>>>> Subject: Fwd: [Security-news] Drupal core - Highly critical - Remote
>>>> Code Execution - SA-CORE-2018-002
>>>> 
>>>> Guys,
>>>> 
>>>> You have Drupal sites, whether personal or otherwise.
>>>> 
>>>> Please update your sites now, as automated remote cracking
>>>> scripts will be developed within a few hours from now.
>>>> 
>>>> 
>>>> ---------- Forwarded message ----------
>>>> From: <security-news at drupal.org>
>>>> Date: Wed, Mar 28, 2018 at 3:21 PM
>>>> Subject: [Security-news] Drupal core - Highly critical - Remote Code
>>>> Execution - SA-CORE-2018-002
>>>> To: security-news at drupal.org
>>>> 
>>>> 
>>>> View online: https://www.drupal.org/sa-core-2018-002
>>>> 
>>>> Project: Drupal core [1]
>>>> Date: 2018-March-28
>>>> Security risk: *Highly critical* 21/25
>>>> AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default [2]
>>>> Vulnerability: Remote Code Execution
>>>> 
>>>> Description: CVE: CVE-2018-7600
>>>> 
>>>> A remote code execution vulnerability exists within multiple
>>>> subsystems of Drupal 7.x and 8.x. This potentially allows attackers
>>>> to exploit multiple attack vectors on a Drupal site, which could
>>>> result in the site being completely compromised.
>>>> 
>>>> The security team has written an FAQ [3] about this issue.
>>>> 
>>>> Solution: Upgrade to the most recent version of Drupal 7 or 8
>>>> core.
>>>> 
>>>> * *If you are running 7.x, upgrade to Drupal 7.58 [4].* (If you
>>>> are unable to update immediately, you can attempt to apply this
>>>> patch [5] to fix the vulnerability until such time as you are able
>>>> to completely update.)
>>>> * *If you are running 8.5.x, upgrade to Drupal 8.5.1 [6].* (If you
>>>> are unable to update immediately, you can attempt to apply this
>>>> patch [7] to fix the vulnerability until such time as you are able
>>>> to completely update.)
>>>> 
>>>> Drupal 8.3.x and 8.4.x are no longer supported and we don't
>>>> normally provide security releases for unsupported minor
>>>> releases [8]. However, given the potential severity of this issue,
>>>> we /are/ providing 8.3.x and 8.4.x releases that include the fix
>>>> for sites which have not yet had a chance to update to 8.5.0.
>>>> 
>>>> Your site's update report page will recommend the 8.5.x release
>>>> even if you are on 8.3.x or 8.4.x. Please take the time to update
>>>> to a supported version after installing this security update.
>>>> 
>>>> * If you are running 8.3.x, upgrade to Drupal 8.3.9 [9] or
>>>> apply this patch [10].
>>>> * If you are running 8.4.x, upgrade to Drupal 8.4.6 [11] or
>>>> apply this patch [12].
>>>> 
>>>> This issue also affects Drupal 8.2.x and earlier, which are
>>>> no longer supported. If you are running any of these versions
>>>> of Drupal 8, update to a more recent release and then follow the
>>>> instructions above.
>>>> 
>>>> This issue also affects Drupal 6.  Drupal 6 is End of Life.
>>>> For more information on Drupal 6 support please contact a
>>>> D6LTS vendor [13].
>>>> 
>>>> Reported By:
>>>> * Jasper Mattsson [14]
>>>> 
>>>> Fixed By:
>>>> * Jasper Mattsson [15]
>>>> * Samuel Mortenson [16] Provisional Drupal Security Team member
>>>> * David Rothstein [17] of the Drupal Security Team
>>>> * Jess (xjm) [18] of the Drupal Security Team
>>>> * Michael Hess [19] of the Drupal Security Team
>>>> * Lee Rowlands [20] of the Drupal Security Team
>>>> * Peter Wolanin [21] of the Drupal Security Team
>>>> * Alex Pott [22] of the Drupal Security Team
>>>> * David Snopek [23] of the Drupal Security Team
>>>> * Pere Orga [24] of the Drupal Security Team
>>>> * Neil Drumm [25] of the Drupal Security Team
>>>> * Cash Williams [26] of the Drupal Security Team
>>>> * Daniel Wehner [27]
>>>> * Tim Plunkett [28]
>>>> 
>>>> -------- CONTACT AND MORE INFORMATION ----------------------------------------
>>>> 
>>>> The Drupal security team can be reached by email at
>>>> security at drupal.org or via the contact form.
>>>> 
>>>> Learn more about the Drupal Security team and their policies,
>>>> writing secure code for Drupal, and securing your site.
>>>> 
>>>> 
>>>> [1] https://www.drupal.org/project/drupal
>>>> [2] https://www.drupal.org/security-team/risk-levels
>>>> [3] https://groups.drupal.org/security/faq-2018-002
>>>> [4] https://www.drupal.org/project/drupal/releases/7.58
>>>> [5] https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5
>>>> [6] https://www.drupal.org/project/drupal/releases/8.5.1
>>>> [7] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
>>>> [8] https://www.drupal.org/core/release-cycle-overview
>>>> [9] https://www.drupal.org/project/drupal/releases/8.3.9
>>>> [10] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
>>>> [11] https://www.drupal.org/project/drupal/releases/8.4.6
>>>> [12] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
>>>> [13] https://www.drupal.org/project/d6lts
>>>> [14] https://www.drupal.org/u/Jasu_M
>>>> [15] https://www.drupal.org/u/Jasu_M
>>>> [16] https://www.drupal.org/user/2582268
>>>> [17] https://www.drupal.org/user/124982
>>>> [18] https://www.drupal.org/user/65776
>>>> [19] https://www.drupal.org/user/102818
>>>> [20] https://www.drupal.org/u/larowlan
>>>> [21] https://www.drupal.org/user/49851
>>>> [22] https://www.drupal.org/u/alexpott
>>>> [23] https://www.drupal.org/u/dsnopek
>>>> [24] https://www.drupal.org/u/pere-orga
>>>> [25] https://www.drupal.org/u/drumm
>>>> [26] https://www.drupal.org/u/cashwilliams
>>>> [27] https://www.drupal.org/u/dawehner
>>>> [28] https://www.drupal.org/u/tim.plunkett
>>>> 
>>>> _______________________________________________
>>>> Security-news mailing list
>>>> Security-news at drupal.org
>>>> Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> Khalid M. Baheyeldin
>>>> 2bits.com, Inc.
>>>> Fast Reliable Drupal
>>>> Drupal optimization, development, customization and consulting.
>>>> Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
>>>> Simplicity is the ultimate sophistication. -- anonymous
>>>> 
>>>> ----- End forwarded message -----
>>>> 
>>>> -- http://pnijjar.freeshell.org
>>>> 
>>>> _______________________________________________
>>>> kwlug-disc mailing list
>>>> kwlug-disc at kwlug.org
>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Khalid M. Baheyeldin
>>> 2bits.com, Inc.
>>> Fast Reliable Drupal
>>> Drupal optimization, development, customization and consulting.
>>> Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
>>> Simplicity is the ultimate sophistication. -- anonymous
>> 
>> -- http://pnijjar.freeshell.org
>> 
> 
> 
> 
> 
> 
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> 

-- 
Bob Jonkman <bjonkman at sobac.com>          Phone: +1-519-635-9413
SOBAC Microcomputer Services             http://sobac.com/sobac/
Software   ---   Office & Business Automation   ---   Consulting
GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Ensure confidentiality, authenticity, non-repudiability

iEYEARECAAYFAlq8VI0ACgkQuRKJsNLM5eqy6wCgitPu5s1A/Zkk+Id0vdcs29E+
XWUAoL3aJWLqreLJg7FestB+jtoJpn38
=9cAw
-----END PGP SIGNATURE-----
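Editor's note on the "dangerous keys" Paul asks about and the "$_GET, $_POST, $_COOKIE and $_REQUEST" sanitization Khalid mentions: the fix linked in the thread strips request keys that begin with "#" from those arrays and from the raw query string, because Drupal reserves "#"-prefixed array keys for render array properties and a client must never be able to supply them. The PHP below is an added example written for this page, not Drupal's own RequestSanitizer code or anything from the advisory; it implements the same class of early input filtering. The function names, the dotted-path logging, the optional whitelist parameter and the sample request are all assumptions of this example.

```php
<?php
// Added example (not Drupal's own code): drop keys beginning with '#' from
// $_GET, $_POST, $_COOKIE, $_REQUEST and the raw query string before any
// application code can read them. Run it as early as possible, before routing.
declare(strict_types=1);

/**
 * Recursively remove keys that start with '#' unless they are whitelisted.
 * Every dropped key is appended to $removed as a dotted path for logging.
 */
function strip_dangerous_keys(array $input, array $whitelist, array &$removed, string $path): array
{
    foreach ($input as $key => $value) {
        $fullPath = $path . '.' . $key;
        if (is_string($key) && $key !== '' && $key[0] === '#'
            && !in_array($key, $whitelist, true)) {
            $removed[] = $fullPath;
            unset($input[$key]);   // safe: by-value foreach iterates over a copy
            continue;
        }
        if (is_array($value)) {
            // Nested arrays (form[#x]=...) are filtered too; a top-level check alone is not enough.
            $input[$key] = strip_dangerous_keys($value, $whitelist, $removed, $fullPath);
        }
    }
    return $input;
}

/**
 * Filter a raw query string and rebuild it without the offending keys, so
 * code that re-parses QUERY_STRING itself cannot see them either.
 */
function sanitize_query_string(string $query, array $whitelist, array &$removed): string
{
    parse_str($query, $params);
    $clean = strip_dangerous_keys($params, $whitelist, $removed, 'QUERY_STRING');
    return http_build_query($clean);
}

/**
 * Sanitize the superglobals in place. $_REQUEST is an independent copy in
 * PHP, so it must be filtered on its own; cleaning $_GET does not clean it.
 * Returns the list of removed key paths so the caller can log or alert on it.
 */
function sanitize_request(array $whitelist = []): array
{
    $removed = [];
    $_GET     = strip_dangerous_keys($_GET, $whitelist, $removed, 'GET');
    $_POST    = strip_dangerous_keys($_POST, $whitelist, $removed, 'POST');
    $_COOKIE  = strip_dangerous_keys($_COOKIE, $whitelist, $removed, 'COOKIE');
    $_REQUEST = strip_dangerous_keys($_REQUEST, $whitelist, $removed, 'REQUEST');
    if (isset($_SERVER['QUERY_STRING'])) {
        $_SERVER['QUERY_STRING'] = sanitize_query_string($_SERVER['QUERY_STRING'], $whitelist, $removed);
    }
    if ($removed !== []) {
        // Legitimate clients never send such keys, so a hit here is worth alerting on.
        error_log('Stripped disallowed request keys: ' . implode(', ', $removed));
    }
    return $removed;
}

// Constructed sample request for the demonstration (not a captured request).
$_GET     = ['q' => 'node/1', '#prop' => 'x', 'form' => ['#nested' => 'y', 'ok' => '1']];
$_POST    = ['form_id' => 'user_register_form', 'mail' => ['#prop' => 'z', 'value' => 'a@b.example']];
$_COOKIE  = ['session' => 'abc'];
$_REQUEST = $_GET + $_POST;
$_SERVER['QUERY_STRING'] = 'q=node/1&%23prop=x&form[%23nested]=y&form[ok]=1';

$removed = sanitize_request();
print_r($removed);
print_r($_GET);
echo $_SERVER['QUERY_STRING'], PHP_EOL;
```

Two points a site operator can take from this even without reading the Drupal diff: the filter has to run before any framework code touches the request (in Drupal the equivalent hooks into bootstrap), and the list of stripped keys is a useful detection signal, since ordinary browsers and forms never produce "#"-prefixed parameters and a burst of them in the logs after 2018-03-28 would indicate the automated scanning Khalid predicts.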



