Overview
On December 18, local time, Drupal officially issued a security advisory to announce multiple vulnerabilities in its core products, including one critical vulnerability and three medium-risk vulnerabilities.
- Serious symlink vulnerability
A vulnerability exists in the third-party library Archive_Tar used by Drupal, which is used to create, extract, and add TAR files. An issue exists in the way Archive_Tar decompresses the files with symbolic links. Once successfully exploiting this issue, an attacker could upload a malicious TAR file to overwrite sensitive files on the target server.
According to Drupal developers, proof-of-concept code is already available for this vulnerability.
- Medium-risk access bypass vulnerability
A security vulnerability exists in Drupal’s default media library module, allowing low-privileged users to access sensitive information.
- Medium-risk security restriction bypass the vulnerability
The file_save_upload () function in Drupal 8 does not remove the leading and trailing (‘.’) from the file name. Users who can upload any file name extension and contribution module can use it to overwrite any system file, such as .htaccess, to bypass security protection.
- Medium-risk denial-of-service vulnerability
The install.php file used by Drupal 8 contains a vulnerability that could be exploited by a remote unauthenticated attacker to corrupt the website’s cached data to ultimately cause a denial of service.
References:
https://www.drupal.org/sa-core-2019-012
https://www.drupal.org/sa-core-2019-011
https://www.drupal.org/sa-core-2019-010
https://www.drupal.org/sa-core-2019-009
Affected products and repairs
Vulnerability | Affected Version | Fixed Version |
Critical symlink vulnerability | Drupal 7.x < 7.69
Drupal 8.7.x< 8.7.11 Drupal 8.8.x< 8.8.1 |
Drupal 7.69
Drupal 8.7.11 Drupal 8.8.1 |
Medium-risk access bypass vulnerability
Medium-risk security restriction bypass vulnerability Medium-risk denial-of-service vulnerability |
Drupal 8.7.x< 8.7.11
Drupal 8.8.x< 8.8.1 |
Drupal 8.7.11
Drupal 8.8.1 |
Security Recommendations
Drupal Association has provided the latest versions for affected products to fix the vulnerabilities. Affected users are advised to visit the official website to download the update as soon as possible to prevent risks.
In addition, mitigation measures are provided for some vulnerabilities:
- Medium-risk access bypass vulnerability
This vulnerability can be fixed by unchecking the “Enable advanced UI” checkbox on /admin/config/media/media-library (This mitigation is not applicable to 8.7.x).
- Medium-risk denial-of-service vulnerability
Deny the access to install.php if the access is not required.
Reference:
Drupal 7.69 download:
https://www.drupal.org/project/drupal/releases/7.69
Drupal 8.7.11 download:
https://www.drupal.org/project/drupal/releases/8.7.11
Drupal 8.8.1 download:
https://www.drupal.org/project/drupal/releases/8.8.1
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Information Technology Co. Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.