Unpatched Drupal flaws open websites to attacks

IOActive has uncovered a number of serious vulnerabilities affecting the Drupal CMS that could be exploited to completely takeover the vulnerable websites.

A new vulnerability affecting Drupal could be exploited for code execution and database credentials theft (by Man-in-the-Middle), according to Fernando Arnaboldi, a senior security consultant working in IOActive.

Fernando Arnaboldi says that the vulnerabilities affect the way Drupal processes updates, and it is in a wild since some time. Drupal updates are not encrypted when being transferred, and no authenticity is verified, so that means that anyone in the same network of a potential victim can launch a man-in-the-middle attack.

“To exploit unencrypted updates, an attacker must be suitably positioned to eavesdrop on the victim’s network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection, such as public WiFi, or a corporate or home network that is shared with a compromised computer. ”  states a blog post published according to Fernando.

Drupal update process downloads a plaintext version of a XML file, that can be changed to point to a backdoored version of Drupal, or a version from an untrusted server.

In the tests performed by Fernando, he re-named an update “7.41 Backdoored,” and the download started. When the update process starts the attacker can run a module to retrieve the Drupal database password and execute code.

Waiting for a fix, it is suggested to manually download updates.

Another problem identified by the expert is that the last two versions of the popular CMS doesn’t notify the user when it’s facing a network problem during the update process, telling the user that “All your projects are up to date.”

The third issue is related the “Check Manually” link, since it ca be used in a cross-site request forgery attack.

“Administrators may unwillingly be forcing their servers to request unlimited amounts of information from updates.drupal.org to consume network bandwidth,” said Fernando.

Fernando said to Threatpost that older sites running Drupal can be victims to a denial of service attack ” if the downstream network bandwidth of a website is lower than the upstream network bandwidth of drupal.org.”

The experts at IOActive firm had a private conversation with the Drupal’s security team about the security issues, which admitted the problems and made no objections to disclose them, including the more concerning issue related with CSRF vulnerability.

“The CSRF vulnerability was a more sensitive issue, because some of the members of the security team were concerned about the implications for drupal.org in case this were to be exploited in the wild,”, “CSRF vulnerabilities are always tricky to be properly solved, but they have already multiple CSRF protections in place for Drupal, so probably this was not a new topic for them.”

“I originally thought that some of these issues were going to be solved before releasing Drupal 8, but it was not the case,”

At the time I was writing there are no plans from Drupal in a short term to fix the issues.

About the Author Elsio Pinto

Pierluigi Paganini

(Security Affairs – CMS, hacking)