The developers of the Drupal content management system (CMS) released out-of-band security updates right before Thanksgiving due to the availability of exploits.
The core updates released for Drupal 7, 8.8, 8.9 and 9.0 on November 25 address a couple of vulnerabilities affecting PEAR Archive_Tar, a third-party library designed for handling .tar files in PHP.
The developers of the library released an update recently to address two vulnerabilities, tracked as CVE-2020-28948 and CVE-2020-28949, that can be exploited to bypass Phar unresialization protections.
Exploitation involves manipulating file names and it can allow an attacker to execute arbitrary PHP code or overwrite files, including important files such as /etc/passwd and /etc/shadow.
The researcher who reported the vulnerabilities to PEAR developers also made public proof-of-concept (PoC) exploits so Drupal decided to roll out the patches to its users as soon as possible.
“According to the regular security release window schedule, November 25th would not typically be a core security window. However, this release is necessary because there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable,” Drupal noted in its advisory.
Drupal developers pointed out that exploitation is possible if the CMS is configured to allow uploading .tar, .tar.gz, .bz2 or .tlz files. Similar vulnerabilities related to the same PEAR library were patched one year ago, but Drupal noted that they are not related, although the same types of configuration changes can mitigate the issue. The recommended mitigation involves preventing untrusted users from uploading files with the aforementioned extensions.
The latest updates have been assigned a “critical” severity rating, but it’s worth mentioning that Drupal uses the NIST Common Misuse Scoring System, which assigns vulnerabilities a score ranging between 0 and 25, with “critical” being only the second highest rating, after “highly critical.”
This is the sixth security update released this year for Drupal. The fifth was released earlier this month to patch a remote code execution vulnerability related to failure to properly sanitize the names of uploaded files.
Related: XSS, Open Redirect Vulnerabilities Patched in Drupal
Related: Drupal Patches Code Execution Flaw Most Likely to Impact Windows Servers
Related: Critical Drupal Vulnerability Allows Remote Code Execution
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- New York Man Arrested for Running BreachForums Cybercrime Website
- Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies
- Mozilla Patches High-Severity Vulnerabilities With Release of Firefox 111
- Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
Latest News
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
