Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Drupal Starts Patching Update Process Flaws

The developers of the Drupal content management system (CMS) have started patching the update process vulnerabilities disclosed recently by security firm IOActive.

The developers of the Drupal content management system (CMS) have started patching the update process vulnerabilities disclosed recently by security firm IOActive.

IOActive researcher Fernando Arnaboldi last week reported finding three security issues related to the Drupal update process. The expert discovered that Drupal 7 and 8 erroneously inform users that their installation is up to date if a failure occurs.

Drupal developers have admitted that “this is not ideal and should be corrected,” but they have highlighted that only the “Available updates” page in the admin interface does not correctly warn about failures. The impact of this issue should be limited considering that the Drupal Security Team’s advisories are distributed via multiple channels, including email, RSS, HTML and Twitter.

The second vulnerability identified by Arnaboldi is a cross-site request forgery (CSRF) in the “Check manually” feature that can be exploited to force an administrator to check for updates. The flaw can also be leveraged to use a large amount of resources from Drupal.org via a server-side request forgery (SSRF) attack.

The IOActive researcher also discovered that Drupal security updates are transferred unencrypted and their authenticity is not checked. This flaw, which has been known since 2012, allows a man-in-the-middle (MitM) attacker to intercept the connection and serve a backdoored version of Drupal or a Drupal module. A malicious hacker could exploit this to compromise the targeted website.

Drupal developers have pointed out that while the CSRF vulnerability could pose a serious risk, the weakness is only of value to an attacker that is capable of intercepting traffic or poisoning DNS. As for consuming Drupal.org resources, it would not be easy for an attacker to cause significant damage considering that there are millions of websites making multiple requests each day to Drupal.org. Furthermore, Drupal has pointed out that the update service is cached and placed behind a content delivery network (CDN).

The fact that security updates are downloaded unencrypted can also be exploited only by an attacker with a privileged position on the network or who can perform DNS poisoning, Drupal said.

Drupal is in the process of fixing the CSRF and update status vulnerabilities. As for the unencrypted file transfer issue, the developer says it’s in the process of switching infrastructure and update processes to use secure channels. Download channels not using SSL have been identified and fixes have been rolled out for some of them.

Advertisement. Scroll to continue reading.

“We have switched the most common download methods to use https by default and are working to add SSL to anonymous downloads via version control (git). The next step is to release an updated Drupal core,” Drupal developers said.

Until all download channels are secured, users can obtain code over SSL by manually downloading release archives from their project pages.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

The City of Phoenix has promoted Mitch Kohlbecker to the role of Chief Information Security Officer.

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.