The developers of the Drupal content management system (CMS) have started patching the update process vulnerabilities disclosed recently by security firm IOActive.
IOActive researcher Fernando Arnaboldi last week reported finding three security issues related to the Drupal update process. The expert discovered that Drupal 7 and 8 erroneously inform users that their installation is up to date if a failure occurs.
Drupal developers have admitted that “this is not ideal and should be corrected,” but they have highlighted that only the “Available updates” page in the admin interface does not correctly warn about failures. The impact of this issue should be limited considering that the Drupal Security Team’s advisories are distributed via multiple channels, including email, RSS, HTML and Twitter.
The second vulnerability identified by Arnaboldi is a cross-site request forgery (CSRF) in the “Check manually” feature that can be exploited to force an administrator to check for updates. The flaw can also be leveraged to use a large amount of resources from Drupal.org via a server-side request forgery (SSRF) attack.
The IOActive researcher also discovered that Drupal security updates are transferred unencrypted and their authenticity is not checked. This flaw, which has been known since 2012, allows a man-in-the-middle (MitM) attacker to intercept the connection and serve a backdoored version of Drupal or a Drupal module. A malicious hacker could exploit this to compromise the targeted website.
Drupal developers have pointed out that while the CSRF vulnerability could pose a serious risk, the weakness is only of value to an attacker that is capable of intercepting traffic or poisoning DNS. As for consuming Drupal.org resources, it would not be easy for an attacker to cause significant damage considering that there are millions of websites making multiple requests each day to Drupal.org. Furthermore, Drupal has pointed out that the update service is cached and placed behind a content delivery network (CDN).
The fact that security updates are downloaded unencrypted can also be exploited only by an attacker with a privileged position on the network or who can perform DNS poisoning, Drupal said.
Drupal is in the process of fixing the CSRF and update status vulnerabilities. As for the unencrypted file transfer issue, the developer says it’s in the process of switching infrastructure and update processes to use secure channels. Download channels not using SSL have been identified and fixes have been rolled out for some of them.
“We have switched the most common download methods to use https by default and are working to add SSL to anonymous downloads via version control (git). The next step is to release an updated Drupal core,” Drupal developers said.
Until all download channels are secured, users can obtain code over SSL by manually downloading release archives from their project pages.
