A number of issues exist in the content management system Drupal that could lead to code execution and the theft of database credentials via a man-in-the-middle attack, a researcher warns.
The vulnerabilities lie in the way Drupal processes updates, according to Fernando Arnaboldi, senior security consultant with IOActive. Arnaboldi wrote a blog entry describing three of the issues, including one that has existed in the wild in some shape or form for years, and two which are being disclosed for the first time this week.
The issue that’s lingered the longest, Arnaboldi claims, is that Drupal’s updates aren’t encrypted when they’re transferred, nor does the CMS verify the authenticity of the updates when they arrive.
To exploit the vulnerability an attacker would have to be on the same network and carry out a man-in-the-middle attack, Arnaboldi writes.
The update process involves Drupal downloading a plaintext XML file, but Arnaboldi points out the XML file could point to a backdoored version of Drupal, or a version from an untrusted server. In his proof of concept, Arnaboldi names an update “7.41 Backdoored,” and it’s downloaded. After the update process is started, and the attacker runs a module, they could theoretically retrieve the Drupal database password and execute code.
As there’s no fix available, Arnaboldi is encouraging those who use the software to manually download updates for it, and its add-ons, to stay safe.
One of the newer issues isn’t exactly a vulnerability, but does seem like something that could wind up giving users a false sense of security. The last two versions of the CMS, including the latest one, released in November, fail to notify users when they encounter a network problem during the update process. Instead of giving a warning message, it simply tells users “All your projects are up to date.”
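The two failure modes described above, an unauthenticated manifest fetched in cleartext and a network error that surfaces as “up to date”, map onto checks an update client can make before it trusts a manifest. The following is an added example, not Drupal’s own update code: it verifies a manifest signature, rejects download links that are not HTTPS on an allowlisted host, refuses a version string that is not purely numeric (such as “7.41 Backdoored”), and reports a network failure as an explicit “unknown” status rather than a reassuring one. The manifest layout, the `MANIFEST_KEY`, the `TRUSTED_HOSTS` allowlist and all sample data are constructed for the example; a real deployment would use an asymmetric signature whose public key is obtained out of band.

```python
"""Added example (not Drupal's own code): a defensive update-manifest check.

The manifest format, the signing key and the host allowlist are assumptions
made for this example, not Drupal's actual update protocol.
"""
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed: a key the operator receives out of band, never over the same
# channel as the manifest.  HMAC keeps the example self-contained; a real
# client would verify an asymmetric signature with a pinned public key.
MANIFEST_KEY = b"constructed-demo-key"
# Assumed allowlist of hosts an update may be downloaded from.
TRUSTED_HOSTS = {"updates.drupal.org", "ftp.drupal.org"}
VERSION_RE = re.compile(r"\d+(\.\d+)*")


def sign_manifest(manifest_xml: bytes) -> str:
    """Produce the signature the server side would attach to a manifest."""
    return hmac.new(MANIFEST_KEY, manifest_xml, hashlib.sha256).hexdigest()


def verify_manifest(manifest_xml: bytes, signature: str) -> bool:
    """Constant-time comparison so a forged signature leaks no timing."""
    return hmac.compare_digest(sign_manifest(manifest_xml), signature)


def evaluate_update(installed: str, manifest_xml, signature) -> dict:
    """Decide what to do with a fetched manifest.

    manifest_xml is the raw bytes, or None if the network call failed.
    A failed fetch must never be reported as 'up to date'.
    """
    if manifest_xml is None:
        return {"status": "unknown", "reason": "network error while checking"}
    if not signature or not verify_manifest(manifest_xml, signature):
        return {"status": "rejected", "reason": "manifest signature invalid"}
    try:
        release = ET.fromstring(manifest_xml).find("release")
    except ET.ParseError:
        return {"status": "rejected", "reason": "manifest is not well-formed"}
    if release is None:
        return {"status": "rejected", "reason": "manifest has no release entry"}
    version = release.findtext("version") or ""
    url = release.findtext("download_link") or ""
    # A version that is not purely numeric (e.g. "7.41 Backdoored") is a sign
    # the manifest was altered, even if a signature happened to cover it.
    if not VERSION_RE.fullmatch(version):
        return {"status": "rejected", "reason": f"malformed version {version!r}"}
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in TRUSTED_HOSTS:
        return {"status": "rejected", "reason": f"untrusted download link {url}"}
    if version == installed:
        return {"status": "up_to_date", "version": version}
    return {"status": "update_available", "version": version, "url": url}


# Constructed sample manifests used below.
GOOD_MANIFEST = (
    b"<project><short_name>drupal</short_name><release>"
    b"<version>7.41</version>"
    b"<download_link>https://ftp.drupal.org/files/projects/drupal-7.41.tar.gz"
    b"</download_link></release></project>"
)
GOOD_SIGNATURE = sign_manifest(GOOD_MANIFEST)
# What an in-path tamperer might substitute: altered version, cleartext link.
TAMPERED_MANIFEST = (
    b"<project><short_name>drupal</short_name><release>"
    b"<version>7.41 Backdoored</version>"
    b"<download_link>http://198.51.100.7/drupal-7.41.tar.gz"
    b"</download_link></release></project>"
)

if __name__ == "__main__":
    print(evaluate_update("7.39", GOOD_MANIFEST, GOOD_SIGNATURE))
    print(evaluate_update("7.39", TAMPERED_MANIFEST, GOOD_SIGNATURE))
    print(evaluate_update("7.39", None, None))
```

The ordering of the checks matters: the signature is verified over the raw bytes before anything is parsed, so a tampered document is rejected without the parser ever seeing it, and the “unknown” branch exists precisely so that a failed fetch is never folded into the “up to date” message the article describes.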
Users can still check for updates manually, however, thanks to a “Check Manually” link, and that’s where the third issue comes into play.
According to Arnaboldi, an attacker could use the same static link in a cross-site request forgery attack, or further leverage the vulnerability on Drupal builds that predate Drupal 8 to carry out a server-side request forgery attack.
“Administrators may unwillingly be forcing their servers to request unlimited amounts of information from updates.drupal.org to consume network bandwidth,” Arnaboldi wrote.
Arnaboldi told Threatpost Wednesday that older sites running Drupal could also fall victim to a denial of service attack through more or less the same means, if the downstream network bandwidth of a website is lower than the upstream network bandwidth of drupal.org.
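The CSRF and bandwidth concerns above come from a static, unauthenticated link that triggers an outbound request. The following is an added example, not Drupal’s own code, of the two controls that address it: the link carries a token bound to the administrator’s session, so a cross-site page cannot forge it, and repeated checks from one session are throttled so the server cannot be driven to fetch from updates.drupal.org without limit. The URL path, `SITE_SECRET`, the session identifiers and the `MIN_INTERVAL_SECONDS` value are assumptions made for the example.

```python
"""Added example (not Drupal's own code): a session-bound CSRF token plus a
per-session throttle for a 'check for updates' action.

The path, secret, session ids and interval are constructed for this example.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

SITE_SECRET = b"constructed-site-secret"   # assumed per-site secret
ACTION = "update-check"
MIN_INTERVAL_SECONDS = 60.0                 # assumed throttle window
_last_check = {}                            # session id -> timestamp of last check


def csrf_token(session_id: str, action: str) -> str:
    """Token tied to both the session and the specific action."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def check_manually_link(session_id: str) -> str:
    """The link rendered for this administrator; differs per session."""
    return "/admin/reports/updates/check?token=" + csrf_token(session_id, ACTION)


def handle_update_check(request_url: str, session_id: str, now: float) -> str:
    """Server-side handler. Returns 'allowed' or 'denied: <reason>'."""
    qs = parse_qs(urlparse(request_url).query)
    token = qs.get("token", [""])[0]
    if not token:
        return "denied: missing token"
    expected = csrf_token(session_id, ACTION)
    # Compare as bytes so arbitrary user input cannot raise on non-ASCII.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return "denied: token does not match session"
    last = _last_check.get(session_id)
    if last is not None and now - last < MIN_INTERVAL_SECONDS:
        return "denied: throttled"
    _last_check[session_id] = now
    return "allowed"


if __name__ == "__main__":
    link = check_manually_link("session-A")
    print(link)
    print(handle_update_check(link, "session-A", now=0.0))
    print(handle_update_check(link, "session-A", now=1.0))
    print(handle_update_check("/admin/reports/updates/check", "session-A", now=0.0))
```

Because the token is derived from the session id, the same link pasted into a page an attacker controls only validates for the session that generated it, and the throttle is checked only after the token passes so an unauthenticated flood cannot consume the throttle state of a legitimate administrator.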
Arnaboldi acknowledged that IOActive had a private discussion with Drupal’s security team about the issues and eventually agreed to keep a thread discussing the encryption issue public on Drupal.org. That thread’s existed since April 2012 and was reopened after Arnaboldi reached out to Drupal last November.
Officials with Drupal did not respond to inquiries on Wednesday. Arnaboldi claims the company didn’t have any objections to IOActive publishing any of the issues, even the more concerning CSRF vulnerability.
“The CSRF vulnerability was a more sensitive issue, because some of the members of the security team were concerned about the implications for drupal.org in case this were to be exploited in the wild,” Arnaboldi said. “CSRF vulnerabilities are always tricky to be properly solved, but they have already multiple CSRF protections in place for Drupal, so probably this was not a new topic for them.”
The researcher told Threatpost that it doesn’t look like Drupal has any short term plans for fixing the issues, and was surprised some of the issues weren’t addressed previously.
“I originally thought that some of these issues were going to be solved before releasing Drupal 8, but it was not the case,” Arnaboldi said.
Attacks on update mechanisms are not out of the ordinary.
Researchers this past summer discovered that the update process for some LG apps fails to verify that the security certificates presented are legitimate, something that opened some devices made by the company up to man-in-the-middle attacks.
Last year, researchers also with IOActive ferreted out a few vulnerabilities in the way Lenovo handles updates on its PCs. An attacker could bypass signature validation and switch the executable that’s downloaded by Lenovo System Update. As a result, attackers could create a bogus CA and use it to create a code-signing certificate that could then be used to sign executables.