April 2018 - Security-news - lists.drupal.org

DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022
by security-news＠drupal.org 25 Apr '18

25 Apr '18

View online: https://www.drupal.org/sa-contrib-2018-022 Project: DRD Agent [1] Date: 2018-April-25 Security risk: *Critical* 15∕25 AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: PHP object injection Description: This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard. The modules (DRD and DRD Agent) encrypt the data which is exchanged between them but in order to do so, they use the PHP serialize/unserialize functions instead of the json_encode/json_decode combination. As the unserialize function is called on unauthenticated content, this introduces a PHP object injection vulnerability. Solution: Install the latest version: * If you use the DRD module for Drupal 8.x, upgrade to DRD 8.x-3.14 [3] * If you use the DRD Agent module for Drupal 8.x, upgrade to DRD Agent 8.x-3.7 [4] * If you use the DRD Agent module for Drupal 7.x, upgrade to DRD Agent 7.x-3.5 [5] Reported By: * David Snopek [6] of the Drupal Security Team Fixed By: * David Snopek [7] of the Drupal Security Team * Jürgen Haas [8] Coordinated By: * David Snopek [9] of the Drupal Security Team [1] https://www.drupal.org/project/drd_agent [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/2965986 [4] https://www.drupal.org/node/2965984 [5] https://www.drupal.org/node/2965982 [6] https://www.drupal.org/user/266527 [7] https://www.drupal.org/user/266527 [8] https://www.drupal.org/user/168924 [9] https://www.drupal.org/user/266527

1 0

JSON API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021
by security-news＠drupal.org 25 Apr '18

25 Apr '18

View online: https://www.drupal.org/sa-contrib-2018-021 Project: JSON API [1] Version: 8.x-1.15 Date: 2018-April-25 Security risk: *Moderately critical* 11∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Cross Site Request Forgery Description: This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The module doesn't provide CSRF protection when processing authenticated traffic using cookie-based authentication. This vulnerability is mitigated by the fact that an attacker must be allowed to create or modify entities of a certain type, and a very specific and uncommon CORS configuration that allows all other pre-checks to be skipped. Solution: Install the latest version: * If you use the JSON API module for Drupal 8.x, upgrade to 8.x-1.16 [3] Reported By: * Mateu Aguiló Bosch (e0ipso) [4] Fixed By: * Mateu Aguiló Bosch (e0ipso) [5] * Wim Leers [6] * Daniel Wehner (dawehner) [7] * Gabe Sullice [8] Coordinated By: * Michael Hess [9] of the Drupal Security Team [1] https://www.drupal.org/project/jsonapi [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/jsonapi/releases/8.x-1.16 [4] https://www.drupal.org/user/550110 [5] https://www.drupal.org/user/550110 [6] https://www.drupal.org/user/99777 [7] https://www.drupal.org/user/99340 [8] https://www.drupal.org/user/2287430 [9] https://www.drupal.org/u/mlhess

1 0

Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020
by security-news＠drupal.org 25 Apr '18

25 Apr '18

View online: https://www.drupal.org/sa-contrib-2018-020 Project: Media [1] Version: 7.x-2.18 Date: 2018-April-25 Security risk: *Critical* 18∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:All [2] Vulnerability: Remote Code Execution Description: The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a third party site. The module contained a vulnerability similar to SA-CORE-2018-004 [3], leading to a possible remote code execution (RCE) attack. Solution: Install the latest version: * If you use the Media module for Drupal 7.x-2.x, upgrade to Media 7.x-2.19 [4] Coordinated By: * Dave Reid [5] the module maintainer and member of the Drupal Security Team [1] https://www.drupal.org/project/media [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2018-004 [4] https://www.drupal.org/project/media/releases/7.x-2.19 [5] https://www.drupal.org/u/dave-reid

1 0

Drupal core - Critical - Remote Code Execution - SA-CORE-2018-004
by security-news＠drupal.org 25 Apr '18

25 Apr '18

View online: https://www.drupal.org/sa-core-2018-004 Project: Drupal core [1] Date: 2018-April-25 Security risk: *Critical* 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2] Vulnerability: Remote Code Execution Description: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002 [3]. While SA-CORE-2018-002 is being exploited in the wild, this vulnerability is not known to be in active exploitation as of this release. Solution: Upgrade to the most recent version of Drupal 7 or 8 core. * If you are running 7.x, upgrade to Drupal 7.59 [4]. * If you are running 8.5.x, upgrade to Drupal 8.5.3 [5]. * If you are running 8.4.x, upgrade to Drupal 8.4.8 [6]. (Drupal 8.4.x is no longer supported and we don't normally provide security releases for unsupported minor releases [7]. However, we are providing this 8.4.x release so that sites can update as quickly as possible. You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible.) If you are unable to update immediately, or if you are running a Drupal distribution that does not yet include this security release, you can attempt to apply the patch below to fix the vulnerability until you are able to update completely: * Patch for Drupal 8.x [8] (8.5.x and below) * Patch for Drupal 7.x [9] These patches will only work if your site already has the fix from SA-CORE-2018-002 [10] applied. (If your site does not have that fix, it may already be compromised [11].) Reported By: * David Rothstein [12] of the Drupal Security Team * Alex Pott [13] of the Drupal Security Team * Heine Deelstra [14] of the Drupal Security Team * Jasper Mattsson [15] Fixed By: * David Rothstein [16] of the Drupal Security Team * xjm [17] of the Drupal Security Team * Samuel Mortenson [18] of the Drupal Security Team * Alex Pott [19] of the Drupal Security Team * Lee Rowlands [20] of the Drupal Security Team * Heine Deelstra [21] of the Drupal Security Team * Pere Orga [22] of the Drupal Security Team * Peter Wolanin [23] of the Drupal Security Team * Tim Plunkett [24] * Michael Hess [25] of the Drupal Security Team * Nate Lampton [26] * Jasper Mattsson [27] * Neil Drumm [28] of the Drupal Security Team * Cash Williams [29] of the Drupal Security Team * Daniel Wehner [30] [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2018-002 [4] https://www.drupal.org/project/drupal/releases/7.59 [5] https://www.drupal.org/project/drupal/releases/8.5.3 [6] https://www.drupal.org/project/drupal/releases/8.4.8 [7] https://www.drupal.org/core/release-cycle-overview [8] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=bb6d396609600d1169da… [9] https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=080daa38f265ea28444c54… [10] https://www.drupal.org/sa-core-2018-002 [11] https://www.drupal.org/psa-2018-002 [12] https://www.drupal.org/user/124982 [13] https://www.drupal.org/user/157725 [14] https://www.drupal.org/user/17943 [15] https://www.drupal.org/user/521118 [16] https://www.drupal.org/user/124982 [17] https://www.drupal.org/user/65776 [18] https://www.drupal.org/user/2582268 [19] https://www.drupal.org/user/157725 [20] https://www.drupal.org/user/395439 [21] https://www.drupal.org/user/17943 [22] https://www.drupal.org/user/2301194 [23] https://www.drupal.org/user/49851 [24] https://www.drupal.org/user/241634 [25] https://www.drupal.org/user/102818 [26] https://www.drupal.org/user/35821 [27] https://www.drupal.org/user/521118 [28] https://www.drupal.org/user/3064 [29] https://www.drupal.org/user/421070 [30] https://www.drupal.org/user/99340

1 0

Drupal 7 and 8 core critical release on April 25th, 2018 PSA-2018-003
by security-news＠drupal.org 23 Apr '18

23 Apr '18

View online: https://www.drupal.org/psa-2018-003 There will be a security release of * Drupal 7.x, 8.4.x, and 8.5.x on April 25th, 2018 between 16:00 - 18:00 UTC*. This PSA is to notify that the Drupal core release is outside of the regular schedule [1] of security releases. For all security updates, the Drupal Security Team urges you to reserve time for core updates at that time because there is some risk that exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page. This security release is a follow-up to the one released as SA-CORE-2018-002 [2] on March 28. * Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure. * Sites on 8.4.x should immediately update to the 8.4.8 release that will be provided in the advisory, and then plan to update to 8.5.3 or the latest security release as soon as possible (since 8.4.x no longer receives official security coverage). The security advisory will list the appropriate version numbers for each branch. Your site's update report page will recommend the 8.5.x release even if you are on 8.4.x or an older release, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update. Patches for Drupal 7.x, 8.4.x, 8.5.x and 8.6.x will be provided in addition to the releases mentioned above. (If your site is on a Drupal 8 release older than 8.4.x, it no longer receives security coverage and will not receive a security update. The provided patches may work for your site, but upgrading is strongly recommended as older Drupal versions contain other disclosed security vulnerabilities.) This release will not require a database update. The CVE for this issue is CVE-2018-7602. The Drupal-specific identifier for the issue will be SA-CORE-2018-004. The Security Team or any other party is not able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security, over Twitter, and in email for those who have subscribed to our email list. To subscribe to the email list: login on Drupal.org, go to your user profile page, and subscribe to the security newsletter on the Edit » My newsletters tab. Journalists interested in covering the story are encouraged to email security-press(a)drupal.org to be sure they will get a copy of the journalist-focused release. The Security Team will release a journalist-focused summary email at the same time as the new code release and advisory. If you find a security issue, please report it at https://www.drupal.org/security-team/report-issue. [1] https://www.drupal.org/node/1173280 [2] https://www.drupal.org/sa-core-2018-002

1 0

Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019
by security-news＠drupal.org 18 Apr '18

18 Apr '18

View online: https://www.drupal.org/sa-contrib-2018-019 Project: Display Suite [1] Version: 7.x-2.147.x-1.9 Date: 2018-April-18 Security risk: *Critical* 17∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross site scripting (XSS) Description: Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. The module doesn't sufficiently validate view modes provided dynamically via URLs leading to a reflected cross site scripting (XSS) attack. This vulnerability is mitigated only by the fact that most modern browsers protect against reflected XSS via the url. Solution: * If you use the Display Suite module for Drupal 7.x-1.x, upgrade to Display Suite 7.x-1.10 [3] * If you use the Display Suite module for Drupal 7.x-2.x, upgrade to Display Suite 7.x-2.15 [4] Reported By: * Liz Pringi [5] Fixed By: * Kristof De Jaeger [6] the module maintainer Coordinated By: * Rick Manelius [7] of the Drupal Security Team * Greg Knaddison [8] of the Drupal Security Team [1] https://www.drupal.org/project/ds [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/ds/releases/7.x-1.10 [4] https://www.drupal.org/project/ds/releases/7.x-2.15 [5] https://www.drupal.org/u/epringi [6] https://www.drupal.org/u/swentel [7] https://www.drupal.org/u/rickmanelius [8] https://www.drupal.org/u/greggles

1 0

Menu Import and Export - Critical - Access bypass - SA-CONTRIB-2018-018
by security-news＠drupal.org 18 Apr '18

18 Apr '18

View online: https://www.drupal.org/sa-contrib-2018-018 Project: Menu Import and Export [1] Version: 8.x-1.0 Date: 2018-April-18 Security risk: *Critical* 17∕25 AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Uncommon [2] Vulnerability: Access bypass Description: This module helps in exporting and importing Menu Items via the administrative interface. The module does not properly restrict access to administrative pages, allowing anonymous users to export and import menu links. There is no mitigation for this vulnerability. Solution: Update to Menu Import and Export 8.x-1.2 [3]. Reported By: * Nathan Dentzau [4] Fixed By: * Sandeep Reddy [5] Coordinated By: * Samuel Mortenson [6] of the Drupal Security Team * Michael Hess [7] of the Drupal Security Team [1] https://www.drupal.org/project/menu_export [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/menu_export/releases/8.x-1.2 [4] https://www.drupal.org/u/nathandentzau [5] https://www.drupal.org/u/sandeepguntaka [6] https://www.drupal.org/u/samuelmortenson [7] https://www.drupal.org/u/mlhess

1 0

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003
by security-news＠drupal.org 18 Apr '18

18 Apr '18

View online: https://www.drupal.org/sa-core-2018-003 Project: Drupal core [1] Date: 2018-April-18 Security risk: *Moderately critical* 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Scripting Description: CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability [3]. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses). We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window. Solution: * If you are using Drupal 8, update to Drupal 8.5.2 [4] or Drupal 8.4.7 [5]. * The Drupal 7.x CKEditor contributed module [6] is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable. * If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG [7] module or the CKEditor module with CKEditor locally) and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor's site [8]. Reported By: * Kyaw Min Thein [9] Fixed By: * Marek Lewandowski [10] of the CKEditor team * Wiktor Walc [11] of the CKEditor team * Wim Leers [12] * xjm [13] Of the Drupal Security Team * Lee Rowlands [14] of the Drupal Security Team * Daniel Wehner [15] * Hai-Nam Nguyen [16] * Matthew Grill [17] [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released/ [4] https://www.drupal.org/project/drupal/releases/8.5.2 [5] https://www.drupal.org/project/drupal/releases/8.4.7 [6] https://www.drupal.org/project/ckeditor [7] https://www.drupal.org/project/wysiwygw [8] https://ckeditor.com/ckeditor-4/download/ [9] https://www.drupal.org/user/3560461 [10] https://www.drupal.org/user/3339830 [11] https://www.drupal.org/user/184556 [12] https://www.drupal.org/u/wim-leers [13] https://www.drupal.org/u/xjm [14] https://www.drupal.org/user/395439 [15] https://www.drupal.org/user/99340 [16] https://www.drupal.org/user/210762 [17] https://www.drupal.org/user/1602706

1 0

Drupal Core - Highly Critical - Public Service announcement - PSA-2018-002
by security-news＠drupal.org 13 Apr '18

13 Apr '18

View online: https://www.drupal.org/psa-2018-002 * Advisory ID: PSA-2018-002 * Project: Drupal core [1] * Version: 7.x, 8.x * Date: 2018-April-13 * Security risk: 25/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Exploit/TD:All [2] -------- DESCRIPTION --------------------------------------------------------- This Public Service Announcement is a follow-up to SA-CORE-2018-002 - Drupal core - RCE [3]. This is *not* an announcement of a new vulnerability. If you have not updated your site as described in SA-CORE-2018-002 you should assume your site has been targeted and follow directions for remediation as described below. The security team is now aware of automated attacks attempting to compromise Drupal 7 and 8 websites using the vulnerability reported in SA-CORE-2018-002 [4]. Due to this, the security team is increasing the security risk score of that issue to 25/25 *Sites not patched by Wednesday, 2018-04-11 may be compromised.* This is the date when evidence emerged of automated attack attempts. It is possible targeted attacks occurred before that. *Simply updating Drupal will not remove backdoors or fix compromised sites.* If you find that your site is already patched, but you didn’t do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site. .... What to do if your site may be compromised Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack. Take a look at our help documentation, ”Your Drupal site got hacked, now what.” [5] .... Recovery Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access. Removing a compromised website’s backdoors is difficult because it is very difficult to be certain all backdoors have been found. If you did not patch, you should restore from a backup. While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch. For more information please refer to this guide on hacked sites. [6] -------- CONTACT AND MORE INFORMATION ---------------------------------------- We prepared a FAQ that was released when SA-CORE-2018-002 was published. Read more at FAQ on SA-CORE-2018-002 [7]. The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/SA-CORE-2018-002 [4] https://www.drupal.org//www.drupal.org/sa-core-2018-002 [5] https://www.drupal.org/node/2365547 [6] https://www.drupal.org/node/2365547 [7] https://groups.drupal.org/security/faq-2018-002 [8] https://www.drupal.org/contact [9] https://www.drupal.org/security-team [10] https://www.drupal.org/writing-secure-code [11] https://www.drupal.org/security/secure-configuration

1 0