The Drupal Project has released patches for a highly critical vulnerability that affects all supported versions of the popular CMS, is very easy to exploit and can lead to a complete compromise of affected websites.
The vulnerability, which the Drupal Security Team had warned users since last week to prepare for, is reachable through multiple subsystems of Drupal 6.x, 7.x and 8.x, so it can be attacked in several ways. Successful exploitation is possible remotely without authentication and allows attackers to access, modify or delete all data on affected websites.
Deployments with default or common module configurations are exploitable, and the only available mitigations are impractical because they involve making all affected pages inaccessible. Replacing the Drupal site with a static HTML page, or putting the whole site behind password-based “Basic Auth” enforced by the web server, are possible workarounds until patches are applied. Simply enabling Drupal’s maintenance mode is not, because Drupal still bootstraps and handles requests in that mode.
Administrators are advised to update their Drupal deployments to versions 7.58 or 8.5.1. Updates 8.3.9 and 8.4.6 have also been released for the 8.3.x and 8.4.x branches, even though those branches are technically no longer supported. After applying the patches, users of these versions are strongly encouraged to upgrade to 8.5.1.
Drupal 6, which reached end of life in February 2016, is also affected, but limited support continues to be provided through a community program called Drupal 6 LTS (Long Term Support). Patches for this vulnerability are available through that project.
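The version advice above is easy to misapply across a large estate, so here is an added example (not code from the article or from the Drupal project) that reads the VERSION constant out of a Drupal docroot and classifies it against the fixed releases named here: 7.58, 8.3.9, 8.4.6 and 8.5.1. The file locations (core/lib/Drupal.php for 8.x, includes/bootstrap.inc for 7.x, modules/system/system.module for 6.x) are where each major version defines VERSION; every 6.x install is reported as needing the Drupal 6 LTS patch, because the LTS project's fixed version number is not given in the article, and 8.x branches newer than 8.5 are assumed to carry the fix because they were released after it. The sample docroots at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: classify Drupal checkouts against the patched releases
# 7.58, 8.3.9, 8.4.6 and 8.5.1. Not part of the original article.

# Print the VERSION constant of the Drupal tree rooted at $1.
# Prints nothing if the tree is not recognised as Drupal 6, 7 or 8.
drupal_version_from_docroot() {
    root=$1
    if [ -f "$root/core/lib/Drupal.php" ]; then
        # Drupal 8:   const VERSION = '8.5.1';
        sed -n "s/^[[:space:]]*const VERSION = '\([0-9A-Za-z.-]*\)';.*/\1/p" "$root/core/lib/Drupal.php"
    elif [ -f "$root/includes/bootstrap.inc" ]; then
        # Drupal 7:   define('VERSION', '7.58');
        sed -n "s/^define('VERSION', '\([0-9A-Za-z.-]*\)');.*/\1/p" "$root/includes/bootstrap.inc"
    elif [ -f "$root/modules/system/system.module" ]; then
        # Drupal 6:   define('VERSION', '6.38');
        sed -n "s/^define('VERSION', '\([0-9A-Za-z.-]*\)');.*/\1/p" "$root/modules/system/system.module"
    fi
}

# Echo one of: patched, vulnerable, unsupported, unknown.
drupal_patch_status() {
    v=$1
    [ -n "$v" ] || { echo unknown; return; }
    major=${v%%.*}
    rest=${v#*.}
    case $major in
        6)
            # Drupal 6 is end of life; the fix comes from the D6 LTS project.
            # Assumption: without a fixed core version to compare, every
            # 6.x install is flagged so the LTS patch gets applied.
            echo vulnerable ;;
        7)
            minor=${rest%%.*}; minor=${minor%%-*}
            [ "$minor" -ge 58 ] && echo patched || echo vulnerable ;;
        8)
            minor=${rest%%.*}
            patch=${rest#*.}; patch=${patch%%.*}; patch=${patch%%-*}
            case $minor in
                3) fixed=9 ;;
                4) fixed=6 ;;
                5) fixed=1 ;;
                0|1|2)
                    # No fix was issued for 8.0-8.2; the only path is 8.5.1.
                    echo unsupported; return ;;
                *)
                    # Assumption: branches released after the fix carry it.
                    echo patched; return ;;
            esac
            [ "$patch" -ge "$fixed" ] && echo patched || echo vulnerable ;;
        *)
            echo unknown ;;
    esac
}

# Report "<docroot> <version> <status>" for one tree.
drupal_check_docroot() {
    ver=$(drupal_version_from_docroot "$1")
    echo "$1 ${ver:-?} $(drupal_patch_status "$ver")"
}

# Constructed sample trees, just enough for the version sniffing above.
demo=$(mktemp -d)
mkdir -p "$demo/site-d8/core/lib" "$demo/site-d7/includes"
printf "class Drupal {\n  const VERSION = '8.5.0';\n}\n" > "$demo/site-d8/core/lib/Drupal.php"
printf "define('VERSION', '7.58');\n" > "$demo/site-d7/includes/bootstrap.inc"
for d in "$demo"/site-*; do drupal_check_docroot "$d"; done
rm -rf "$demo"
```

Point the loop at a list of docroots gathered from web-server configuration (for example every DocumentRoot or root directive on the host) and the output doubles as the inventory that is otherwise missing; anything reported as vulnerable, unsupported or unknown needs attention before the workarounds above can be lifted.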
According to the Drupal Project’s usage information, more than 1 million sites run vulnerable Drupal versions, including 9 percent of the top 10,000 sites on the internet that run a known content management system.
“It has been a while since such a dangerous and easily exploitable RCE vulnerability has been discovered on such a popular CMS as Drupal,” said Ilia Kolochenko, the CEO of web security company High-Tech Bridge, via email. “We can expect a massive exploitation of the vulnerability in the wild already by this afternoon. The situation is seriously aggravated by the Easter break, as many security and IT people will be away, granting attackers a huge advantage.”
According to Kolochenko, many organizations also have a “shadow IT” problem, where they don’t even have an inventory of the web applications on their networks. This makes it difficult to respond quickly to mitigate risks when serious flaws such as this one are found.
Cisco Fixes Critical Flaws in IOS and IOS XE Software
Cisco Systems has released security updates for its IOS and IOS XE network infrastructure software that’s used in routers and switches to fix 22 vulnerabilities, including three critical ones.
One vulnerability, rated 9.8 out of 10 on the CVSS scale, is located in the quality of service (QoS) subsystem of Cisco IOS and Cisco IOS XE. It is a buffer overflow in the processing of packets sent to the device on UDP port 18999 and can allow an unauthenticated remote attacker to execute arbitrary code on affected devices with elevated privileges.
“Customers who do not use the Adaptive QoS for DMVPN feature can deny all traffic destined to UDP port 18999 on an affected device by using a Control Plane Policing (CoPP) policy,” Cisco said in an advisory that explains how such a policy would look. Customers who can’t do this will have to update to a patched software version in order to protect their devices.
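The CoPP workaround Cisco describes looks roughly like the configuration below. This is an added illustration in Cisco IOS configuration syntax, not the advisory's own text; the ACL, class-map and policy-map names are invented, and it assumes the device has no control-plane policy yet (on a device that already has one, add the class to the existing policy-map rather than attaching a second one).

```cisco
! Added example: drop control-plane traffic to UDP/18999, the port used by
! Adaptive QoS for DMVPN. Only apply where that feature is not in use.
ip access-list extended ACL-COPP-UDP-18999
 permit udp any any eq 18999
!
class-map match-all CM-COPP-UDP-18999
 match access-group name ACL-COPP-UDP-18999
!
policy-map PM-COPP
 class CM-COPP-UDP-18999
  drop
!
control-plane
 service-policy input PM-COPP
```

Note that the ACL uses `permit` to select the traffic and the policy-map class does the dropping; a `deny` entry in the ACL would leave that traffic unmatched and therefore unfiltered. After applying it, `show policy-map control-plane` should show the class with a non-zero drop counter once a packet to that port arrives, which is also a cheap way to see whether anything on the network is probing the device. CoPP only governs traffic addressed to the device itself, so transit traffic on that port is unaffected, and the policy is a stopgap for the QoS flaw only; it does nothing for the other two critical issues, which still require the software update.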
Another critical vulnerability is located in the Smart Install feature and can be exploited by sending malformed packets to affected devices on TCP port 4786. Successful exploitation can allow attackers to trigger a reload of the device, to execute arbitrary code on it or to cause an indefinite loop.
Cisco Smart Install is a plug-and-play configuration and image-management feature that allows customers to automatically deploy new switches in remote locations. The flaw affects both IOS and IOS XE.
The third critical vulnerability affects only IOS XE and consists of an undocumented user account with privilege level 15 and a default username and password. Attackers could simply authenticate to affected devices with these credentials and gain fully privileged access.