Drupal Patches Critical Remote Code Execution Flaw in Its Core - Updated with Technical Details

Critical remote code execution bug fixed in Drupal core
If you run a Drupal CMS website, it is time to update your Drupal version immediately: the Drupal security team has recently patched a critical remote code execution bug in Drupal core.

The bug, reported by Samuel Mortenson of the Drupal security team and identified as CVE-2019-6340, is rated highly critical. It is a remote code execution vulnerability in Drupal core: some field types do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution in some cases.

In the advisory, the Drupal team said a site is only affected by this bug if one of the following conditions is met:
  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
  • The site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
Furthermore, the advisory gives the following guidance for mitigating the issue:
  • If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
  • If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
  • Be sure to install any available security updates for contributed projects after updating Drupal core.
  • No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.
It is also recommended to disable all web services modules, or to configure your web server(s) to not allow PUT/PATCH/POST requests to web services resources. Note that web services resources may be available on multiple paths depending on the configuration of your server(s). For Drupal 7, for example, resources are typically available both via paths (clean URLs) and via arguments to the "q" query argument. For Drupal 8, paths may still function when prefixed with index.php/.
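The path aliases the advisory warns about are easy to miss when blocking methods at the web server. As an added example (not Drupal's or the advisory's code), this Python helper resolves a request to the route it really targets before applying the PUT/PATCH/POST policy, then audits constructed access-log lines with it; the WS_PREFIXES and the log lines are assumptions, not values from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Methods the advisory says should not reach web services resources.
BLOCKED_METHODS = {"PUT", "PATCH", "POST"}

# Assumed route prefixes for a hypothetical site; operators must supply their
# own ("/jsonapi" stands in for Drupal 8 JSON:API, "/api" for Drupal 7 Services).
WS_PREFIXES = ("/jsonapi", "/api")

def normalize_path(url: str) -> str:
    """Resolve the route a request really targets, covering the two aliases the
    advisory notes: an index.php/ prefix (Drupal 8) and the q= argument (Drupal 7)."""
    parts = urlsplit(url)
    path = parts.path
    if path.startswith("/index.php/"):
        path = path[len("/index.php"):]
    elif path in ("/", "/index.php"):
        q = parse_qs(parts.query).get("q")
        if q:
            path = "/" + q[0].lstrip("/")
    return path.rstrip("/") or "/"

def is_web_service_route(path: str, prefixes=WS_PREFIXES) -> bool:
    return any(path == p or path.startswith(p + "/") for p in prefixes)

def should_block(method: str, url: str, prefixes=WS_PREFIXES) -> bool:
    """Policy decision: block write methods aimed at web services routes only."""
    return (method.upper() in BLOCKED_METHODS
            and is_web_service_route(normalize_path(url), prefixes))

# Constructed access-log lines (common log format) used as demonstration input.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Feb/2019:10:00:01 +0000] "GET /node/1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [21/Feb/2019:10:00:02 +0000] "POST /jsonapi/node/article HTTP/1.1" 201 128',
    '203.0.113.5 - - [21/Feb/2019:10:00:03 +0000] "PATCH /index.php/jsonapi/node/article/1 HTTP/1.1" 200 64',
    '203.0.113.5 - - [21/Feb/2019:10:00:04 +0000] "POST /index.php?q=api/node HTTP/1.1" 200 64',
    '203.0.113.5 - - [21/Feb/2019:10:00:05 +0000] "GET /jsonapi/node/article HTTP/1.1" 200 2048',
]
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/')

def audit_log(lines, prefixes=WS_PREFIXES):
    """Return (method, resolved route) for each logged request the policy would block."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and should_block(m.group(1), m.group(2), prefixes):
            flagged.append((m.group(1), normalize_path(m.group(2))))
    return flagged
```

Running `audit_log(SAMPLE_LOG)` flags the three write requests, including the two that a naive prefix match on the raw request path would let through.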

Technical Details -
After the Drupal team released the advisory for the bug, researchers from Tencent Security Cloud Ding Laboratory started digging into the issue.

In their research they found that the vulnerability is triggered when RESTful Web Services is enabled and POST/PATCH requests are allowed.

Depending on the Drupal configuration, this vulnerability may be triggered without any permissions, but this is not universal. Once the vulnerability is exploited, an attacker can execute arbitrary PHP code directly on the web server, compromising the server and exposing user information.

In their blog post they noted that the root cause of the bug lies in a deserialization operation; an attacker can abuse this deserialization to execute arbitrary code on the server.
The researchers also shared a PoC video showing a calculator popping on the server system.