'You're updated!' Drupal says, with fingers crossed behind back

Next Drupalgeddon is really gonna sting


Drupal installations could be out of date and open to attack thanks to a borked update process that flags unpatched platforms as current.

The popular content management system is used by more than a million sites, making it a significant target for hackers.

Indeed, in October 2014 attackers took mere hours to compromise untold piles of sites whose admins had failed to apply a patch against a dangerous SQL injection flaw (SA-CORE-2014-005).

Drupal at the time went as far as to tell admins to assume that any site not patched within hours of the advisory had already been compromised.

All new Drupal installs are affected by the borked update mechanism and fixes are not yet available. Drupal has been informed of the risk.

IOActive research man Fernando Arnaboldi says sites are now at risk of future attack because Drupal 7 and 8 installations are being marked as up to date even when the check for available updates fails, for example because the site cannot reach Drupal's update server.

"Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning," Arnaboldi says.

"The issue was due to some sort of network problem.

"...in Drupal 6 there was a warning message in place, but this is not present in Drupal 7 or Drupal 8."

Arnaboldi found other flaws, including that the update check is performed over HTTP rather than HTTPS, opening the door to man-in-the-middle attacks on public networks.

An attacker in that position could, thanks to a known cross-site request forgery hole in Drupal versions prior to 8, trigger a manual update that pulls in a backdoored copy of the platform.

They could also cause installations to issue infinite update requests, chewing bandwidth.

Failures to verify the legitimacy of downloaded updates could also lead to remote code execution, according to Arnaboldi. ®
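The three weaknesses described above (a failed check reported as "up to date", a release feed fetched over plain HTTP, and downloads that are never verified) all come down to an updater that fails open. The following is an added example written for this page, not code from Drupal or from IOActive's research; it shows how a fail-closed check behaves. The feed XML, the URLs, the version numbers and the field names are constructed for the example and only loosely modelled on the release-history feed Drupal fetches.

```python
"""Fail-closed update check (added example; not Drupal's or IOActive's code).

Three properties the article says Drupal 7/8 lack:
  1. a fetch or parse failure yields UNKNOWN, never UP_TO_DATE;
  2. feed and download URLs must be https://, so an on-path attacker
     cannot substitute a release list or a tarball;
  3. a downloaded archive is accepted only if its SHA-256 matches a
     digest the operator pinned out of band.
"""
import enum
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse


class Status(enum.Enum):
    UP_TO_DATE = "up to date"
    UPDATE_AVAILABLE = "update available"
    UNKNOWN = "could not check for updates"  # fail closed, not "up to date"


# Constructed sample feed: field names are assumptions, not Drupal's exact schema.
SAMPLE_FEED = b"""<?xml version="1.0" encoding="utf-8"?>
<project>
  <short_name>drupal</short_name>
  <releases>
    <release>
      <version>7.44</version>
      <download_link>https://ftp.example.org/drupal-7.44.tar.gz</download_link>
    </release>
    <release>
      <version>7.43</version>
      <download_link>https://ftp.example.org/drupal-7.43.tar.gz</download_link>
    </release>
  </releases>
</project>
"""


def parse_version(version):
    """'7.44' -> (7, 44). Anything non-numeric raises instead of being guessed."""
    return tuple(int(part) for part in version.split("."))


def is_https_url(url):
    """True only for an absolute https:// URL; plain http:// is rejected."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def check_status(installed, fetch):
    """Return (Status, latest_version or None).

    `fetch` is a callable that returns the feed bytes or raises on failure.
    Network errors, unparseable XML, unparseable versions and an empty
    release list all map to UNKNOWN so the UI shows a warning, not a tick.
    """
    try:
        root = ET.fromstring(fetch())
        versions = [v for v in (r.findtext("version") for r in root.iter("release")) if v]
        if not versions:
            return Status.UNKNOWN, None
        latest = max(versions, key=parse_version)
        if parse_version(latest) > parse_version(installed):
            return Status.UPDATE_AVAILABLE, latest
        return Status.UP_TO_DATE, latest
    except (OSError, ET.ParseError, ValueError):
        return Status.UNKNOWN, None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_archive(data, pinned_sha256):
    """True only if the archive bytes match the digest pinned by the operator."""
    return sha256_hex(data) == pinned_sha256.lower()


def fetch_ok():
    return SAMPLE_FEED


def fetch_fails():
    raise OSError("connection refused")  # simulated dead link to the update server


if __name__ == "__main__":
    print(check_status("7.43", fetch_ok))    # update available, 7.44
    print(check_status("7.44", fetch_ok))    # up to date
    print(check_status("7.43", fetch_fails)) # UNKNOWN: warn, do not say "up to date"
    print(is_https_url("http://updates.example.org/release-history/drupal/7.x"))  # False
```

Any failure to fetch or parse the feed comes back as `UNKNOWN`, which the admin page should render as a warning rather than a green tick; `is_https_url` refuses the plain-HTTP fetch Arnaboldi criticised; and `verify_archive` rejects an archive whose digest does not match one pinned out of band, the kind of check whose absence lets a swapped tarball turn into code execution.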

