I wish to give a respectful shout-out to the following security advisories and news articles for their coverage of the critical security vulnerabilities within Cisco IOS XE and the Drupal CMS (defined), released on the 28th and 29th of March respectively.
The backdoor (defined) account remediated by the Cisco IOS XE update could have allowed an unauthenticated attacker to remotely access an affected Cisco router or switch and carry out any action permitted by privilege level 15.
Meanwhile the Drupal vulnerability (dubbed “Drupalgeddon2”) is rated highly critical, since it is both remotely exploitable and easy for an attacker to leverage, allowing the attacker to carry out any action they choose.
Please follow the advice within the advisories linked below and update any affected installations of these products that your organisation may have:
In late February Drupal, the widely used website Content Management System (CMS)(defined), released security updates for versions 6, 7 and 8.
10 security issues were addressed by the released security updates, of the severities listed below:
6x moderately critical
3x less critical
Drupal users should upgrade to versions 6.38, 7.43 or 8.0.4 as appropriate. Further information and steps to install the updates are available in Drupal’s Security Advisory.
As noted by Drupal, version 6 has reached its end of life (EOL) and will no longer receive security updates. Further information is provided on this dedicated page.
Moreover, in early January Fernando Arnaboldi, a senior security consultant at IOActive, disclosed 3 security issues in a blog post. While these issues were responsibly disclosed to Drupal, at the time of writing Drupal has not addressed them. As advised within that blog post, those who administer Drupal installations may wish to manually download updates for Drupal and its add-ons in order to work around these issues until they are addressed.
Security updates for Drupal (the popular Content Management System (CMS)) modules were made available earlier this week.
Security advisories were published addressing 2 moderately critical issues found within these modules.
For the Twitter module, an issue was discovered that allowed any authenticated account to post tweets, rather than only the Twitter account belonging to the owner of the installed module. The issue would also allow any other account to delete the attached Twitter account. A partial mitigation is that an attacker would need to already have an account with a role allowing them to post to Twitter.
The second advisory concerns the use of the RESTful API (Application Programming Interface). Authenticated users could inadvertently have their pages cached as if they were anonymous users, which could potentially allow anonymous page requests to access pages that would otherwise be denied to them.
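The caching flaw described above is easiest to see with a small model of a shared page cache sitting in front of a CMS. The following is an added example, not Drupal's or the RESTful module's code; the page contents, paths and the user name "alice" are constructed. It contrasts a cache keyed only on the request path (which stores a response rendered for a logged-in session and then hands it to anonymous visitors) with one that keeps authenticated responses out of the shared cache altogether.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample content; these are placeholders, not real site pages.
PUBLIC_PAGES = {"/about": "public about page"}
PRIVATE_PAGES = {"/account/profile": "private profile data for the logged-in user"}


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # None models an anonymous visitor


def render(req: Request) -> Tuple[int, str]:
    """Backend handler: private pages require a logged-in session."""
    if req.path in PUBLIC_PAGES:
        return 200, PUBLIC_PAGES[req.path]
    if req.path in PRIVATE_PAGES:
        if req.session_user is None:
            return 403, "access denied"
        return 200, PRIVATE_PAGES[req.path]
    return 404, "not found"


class NaiveCache:
    """Weak: keys only on the path, so a response rendered for an
    authenticated user is stored and later served to anonymous visitors."""

    def __init__(self) -> None:
        self.store: Dict[str, Tuple[int, str]] = {}

    def get(self, req: Request) -> Tuple[int, str]:
        if req.path not in self.store:
            self.store[req.path] = render(req)
        return self.store[req.path]


class HardenedCache:
    """Fixed: responses for authenticated sessions bypass the shared cache,
    and only successful anonymous responses are stored in it."""

    def __init__(self) -> None:
        self.store: Dict[str, Tuple[int, str]] = {}

    def get(self, req: Request) -> Tuple[int, str]:
        if req.session_user is not None:
            return render(req)  # never populate the anonymous cache from a session
        if req.path not in self.store:
            status, body = render(req)
            if status != 200:
                return status, body  # do not cache denials or errors either
            self.store[req.path] = (status, body)
        return self.store[req.path]


def anonymous_status_after_login_view(cache_cls) -> int:
    """Scenario: a logged-in user views a private page, then an anonymous
    visitor requests the same path through the same cache. Returns the
    HTTP status the anonymous visitor receives."""
    cache = cache_cls()
    cache.get(Request("/account/profile", session_user="alice"))
    status, _ = cache.get(Request("/account/profile"))
    return status


if __name__ == "__main__":
    print("naive cache:", anonymous_status_after_login_view(NaiveCache))        # 200: private data leaked
    print("hardened cache:", anonymous_status_after_login_view(HardenedCache))  # 403: access denied
```

The same principle applies to a real reverse-proxy or CMS page cache: either the cache key must include the authentication state (for example by varying on the session cookie), or authenticated responses must be marked non-cacheable so that the anonymous cache is only ever populated by anonymous requests.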
How Can I Protect Myself From These Issues?
If you make use of either of the above-mentioned modules with Drupal, please follow the steps/links within the advisories listed below to resolve these issues:
Drupal, the very popular website Content Management System (CMS), released security updates earlier this month to resolve 5 security issues within versions 6 and 7 of their product.
Cross-site scripting (defined) issues were found in the Drupal.ajax() function (a set of instructions that carries out a specific action within a program) and within the autocomplete functionality of forms.
An SQL injection (defined) vulnerability was found in the SQL comment filtering system, which could allow a user with elevated privileges (once tricked or coerced by an attacker) to inject malicious code into SQL comments. Such SQL code injection usually results in a user seeing information that would normally be forbidden/denied to them.
A Cross-site Request Forgery (CSRF)(defined) issue within Drupal’s form API was found to allow the upload of a file by an attacker; however, this file would only have been available for 6 hours. Finally, an information disclosure issue was found where the titles of nodes (add-ons which are placed within the page viewed by the user) would be visible to a user who would not usually have access to them. The titles of the nodes would be visible on a page of the site that the user does have access to (namely, that page would contain additional information not normally visible).
Drupal users should upgrade to versions 6.37 or 7.39 (as appropriate) to resolve these issues. Further information and steps to install the updates are available in this Drupal Security Advisory.
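To show why filtering text that is placed inside a SQL comment is security-relevant, here is an added example (constructed code, not Drupal's own comment filter; the tagged query and the sample input are made up). A database layer that prefixes queries with a caller-supplied note must make sure the note can never close the comment, because anything after a `*/` is parsed as SQL. A single-pass removal of `*/` is not enough, since the characters on either side of a removed pair can join up into a new terminator; the hardened version repeats the removal until the text is stable.

```python
def naive_filter_comment(comment: str) -> str:
    """Weak: removes each '*/' once. Characters on either side of the removed
    pair can join up into a fresh terminator (e.g. '**//' becomes '*/')."""
    return comment.replace("*/", "")


def hardened_filter_comment(comment: str) -> str:
    """Strip '*/' and '/*' repeatedly until the text stops changing, so no
    comment delimiter can survive or be re-formed by the removal itself."""
    previous = None
    current = comment
    while current != previous:
        previous = current
        current = current.replace("*/", "").replace("/*", "")
    return current


def build_tagged_query(comment: str, filter_fn) -> str:
    """A database layer that prefixes a fixed query with a caller-supplied
    note inside a block comment (constructed query, for illustration only)."""
    return "/* " + filter_fn(comment) + " */ SELECT name FROM users WHERE uid = 1"


def comment_escapes(comment: str, filter_fn) -> bool:
    """True if the filtered text still contains '*/', meaning whatever follows
    it would be executed as SQL rather than ignored as part of the comment."""
    return "*/" in filter_fn(comment)


if __name__ == "__main__":
    sample = "**//"  # constructed: one removal of '*/' leaves a new '*/' behind
    print("naive   :", build_tagged_query(sample, naive_filter_comment))
    print("hardened:", build_tagged_query(sample, hardened_filter_comment))
```

A simpler and often better design is to reject, rather than rewrite, any note that contains a comment delimiter at all, and to restrict such notes to a short allow-list of characters; the loop above is shown because it is the minimal fix to the single-pass pattern.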
The very popular website Content Management System (CMS) Drupal has released security updates to resolve 3 security issues within version 7 of their product when the Open Semantic Framework (OSF) module is installed.
One issue is a Cross-site Scripting (XSS) vulnerability that can be exploited by visiting a specifically crafted URL (a website link), but only when the OSF Ontology module is installed and enabled within your website.
The second issue can be exploited using a Cross-Site Request Forgery (CSRF) attack that would allow the attacker to obtain the privileges of the logged-in Drupal user (who could be a Drupal administrator) to create new OSF datasets (most likely containing false or misleading data). Only websites that have the OSF Import module installed and enabled could be vulnerable to this issue.
The final issue is present in both the OSF Import and Ontology modules mentioned above and could allow an attacker to delete any file of their choice from your Content Management System (CMS).
All 3 issues involve a user or an administrator of the Content Management System visiting a specifically crafted URL (a website link). In order to reduce the risk of these issues being exploited (in conjunction with installing the necessary updates mentioned in the Drupal advisory), I would suggest using caution when clicking on any links in emails, instant messages or social networking posts when the links were received unexpectedly or the wording of such messages is suspicious. For shortened links, consider using a preview service to check the destination of the full link before visiting it. Links to preview services are available within the “Protecting Your PC” page of this blog.
Drupal users should upgrade to version 7.x-3.1 of the OSF module to resolve these issues. Further information and steps to install the updates are available in the Drupal Security Advisory.
The very popular website Content Management System Drupal has released security updates to resolve 4 CVEs within versions 6 and 7 of their product. The pervasiveness of Drupal, and thus the huge scale of the risks posed by these issues, is detailed in this blog post.
For a definition of the term CVE, please see the first short aside within this blog post.
The first security flaw, relating to the impersonation of legitimate users (of the Content Management System), is the only flaw rated critical by Drupal and should be patched/updated immediately. This flaw could allow a malicious user to log in as an authenticated user (i.e. a user who legitimately accesses the Content Management System) and could be especially severe if that authorized user has high privileges.
A further 2 less critical flaws could cause authenticated users to be redirected to 3rd-party websites of the attacker’s choice without the user’s consent/permission, and could place your users in danger of being exploited by other unpatched vulnerabilities on their devices. The final flaw is an information disclosure issue that could allow malicious users to view content that was previously cached by authenticated users (when they legitimately viewed it).
Drupal users should upgrade to versions 6.36 or 7.38 to resolve these issues. Further information and steps to install the updates are available in the Drupal Security Advisory.
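The redirect flaws described above belong to a class usually called open redirects: a site takes a destination from the request (for example a "destination" parameter after login) and sends the browser there without checking that it stays on the site. The following is an added example of the check a web application should apply before issuing such a redirect; it is constructed code, not Drupal's, and the host name "example.org" is a placeholder for the site's own host. It goes slightly beyond the text by also rejecting the scheme-relative and backslash forms that a naive "starts with a slash" test lets through.

```python
from urllib.parse import urlsplit

SITE_HOST = "example.org"  # placeholder for the application's own host name


def is_local_redirect(target: str, site_host: str = SITE_HOST) -> bool:
    """Accept only destinations that stay on this site.

    Rejects: empty targets; scheme-relative '//other.host/...' forms; the
    backslash variant '/\\other.host' that some clients normalise to '//';
    non-http(s) schemes such as 'javascript:'; and absolute URLs whose
    netloc differs from the site host (so 'https://example.org@other.host'
    style userinfo tricks and unexpected ports are refused as well).
    Relative paths without a leading slash are rejected to keep the rule
    simple; callers should supply site-absolute paths.
    """
    if not target:
        return False
    if target.startswith("/"):
        return not (target.startswith("//") or target.startswith("/\\"))
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    return parts.netloc.lower() == site_host.lower()


def safe_redirect(target: str, site_host: str = SITE_HOST, fallback: str = "/") -> str:
    """Return the requested destination if it passes the check, otherwise
    a fixed fallback such as the site front page."""
    return target if is_local_redirect(target, site_host) else fallback


if __name__ == "__main__":
    # Constructed sample destinations, as they might arrive in a query string.
    for candidate in ["/user/1", "//other.example/x", "https://example.org/node/5",
                      "https://other.example/", "javascript:void(0)"]:
        print(f"{candidate!r:40} -> {safe_redirect(candidate)!r}")
```

Comparing the whole netloc rather than just the host name is deliberately strict: it refuses destinations carrying a user-info prefix or a port, which are rarely legitimate in a redirect parameter and are a common way to disguise a foreign host.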