Because of a broken update procedure, installations of the Drupal CMS appear to be telling users that they are up to date while still running older software. As a result, the CMS is exposed to attacks in which malicious update packages are fed into the system and, in the worst case, the server itself is taken over.
All new Drupal installs are currently affected by the broken update process, and a solution is not yet available. Drupal has been informed of the problem with the content management system, which is used on more than one million websites worldwide.
The flaws were discovered by Fernando Arnaboldi, senior security researcher and consultant at IOActive, who says that sites are now at risk of future attack because Drupal 7 and 8 installations are being marked as up to date. Because of this, the failure to verify the legitimacy of downloaded updates could lead to remote code execution, according to Arnaboldi.
In a blog post Arnaboldi said, "Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning."
Pointing out two further flaws, Arnaboldi highlights that the update process runs over HTTP instead of HTTPS. This opens up the possibility of a man-in-the-middle attack over public Wi-Fi, for example.
Furthermore, thanks to a known cross-site request forgery hole in Drupal versions below 8, malicious users on public Wi-Fi networks could trigger a manual update pointing to their backdoored version of the platform.
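The failure mode described above is a status check that fails open: when the release feed cannot be fetched or parsed, the site is reported as current. The following is an added example, not code from the article or from Drupal, of how a fail-closed check behaves; the feed URL and the feed contents are constructed placeholders, and the feed format is only a simplified sketch.

```python
import re
from xml.etree import ElementTree as ET
from urllib.parse import urlparse

# Constructed sample in the rough shape of a release-history feed (not real Drupal data).
SAMPLE_FEED = """<project>
  <short_name>drupal</short_name>
  <releases>
    <release><version>7.43</version><status>published</status></release>
    <release><version>7.41</version><status>published</status></release>
  </releases>
</project>"""

def parse_version(version):
    """Turn a dotted version such as '7.43' into a comparable tuple of ints."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def latest_published(feed_xml):
    """Highest published version in the feed; raises if the feed is unusable."""
    root = ET.fromstring(feed_xml)
    versions = [rel.findtext("version") for rel in root.iter("release")
                if rel.findtext("status") == "published"]
    return max(versions, key=parse_version)   # ValueError on an empty feed

def update_status(installed, feed_url, fetch):
    """Return 'current', 'outdated' or 'unknown'.

    Fail closed: a plaintext feed URL, a network error or an unparsable
    response yields 'unknown', never 'current'. `fetch` is injected so the
    check can be exercised offline.
    """
    if urlparse(feed_url).scheme != "https":
        return "unknown"          # an HTTP feed can be tampered with in transit
    try:
        latest = latest_published(fetch(feed_url))
    except Exception:
        return "unknown"          # fetch or parse failure is not "up to date"
    if parse_version(installed) >= parse_version(latest):
        return "current"
    return "outdated"

def failing_fetch(url):
    """Stand-in for a fetch that hits a network error."""
    raise ConnectionError("simulated network failure for " + url)

FEED_URL = "https://updates.example.invalid/release-history/drupal/7.x"  # placeholder
```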
In an email to SCMagazineUK.com, John Smith, principal solution architect at Veracode, said, "It is highly concerning that potentially millions of sites have been left vulnerable to attack through issues with Drupal's update process. Applying security patches to software in a timely fashion is an essential part of any good security management process, and when this becomes unreliable it leaves users with an unknown and unmanaged risk in their environment."
He went on to say, "Amongst the Drupal community this will be an even more sensitive issue after many such websites were breached in 2014 within hours of disclosure of a SQL injection vulnerability, a common application vulnerability which for over a decade has been listed at the top of the industry standard OWASP Top 10. In those cases the sites that were compromised were ones that had failed to apply a critical security patch, but unfortunately now, due to failures with its update process, even its most security-conscious users are at risk of being compromised. With the shadow of Heartbleed still hanging over the open source community, it is essential that Drupal can assure its customers that all patches are up to scratch and can be deployed with confidence."
He added: "Web application attacks remain one of the most frequent patterns in confirmed breaches and account for up to 35 percent of breaches in some industries, according to the 2015 Verizon Data Breach Investigations Report."