Drupal fixes RCE and other Vulnerabilities
Drupal’s security team has fixed three vulnerabilities in the popular content management system’s core, one of which (CVE-2020-13663) could be exploited to achieve remote code execution.
What is Drupal?
Three security holes have been plugged with the latest versions of Drupal core (9.0.1):
1) CVE-2020-13664 is the most critical one, but it can only be triggered under certain circumstances.
2) CVE-2020-13665 is an access bypass flaw that can be exploited only on sites that have the read-only setting set to FALSE in the jsonapi.settings configuration.
How attackers exploit the vulnerability:
CVE-2020-13664 – “An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force remote code execution vulnerability,” Drupal’s security team explained, adding that Windows servers are most likely to be affected.
CVE-2020-13665 – The attacker can only exploit the vulnerability on sites that have the read-only setting set to FALSE in the jsonapi.settings configuration.
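The setting that decides whether CVE-2020-13665 is reachable lives in the jsonapi.settings config object. The following script is an added example, not code from the article or from Drupal core: it reads the read_only flag through Drupal's config API and, when the $FIX toggle is on, switches a FALSE value back to TRUE (the read-only, non-exposed state) and saves it. It assumes a bootstrapped Drupal 8.8+/9 site, for example run with `drush php:script`; the script and function names are hypothetical.

```php
<?php
// Added example (not from the article or Drupal core): audit the JSON:API
// read-only flag that CVE-2020-13665 depends on, optionally resetting it.
// Assumes a bootstrapped Drupal 8.8+/9 site, e.g.:
//   drush php:script jsonapi_read_only_audit.php
// The script name, $FIX toggle and function name are hypothetical.

declare(strict_types=1);

/**
 * Returns a small report on jsonapi.settings:read_only.
 * With $fix = TRUE, a FALSE value is switched back to TRUE and saved.
 */
function jsonapi_read_only_audit(bool $fix = FALSE): array {
  if (!\Drupal::moduleHandler()->moduleExists('jsonapi')) {
    // Nothing to audit: the JSON:API module is not enabled on this site.
    return ['jsonapi_enabled' => FALSE, 'read_only' => NULL, 'changed' => FALSE];
  }

  /** @var \Drupal\Core\Config\Config $config */
  $config = \Drupal::configFactory()->getEditable('jsonapi.settings');
  $readOnly = (bool) $config->get('read_only');
  $changed = FALSE;

  if (!$readOnly && $fix) {
    // Weak setting (exported YAML): read_only: false
    // Corrected setting:            read_only: true
    $config->set('read_only', TRUE)->save();
    $readOnly = TRUE;
    $changed = TRUE;
  }

  return ['jsonapi_enabled' => TRUE, 'read_only' => $readOnly, 'changed' => $changed];
}

// Set to TRUE to apply the corrected setting instead of only reporting it.
$FIX = FALSE;

$report = jsonapi_read_only_audit($FIX);
if (!$report['jsonapi_enabled']) {
  echo "jsonapi module not enabled; nothing to audit", PHP_EOL;
}
else {
  printf("jsonapi.settings:read_only = %s%s" . PHP_EOL,
    $report['read_only'] ? 'TRUE (write routes disabled)' : 'FALSE (write routes exposed)',
    $report['changed'] ? ' [changed]' : '');
}
```

The same check can be done from the command line with `drush config:get jsonapi.settings read_only`; the point of the script is to make the weak state (FALSE) and the corrected state (TRUE) explicit and to leave the flag at TRUE unless the site genuinely needs JSON:API write access.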
CVE-2020-13663 – “An attacker abusing this vulnerability can take over the administrator role of a Drupal-based website and get full control that allows changing of content, creating malicious links, stealing sensitive or financial data, or whatever else comes to mind.” Therefore, it is vulnerable to remote code execution (RCE).
8.8.x, 8.9.x and 9.0.x.
It is recommended to consider the following best practices:
1. Admins of Drupal-based sites are advised to upgrade to Drupal v7.72, 8.8.8, 8.9.1 or 9.0.1. Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
2. Drupal v7.x is still maintained and receives security updates, but it will reach end-of-life in November of 2021, so admins that use it are urged to start planning the upgrade to a newer version, preferably 9.x.
3. Keep Drupal core and its modules up to date.
4. To prevent remote code execution:
- Try to blacklist special characters or function names.
- Never pass user-controlled input into evaluation functions or callbacks.
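To make the last two points concrete, here is an added example (not code from the article or from Drupal) of a small PHP request dispatcher in both forms: one that hands a request parameter straight to call_user_func, and one that never treats user input as a callable and instead compares it against an allowlist of action names the application defined itself. The request arrays, action names and function names are constructed for the example.

```php
<?php
// Added example (not from the article or Drupal): dispatching a request
// parameter to a callback, first the unsafe way, then the hardened way.
// Requires PHP 8.0+ (mixed return type, arrow functions).

declare(strict_types=1);

/**
 * UNSAFE: the callback name is taken directly from the request, so any
 * function reachable by that name can be invoked. Defined here only to
 * contrast with dispatch_safe(); it is never called below.
 */
function dispatch_unsafe(array $request): mixed {
  $callback = (string) ($request['action'] ?? '');
  return call_user_func($callback, (string) ($request['arg'] ?? ''));
}

/**
 * HARDENED: user input is used only as a lookup key into an allowlist.
 * Each allowed name maps to a closure written by the application, so no
 * request value ever becomes a callable. Unknown names are rejected
 * outright rather than filtered with a blacklist.
 */
function dispatch_safe(array $request): string {
  static $actions = null;
  $actions ??= [
    'greet' => fn(string $arg): string =>
      'Hello, ' . htmlspecialchars($arg, ENT_QUOTES, 'UTF-8'),
    'count' => fn(string $arg): string => (string) strlen($arg),
  ];

  $name = (string) ($request['action'] ?? '');
  if (!array_key_exists($name, $actions)) {
    throw new InvalidArgumentException('unknown action: ' . $name);
  }
  return $actions[$name]((string) ($request['arg'] ?? ''));
}

// Constructed sample requests (what $_GET would hold). The third one
// carries an arbitrary PHP function name, which the allowlist rejects.
$requests = [
  ['action' => 'greet', 'arg' => 'admin'],
  ['action' => 'count', 'arg' => 'drupal'],
  ['action' => 'phpinfo', 'arg' => ''],
];

foreach ($requests as $req) {
  try {
    echo $req['action'], ' -> ', dispatch_safe($req), PHP_EOL;
  }
  catch (InvalidArgumentException $e) {
    echo $req['action'], ' -> rejected (', $e->getMessage(), ')', PHP_EOL;
  }
}
```

Run with `php dispatch.php`: the first two requests produce "Hello, admin" and "6", while the third is rejected because "phpinfo" is not a key in the allowlist. The design choice is that an allowlist of known action names fails closed, whereas a blacklist of characters or function names has to anticipate every spelling an attacker might use.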