Drupal releases fix for critical vulnerability with known exploits

Drupal has released a security update to address a critical vulnerability in a third-party library with documented or deployed exploits available in the wild.

“The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal,” the Drupal security team said.

Drupal is used by roughly 2.4% of all sites with content management systems, which makes it the Internet’s fifth most popular CMS, after WordPress (64.1%), Shopify (5.2%), Joomla (3.5%), and Squarespace (2.5%).

Security updates for all affected versions

According to Drupal’s security advisory, the vulnerability is caused by a bug, tracked as CVE-2020-36193, in the PEAR Archive_Tar library used by the CMS.

The bug causes out-of-path extraction vulnerabilities via “write operations with Directory Traversal due to inadequate checking of symbolic links.”

Successful exploitation requires access to user accounts with basic permissions on servers with uncommon module configurations.

Exploiting the Drupal vulnerability is only possible if the CMS is configured to allow and process .tar, .tar.gz, .bz2, or .tlz file uploads.
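The symlink-based traversal described above is a property of the archive itself, so it can be caught before any file is written. The following is an added example (not Drupal's or Archive_Tar's code) of a pre-extraction scan in Python: it walks the entries of an in-memory tar and flags any entry whose path or link target leaves the extraction root, and any later entry whose path runs through a link created earlier in the same archive. The function names, the `build_archive` helper and the two sample archives are constructed for this illustration.

```python
"""Pre-extraction scan for the tar traversal class described in the article:
link entries that point outside the extraction root, and later entries that
write through such a link.  Example code, not Drupal's or Archive_Tar's."""
import io
import posixpath
import tarfile


def _relative(path: str) -> str:
    """Normalize an archive path; a leading '/' is dropped so absolute names
    are judged as if they were extracted under the root."""
    return posixpath.normpath(path.lstrip("/"))


def _escapes_root(rel: str) -> bool:
    return rel == ".." or rel.startswith("../")


def find_unsafe_entries(archive_bytes: bytes) -> list:
    """Return (entry name, reason) for every entry that would write or link
    outside the extraction root.  An empty list means the archive passed.
    Mode 'r:*' autodetects plain, gzip and bzip2 tarballs."""
    problems = []
    link_paths = set()  # every symlink/hardlink path seen so far, safe or not
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            name = _relative(member.name)
            if member.name.startswith("/") or _escapes_root(name):
                problems.append((member.name, "path escapes extraction root"))
                continue
            # A parent component that is a link created earlier in the same
            # archive redirects this entry's write to the link target.
            parts = name.split("/")
            through = next(("/".join(parts[:i]) for i in range(1, len(parts))
                            if "/".join(parts[:i]) in link_paths), None)
            if through is not None:
                problems.append((member.name, f"written through link {through!r}"))
                continue
            if member.issym() or member.islnk():
                link_paths.add(name)
                if member.issym():
                    # symlink targets are relative to the link's own directory
                    target = posixpath.normpath(
                        posixpath.join(posixpath.dirname(name), member.linkname))
                else:
                    # hard link targets are relative to the archive root
                    target = _relative(member.linkname)
                if member.linkname.startswith("/") or _escapes_root(target):
                    problems.append(
                        (member.name, f"link target {member.linkname!r} escapes root"))
    return problems


def build_archive(entries) -> bytes:
    """Build an in-memory tar from (name, kind, payload) tuples; kind is
    'file' (payload = contents), 'dir', or 'sym' (payload = link target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                info.type = tarfile.DIRTYPE if kind == "dir" else tarfile.SYMTYPE
                info.linkname = payload or ""
                tar.addfile(info)
    return buf.getvalue()


# Constructed samples for the check above (not real uploads).
SAFE_ARCHIVE = build_archive([
    ("site", "dir", None),
    ("site/index.html", "file", "<h1>hello</h1>"),
    ("site/latest", "sym", "index.html"),      # link stays inside the root
])
TRAVERSAL_ARCHIVE = build_archive([
    ("escape", "sym", "../../outside"),        # link leaves the root ...
    ("escape/note.txt", "file", "x"),          # ... and this write follows it
    ("../../outside.txt", "file", "x"),        # plain '..' traversal
])

if __name__ == "__main__":
    for label, data in (("safe", SAFE_ARCHIVE), ("traversal", TRAVERSAL_ARCHIVE)):
        print(label, find_unsafe_entries(data))
```

The scan is deliberately conservative: any write through an archive-created link is rejected, even when the link itself stays inside the root, because the check runs on the archive listing rather than on the filesystem and cannot see what the link will resolve to at extraction time.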

Following exploitation, attackers can modify or delete all data and can also gain access to all non-public data available on the compromised server.

Drupal recommends installing the following updates on affected servers:

“Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage,” Drupal’s security team added.

This vulnerability is related to another critical security flaw with known exploits caused by the CVE-2020-28948 bug in the PEAR Archive_Tar library that could allow for arbitrary PHP code execution on some CMS versions.

Drupal issued an out-of-band emergency security update to fix it in November, allowing admins to quickly patch their servers and defend them against potential attacks.

Mitigation available

Mitigation measures are available for admins who cannot immediately deploy the security update on their Drupal servers.

To do that, they are advised to disable uploads of .tar, .tar.gz, .bz2, or .tlz files to temporarily mitigate the issue.

DHS-CISA has also issued an alert on Thursday urging admins and users to upgrade Drupal to block attackers from taking over unpatched servers.

Drupal also patched another critical remote code execution vulnerability, tracked as CVE-2020-13671, which allowed attackers to execute malicious code on vulnerable servers due to improper filename sanitization for uploaded files.

“Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions: phar, PHP, pl, py, cgi, asp, js, HTML, htm, and phtml,” Drupal said at the time.

“This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis.”
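The point of the advisory's wording is that a filename like `report.php.txt` still contains a dangerous extension, so a check that looks only at the final extension misses it. The following is an added example in Python (not Drupal's code) that checks every extension segment against the list quoted above, neutralises dangerous inner segments by appending an underscore (the same general idea as Drupal's own filename munging, implemented independently here), and validates the final extension against an allow-list. The function names `dangerous_extensions`, `munge_filename` and `validate_upload` are this example's own.

```python
"""Flag and neutralise dangerous extensions anywhere in an uploaded filename.
Example code, not Drupal's own implementation."""

# The extensions the Drupal advisory quoted above lists as dangerous even
# when another extension follows them; the advisory says the list is not
# exhaustive, so extend it per deployment.
DANGEROUS_EXTENSIONS = frozenset(
    ["phar", "php", "pl", "py", "cgi", "asp", "js", "html", "htm", "phtml"]
)


def dangerous_extensions(filename: str) -> list:
    """Return every dangerous extension segment in the name, lower-cased and
    in order.  All segments after the first dot are checked, not just the
    last one, so 'report.PHP.txt' -> ['php']."""
    segments = filename.split(".")[1:]
    return [s.lower() for s in segments if s.lower() in DANGEROUS_EXTENSIONS]


def munge_filename(filename: str) -> str:
    """Append '_' to each dangerous *inner* segment so the stored name never
    contains e.g. '.php.' as a complete extension.  The final extension is
    left alone: the allow-list in validate_upload decides whether it is
    acceptable at all."""
    parts = filename.split(".")
    if len(parts) < 3:  # no inner extension to munge
        return filename
    base, inner, last = parts[0], parts[1:-1], parts[-1]
    inner = [s + "_" if s.lower() in DANGEROUS_EXTENSIONS else s for s in inner]
    return ".".join([base] + inner + [last])


def validate_upload(filename: str, allowed: set) -> tuple:
    """Return (ok, reason).  Rejects a final extension outside the allow-list
    and any dangerous inner extension that has not been munged."""
    last = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if last not in allowed:
        return (False, f"extension {last!r} not in allow-list")
    found = dangerous_extensions(filename)
    if found:
        return (False, f"inner extension(s) {found} not munged")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample names, not real uploads.
    for name in ("photo.jpg", "report.php.txt", "a.phtml.b.py.txt", "shell.php"):
        stored = munge_filename(name)
        print(f"{name:18} -> {stored:20} {validate_upload(stored, {'jpg', 'txt'})}")
```

Munging before storage and validating after are complementary: the allow-list stops outright executable uploads, while the segment check and underscore insertion remove the double-extension case that a server configured to execute `.php` anywhere in the name would otherwise act on.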