====================================================================
CERT-Renater Information Note No. 2016/VULN276
_____________________________________________________________________

DATE                 : 15/07/2016
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Drupal 7.x with the RESTWS, Coder or
                       Webform Multiple File Upload modules.
=====================================================================

https://www.drupal.org/psa-2016-001
https://www.drupal.org/node/2765567
https://www.drupal.org/node/2765575
https://www.drupal.org/node/2765573
____________________________________________________________________

Drupal contrib - Highly Critical - Remote code execution - PSA-2016-001
Posted by Drupal Security Team on July 12, 2016 at 3:18pm

Advisory ID: DRUPAL-PSA-2016-001
Project: Drupal contributed modules
Version: 7.x
Date: 2016-July-12
Security risk: 22/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution

Update: Release Announcements

The following modules have security releases that are now available, listed in order of severity. There are no more releases planned for today.

  RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040
  Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039
  Webform Multiple File Upload - Critical - Remote Code Execution - SA-CONTRIB-2016-038

Description

There will be multiple releases of Drupal contributed modules on Wednesday July 13th 2016 16:00 UTC that will fix highly critical remote code execution vulnerabilities (risk scores up to 22/25). These contributed modules are used on between 1,000 and 10,000 sites.

The Drupal Security Team urges you to reserve time for module updates at that time because exploits are expected to be developed within hours/days. Release announcements will appear at the standard announcement locations.

Drupal core is not affected. Not all sites will be affected.
You should review the published advisories on July 13th 2016 to see if any modules you use are affected.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Edited to add: approximate usage of the modules, links to the final releases, and that there are no more releases for today.

Categories: Drupal 7.x
____________________________________________________________________

RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040
Posted by Drupal Security Team on July 13, 2016 at 3:01pm

Advisory ID: DRUPAL-SA-CONTRIB-2016-040
Project: RESTful Web Services (third-party module)
Version: 7.x
Date: 2016-July-13
Security risk: 22/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution

Description

This module enables you to expose Drupal entities as RESTful web services.

RESTWS alters the default page callbacks for entities to provide additional functionality. A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution.

There are no mitigating factors. This vulnerability can be exploited by anonymous users.

CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  RESTful Web Services 7.x-2.x versions prior to 7.x-2.6.
  RESTful Web Services 7.x-1.x versions prior to 7.x-1.7.

Drupal core is not affected. If you do not use the contributed RESTful Web Services module, there is nothing you need to do.
Solution

Install the latest version:

  If you use the RESTful Web Services module for Drupal 7.x, upgrade to RESTful Web Services 7.x-2.6
  If you use the RESTful Web Services module for Drupal 7.x, upgrade to RESTful Web Services 7.x-1.7

Also see the RESTful Web Services project page.

Reported by
  Devin Zuczek

Fixed by
  Klaus Purer of the Drupal Security Team
  Wolfgang Ziegler the module maintainer

Coordinated by
  Klaus Purer of the Drupal Security Team
  Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Drupal 7.x
____________________________________________________________________

Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039
Posted by Drupal Security Team on July 13, 2016 at 2:59pm

Advisory ID: DRUPAL-SA-CONTRIB-2016-039
Project: Coder (third-party module)
Version: 7.x
Date: 2016-July-13
Security risk: 20/25 (Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution

Description

The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules.

The module doesn't sufficiently validate user inputs in a script file that has the php extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary php code.

There are no mitigating factors. The module does not need to be enabled for this to be exploited. Its presence on the file system and being reachable from the web are sufficient.
CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  Coder module 7.x-1.x versions prior to 7.x-1.3.
  Coder module 7.x-2.x versions prior to 7.x-2.6.

Drupal core is not affected. If you do not use the contributed Coder module, there is nothing you need to do.

Solution

Two solutions are possible.

A first option is to remove the module from all publicly available websites: The coder module is intended to be used in development environments and is not intended to be on publicly available servers. Therefore, one simple solution is to remove the entire coder module directory from any publicly accessible website.

A second option is to install the latest version:

  If you use the Coder module for Drupal 7.x, upgrade to Coder 7.x-1.3 or Coder 7.x-2.6.

Also see the Coder project page.

Reported by
  Nicky Bloor

Fixed by
  Jim Berry the module maintainer
  David Rothstein of the Drupal Security Team

Coordinated by
  Greg Knaddison of the Drupal Security Team
  Michael Hess of the Drupal Security Team
  Klaus Purer of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Drupal 7.x
____________________________________________________________________

Webform Multiple File Upload - Critical - Remote Code Execution - SA-CONTRIB-2016-038
Posted by Drupal Security Team on July 13, 2016 at 2:58pm

Advisory ID: DRUPAL-SA-CONTRIB-2016-038
Project: Webform Multiple File Upload (third-party module)
Version: 7.x
Date: 2016-July-13
Security risk: 17/25 (Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Arbitrary PHP code execution

Description

The Webform Multiple File Upload module allows users to upload multiple files on a Webform.

The Webform Multiple File Upload module contains a Remote Code Execution (RCE) vulnerability: form inputs are unserialized, so a specially crafted form input may trigger arbitrary code execution, depending on the libraries available on a site.

This vulnerability is mitigated by the fact that an attacker must have the ability to submit a Webform with a Multiple File Input field. Further, a site must have an object defined with methods that are invoked at wake/destroy that include code that can be leveraged for malicious purposes. Drupal 7 Core contains one such class which can be used to delete arbitrary files, but contributed or custom classes may include methods that can be leveraged for RCE.

Note: this vulnerability exists in the Webform Multiple File Upload (webform_multifile) module. There is a similarly named module Webform Multiple File (webform_multiple_file) which is not related to this issue.

CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  Webform Multifile 7.x-1.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Webform Multiple File Upload module, there is nothing you need to do.
Solution

Install the latest version:

  If you use the Webform Multifile module for Drupal 7.x, upgrade to Webform Multiple File Upload 7.x-1.4

Also see the Webform Multiple File Upload project page.

Reported by
  Ben Dougherty of the Drupal Security Team

Fixed by
  Jelle Sebreghts the module maintainer
  Peter Droogmans the module maintainer

Coordinated by
  Ben Dougherty of the Drupal Security Team
  Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Drupal 7.x

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44                +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41                +
+ 75013 Paris           | email: cert@support.renater.fr      +
==========================================================
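The three advisories above give the first fixed release of each module, and the PSA asks administrators to check which of their sites carry an affected module. The following POSIX shell script is an editor's example added after the bulletin; it is not part of the CERT-Renater note or of the Drupal advisories. It walks a Drupal 7 docroot, reads the `version = "7.x-N.M"` line that drupal.org packaging writes into each module's `.info` file, and reports whether the installed RESTWS, Coder and Webform Multiple File Upload releases are below the fixed versions. Assumptions: modules were installed from drupal.org packages (a module with no version line, a `-dev` snapshot, or a branch the advisories do not cover is reported as UNKNOWN rather than guessed), and Coder is flagged even when patched, because SA-CONTRIB-2016-039 recommends removing it from publicly reachable sites regardless of version. The sample docroot built under `mktemp` is constructed for the demonstration and contains no real module code.

```shell
#!/bin/sh
# Audit a Drupal 7 docroot for the modules named in DRUPAL-PSA-2016-001.
# Fixed releases come from SA-CONTRIB-2016-038/039/040; everything else is
# an editor's example with the assumptions noted inline.

# fixed_minor MODULE BRANCH -> first fixed minor release on that 7.x branch
fixed_minor() {
  case "$1/$2" in
    restws/1)            echo 7 ;;   # RESTWS 7.x-1.7
    restws/2)            echo 6 ;;   # RESTWS 7.x-2.6
    coder/1)             echo 3 ;;   # Coder 7.x-1.3
    coder/2)             echo 6 ;;   # Coder 7.x-2.6
    webform_multifile/1) echo 4 ;;   # Webform Multiple File Upload 7.x-1.4
    *)                   echo "" ;;  # branch not covered by the advisories
  esac
}

# module_status MODULE VERSION -> FIXED | VULNERABLE | UNKNOWN
# VERSION is the drupal.org packaging string, e.g. 7.x-2.5. Dev snapshots
# (7.x-2.x-dev, 7.x-2.5+3-dev) cannot be placed reliably, so they are UNKNOWN.
module_status() {
  ms_mod=$1
  ms_ver=$2
  case "$ms_ver" in
    *-dev)             echo UNKNOWN; return 0 ;;
    7.x-[0-9]*.[0-9]*) ;;
    *)                 echo UNKNOWN; return 0 ;;
  esac
  ms_rest=${ms_ver#7.x-}           # 2.5
  ms_branch=${ms_rest%%.*}         # 2
  ms_minor=${ms_rest#*.}           # 5 (or 5.1, 5+3 ...)
  ms_minor=${ms_minor%%[!0-9]*}    # keep the leading digits only
  ms_need=$(fixed_minor "$ms_mod" "$ms_branch")
  if [ -z "$ms_need" ]; then
    echo UNKNOWN
  elif [ "$ms_minor" -ge "$ms_need" ]; then
    echo FIXED
  else
    echo VULNERABLE
  fi
}

# scan_docroot DIR -> one line per affected module found:
#   <path to .info> <module> <version> <status>
scan_docroot() {
  find "$1" -type f \( -name restws.info -o -name coder.info \
                       -o -name webform_multifile.info \) |
  while IFS= read -r sd_info; do
    sd_mod=$(basename "$sd_info" .info)
    # drupal.org packaging appends a line such as: version = "7.x-2.5"
    sd_ver=$(sed -n 's/^version *= *"\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p' "$sd_info" | head -n 1)
    [ -n "$sd_ver" ] || sd_ver=unpackaged
    sd_status=$(module_status "$sd_mod" "$sd_ver")
    # Coder is a development tool; SA-CONTRIB-2016-039 says to remove it from
    # publicly reachable sites even when it is patched.
    if [ "$sd_mod" = coder ] && [ "$sd_status" = FIXED ]; then
      sd_status=FIXED-but-remove
    fi
    echo "$sd_info $sd_mod $sd_ver $sd_status"
  done
}

# demo_scan -> runs the audit over a constructed sample docroot (not a real site)
demo_scan() {
  ds_root=$(mktemp -d)
  ds_mods=$ds_root/sites/all/modules
  mkdir -p "$ds_mods/restws" "$ds_mods/coder" "$ds_mods/webform_multifile"
  # constructed .info files: one vulnerable, one patched Coder, one dev snapshot
  printf 'name = RESTful Web Services\ncore = 7.x\nversion = "7.x-2.5"\n' \
    > "$ds_mods/restws/restws.info"
  printf 'name = Coder\ncore = 7.x\nversion = "7.x-1.3"\n' \
    > "$ds_mods/coder/coder.info"
  printf 'name = Webform Multiple File Upload\ncore = 7.x\nversion = "7.x-1.x-dev"\n' \
    > "$ds_mods/webform_multifile/webform_multifile.info"
  scan_docroot "$ds_root" | sort
  rm -rf "$ds_root"
}

demo_scan
```

On a real host, replace the `demo_scan` call with `scan_docroot /path/to/drupal/docroot`; any line ending in VULNERABLE or UNKNOWN needs a human look, and a `coder` line is worth acting on whatever its status, since the Coder advisory's first remedy is removal from public servers.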