
Multiple Vulnerabilities in Drupal Could Allow for Security Bypass

MS-ISAC ADVISORY NUMBER:

2015-067

DATE(S) ISSUED:

06/18/2015

OVERVIEW:

Multiple vulnerabilities have been discovered in Drupal core modules. Drupal is an open source content management system (CMS) written in PHP.

Successful exploitation of these vulnerabilities could allow an unauthorized user to hijack other user accounts, including ones with administrative privileges; redirect users to potentially malicious sites; or disclose private information.

THREAT INTELLIGENCE:

There are currently no known exploits in the wild.

SYSTEMS AFFECTED:

  • Drupal core 6.x versions prior to 6.36
  • Drupal core 7.x versions prior to 7.38

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: HIGH

TECHNICAL SUMMARY:

Drupal core modules are prone to multiple vulnerabilities. These vulnerabilities are as follows:

  • User impersonation/access bypass in the OpenID module (CVE-2015-3234)
  • Open redirect in the Field UI and Overlay modules (CVE-2015-3232, CVE-2015-3233)
  • Information disclosure in the Render cache system (CVE-2015-3231)

Successful exploitation of these vulnerabilities could allow an unauthorized user to hijack other user accounts, including ones with administrative privileges; redirect users to potentially malicious sites; or disclose private information.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Update Drupal core to the latest version, after appropriate testing.
  • Run all software as a non-privileged user to diminish the effects of a successful attack.
  • Limit user account privileges to only those required.
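A version check that a defender can run against an installed Drupal core to confirm it is outside the affected ranges above (6.x prior to 6.36, 7.x prior to 7.38). This is an added example, not code from the advisory or from the Drupal project; it assumes the VERSION constant is defined in includes/bootstrap.inc (7.x) or modules/system/system.module (6.x), and the sample source text is constructed.

```python
import os
import re

# Affected ranges from the advisory: a branch is fixed at or above these versions.
FIXED_VERSIONS = {6: (6, 36), 7: (7, 38)}

# Assumed locations of the VERSION constant per branch (7.x, then 6.x).
VERSION_FILES = ["includes/bootstrap.inc", "modules/system/system.module"]

VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(text):
    """Extract Drupal's VERSION constant from PHP source text.
    '7.37' -> (7, 37); dev snapshots such as '7.x-dev' return None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = m.group(1).split("-")[0].split(".")
    try:
        return tuple(int(p) for p in parts)
    except ValueError:
        return None


def is_affected(version):
    """True if the parsed version lies in an affected range; False if fixed or
    on a branch the advisory does not list; None if it could not be compared."""
    if version is None or len(version) < 2:
        return None  # unknown: needs manual review
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return False  # branch (e.g. 8.x) not covered by this advisory
    return version < fixed


def check_install(root):
    """Locate the VERSION constant under a Drupal root and classify it."""
    for rel in VERSION_FILES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            return version, is_affected(version)
    return None, None


if __name__ == "__main__":
    # Constructed sample of the line found in a 7.37 bootstrap.inc.
    sample = "<?php\ndefine('VERSION', '7.37');\n"
    v = parse_version(sample)
    print("%s affected: %s" % (".".join(map(str, v)), is_affected(v)))
```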

REFERENCES:
