
Multiple Vulnerabilities in Drupal Could Allow for Security Bypass

MS-ISAC ADVISORY NUMBER:

2015-067

DATE(S) ISSUED:

06/18/2015

OVERVIEW:

Multiple vulnerabilities have been discovered in Drupal core modules. Drupal is an open source content management system (CMS) written in PHP.

Successful exploitation of these vulnerabilities could allow an attacker to hijack other users' accounts, including accounts with administrative privileges, to redirect users to potentially malicious sites, or to disclose private information.

THREAT INTELLIGENCE:

There are currently no known exploits in the wild.

SYSTEMS AFFECTED:

  • Drupal core 6.x versions prior to 6.36
  • Drupal core 7.x versions prior to 7.38

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
  • HIGH

TECHNICAL SUMMARY:

Drupal core modules are prone to multiple vulnerabilities. These vulnerabilities are as follows:

  • User impersonation/access bypass in the OpenID module (CVE-2015-3234)
  • Open redirect in the Field UI and Overlay modules (CVE-2015-3232, CVE-2015-3233)
  • Information disclosure in the render cache system (CVE-2015-3231)

Successful exploitation of these vulnerabilities could allow an attacker to hijack other users' accounts, including accounts with administrative privileges, to redirect users to potentially malicious sites, or to disclose private information.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Update Drupal core to a fixed release (6.36 or later for the 6.x branch, 7.38 or later for the 7.x branch), after appropriate testing.
  • Run all software as a non-privileged user to diminish the effects of a successful attack.
  • Limit user account privileges to only those required.
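Before updating, confirm which branch and minor release each site is actually running. The following shell script is an added example and is not part of this advisory or of the Drupal project: it reads the VERSION constant that Drupal core defines (in includes/bootstrap.inc for Drupal 7, in modules/system/system.module for Drupal 6) and compares it against the fixed releases listed under SYSTEMS AFFECTED. The sample bootstrap.inc it writes to a temporary file is constructed for the demonstration; on a real install point drupal_version_file at the site's own file.

```shell
#!/bin/sh
# Added example (not from the MS-ISAC advisory or the Drupal project).
# Checks a Drupal core version against the affected ranges in this advisory:
# 6.x before 6.36 and 7.x before 7.38.

FIXED_6=36   # 6.36 is the first fixed 6.x release
FIXED_7=38   # 7.38 is the first fixed 7.x release

# drupal_version_file FILE
# Print the version from a core file containing: define('VERSION', '7.37');
# Drupal 7: includes/bootstrap.inc   Drupal 6: modules/system/system.module
drupal_version_file() {
  sed -n "s/^define('VERSION', *'\([^']*\)');.*/\1/p" "$1" | head -n 1
}

# drupal_affected VERSION
# Exit status: 0 = in the advisory's affected range, 1 = not affected,
# 2 = branch not covered by this advisory or unparseable version string.
drupal_affected() {
  ver=$1
  case $ver in *.*) ;; *) return 2 ;; esac
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%[!0-9]*}      # leading digits of the minor part
  suffix=${rest#"$minor"}     # e.g. "-dev" or "-rc1"; empty for a release
  [ -n "$minor" ] || return 2
  case $major in
    6) fixed=$FIXED_6 ;;
    7) fixed=$FIXED_7 ;;
    *) return 2 ;;            # 5.x/8.x are not listed in this advisory
  esac
  if [ "$minor" -lt "$fixed" ]; then
    return 0
  fi
  # Conservative choice (assumption): a pre-release tag of the fixed minor,
  # such as 7.38-dev, is treated as predating the fix.
  if [ "$minor" -eq "$fixed" ] && [ -n "$suffix" ]; then
    return 0
  fi
  return 1
}

# report_site FILE  -- print a one-line verdict for the core file at FILE
report_site() {
  v=$(drupal_version_file "$1")
  if [ -z "$v" ]; then
    echo "$1: no VERSION definition found"
    return 2
  fi
  if drupal_affected "$v"; then
    echo "Drupal $v: AFFECTED, update to 6.36/7.38 or later"
    return 0
  else
    echo "Drupal $v: not in the range listed by this advisory"
    return 1
  fi
}

# Demonstration on a constructed sample of a Drupal 7.37 includes/bootstrap.inc.
demo() {
  sample=$(mktemp)
  printf '%s\n' "<?php" "define('VERSION', '7.37');" \
    "define('DRUPAL_CORE_COMPATIBILITY', '7.x');" > "$sample"
  report_site "$sample"
  rc=$?
  rm -f "$sample"
  return $rc
}

demo || true
```

On a live server the equivalent one-liner is `drupal_version_file /path/to/drupal/includes/bootstrap.inc` (Drupal 7) or `drupal_version_file /path/to/drupal/modules/system/system.module` (Drupal 6); `drush status` also reports the running core version where drush is installed. Exit status 2 flags installs the advisory does not cover, so they can be checked against their own release notes instead of being silently passed.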

REFERENCES:
