Debian DSA-3075-1 : drupal7 - security update

2014-11-2100:00:00

www.tenable.com

Two vulnerabilities were discovered in Drupal, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following issues :

CVE-2014-9015 Aaron Averill discovered that a specially crafted request can give a user access to another user’s session, allowing an attacker to hijack a random session.
CVE-2014-9016 Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that the password hashing API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

Custom configured session.inc and password.inc need to be audited as well to verify if they are prone to these vulnerabilities. More information can be found in the upstream advisory at

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-3075. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(79362);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  script_cve_id("CVE-2014-9015", "CVE-2014-9016");
  script_bugtraq_id(71195);
  script_xref(name:"DSA", value:"3075");

  script_name(english:"Debian DSA-3075-1 : drupal7 - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Two vulnerabilities were discovered in Drupal, a fully-featured
content management framework. The Common Vulnerabilities and Exposures
project identifies the following issues :

  - CVE-2014-9015
    Aaron Averill discovered that a specially crafted
    request can give a user access to another user's
    session, allowing an attacker to hijack a random
    session.

  - CVE-2014-9016
    Michael Cullum, Javier Nieto and Andres Rojas Guerrero
    discovered that the password hashing API allows an
    attacker to send specially crafted requests resulting in
    CPU and memory exhaustion. This may lead to the site
    becoming unavailable or unresponsive (denial of
    service).

Custom configured session.inc and password.inc need to be audited as
well to verify if they are prone to these vulnerabilities. More
information can be found in the upstream advisory at"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2014-9015"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2014-9016"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/wheezy/drupal7"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2014/dsa-3075"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the drupal7 packages.

For the stable distribution (wheezy), these problems have been fixed
in version 7.14-2+deb7u8."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:drupal7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/11/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"7.0", prefix:"drupal7", reference:"7.14-2+deb7u8")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

VendorProductVersionCPE
debiandebian_linuxdrupal7p-cpe:/a:debian:debian_linux:drupal7
debiandebian_linux7.0cpe:/o:debian:debian_linux:7.0

Vendor	Product	Version	CPE
debian	debian_linux	drupal7	p-cpe:/a:debian:debian_linux:drupal7
debian	debian_linux	7.0	cpe:/o:debian:debian_linux:7.0

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9015

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9016

packages.debian.org/source/wheezy/drupal7

security-tracker.debian.org/tracker/CVE-2014-9015

security-tracker.debian.org/tracker/CVE-2014-9016

www.debian.org/security/2014/dsa-3075

JSON

Related for DEBIAN_DSA-3075.NASL