Drupal Patches Critical Access Bypass Bug

Website management platform Drupal released several patches that address access bypass vulnerabilities in its Drupal 8 Core engine Wednesday, fixing one critical and two moderately critical security bugs.

The most serious of the vulnerabilities is the access bypass vulnerability (CVE-2017-6925) in Drupal 8 Core engine that could allow for remote unwanted access to the platform, allowing a third-party to view, create, update or delete entities. Drupal Core 8.x versions prior to 8.3.7 are vulnerable, according to the Drupal Security Team.

“This only affects entities that do not use, or do not have, UUIDs (Universal Unique Identifier), and entities that have different access restrictions on different revisions of the same entity,” according to the bulletin.

Currently, researchers who found the flaw (Maxim Podorov, Arshad, and Miles Worthington) said they were unaware of any working exploits for any of the vulnerabilities in Wednesday’s advisory.

Mitigation for all Drupal 8 CVEs includes updating to the latest version, Drupal 8.3.7.

A second access bypass vulnerability (CVE-2017-6923) also impacts Drupal 8 Core engine. “When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax,” described Drupal.

Mitigation against these type of attacks include ensuring administrators have access restrictions on the view and updating to the latest version of Drupal.

The remaining access bypass vulnerability (CVE-2017-6924) is tied to a REST API that can bypass comment approval allowing for users without the correct permission to post comments on webpages.

According to the advisory, only sites that have the RESTful Web Services module and the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments, said the Drupal Security Team.

Affected are Drupal versions 8.0 through 8.3.6.

Drupal 7 Core is not impacted by similar type vulnerabilities. However, Drupal 7 Views is, according to a separate advisory issued Wednesday. Views is a module allows administrators and site designers to create, manage, and display lists of content, according to Drupal.

The Views vulnerability is rated critical and also involves an access bypass vulnerability. The bug is identical to (CVE-2017-6923), also issued Wednesday. Impacted are Views versions prior to 7.x-3.17. Mitigation includes updating to the latest version. No CVE has been issued yet regarding the Views vulnerability.

Drupal has issued two prior security advisories regarding access bypass vulnerabilities. One in April also was tied to the RESTful Web Services module. Another advisory was issued in June for a bug that could lead to code execution via an access bypass vulnerability.