Thursday, July 14, 2016

Drupal vulnerabilities - patch now

If you have a Drupal website, patch now.  There are three different vulnerabilities for which patches have been released, all of which have the potential for remote code execution.


For those that don't know, Drupal's security team uses a scoring model that is different from CVE.  Rather than scoring vulnerabilities on a scale of 10 (10 being the worst), Drupal uses a scoring system based on the NIST Common Misuse Scoring System.  You can read more about that system here.  Alternatively, you can just accept that it's a scale from 0-25 (25 being the worst).  Of the three vulnerabilities, the lowest score is 17 and the highest is 22.  Any of those should give you pause.

The good news is that not all installations are vulnerable.  One vulnerability requires the Coder module to be installed (though not necessarily in use).  Another (the most serious IMO) requires REST services to be enabled.  A quick survey of clients who use Drupal indicates that this is a popular module to have enabled.  In other words, if Rendition Infosec clients are a representative population, this vulnerability is pretty serious.
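Because the Coder condition is "installed, not necessarily enabled", a module-status listing is not the right check; the module's info file on disk is.  The following is an added example, not code from the post or from Drupal, that scans a docroot for any copy of the Coder module (it assumes the Drupal 7 `.info` / Drupal 8 `.info.yml` naming and builds a constructed sample docroot when no path is given):

```python
import os
import tempfile

# Drupal 7 modules declare themselves with <name>.info, Drupal 8 with <name>.info.yml.
INFO_SUFFIXES = (".info", ".info.yml")


def find_module_dirs(docroot, machine_name):
    """Return every directory under docroot holding the module's info file.

    A hit means the module is present on disk, enabled or not, which is the
    precondition the post describes for the Coder vulnerability.
    """
    wanted = {machine_name + suffix for suffix in INFO_SUFFIXES}
    hits = []
    for root, _dirs, files in os.walk(docroot):
        if wanted & set(files):
            hits.append(root)
    return sorted(hits)


def coder_present(docroot):
    """True if any copy of the Coder module is installed under docroot."""
    return bool(find_module_dirs(docroot, "coder"))


def build_sample_docroot(with_coder):
    """Constructed Drupal-7-style docroot used as offline sample input."""
    base = tempfile.mkdtemp(prefix="drupal-sample-")
    modules = os.path.join(base, "sites", "all", "modules")
    os.makedirs(os.path.join(modules, "views"))
    open(os.path.join(modules, "views", "views.info"), "w").close()
    if with_coder:
        # Coder is present on disk but nothing here enables it; that is enough.
        os.makedirs(os.path.join(modules, "coder"))
        open(os.path.join(modules, "coder", "coder.info"), "w").close()
    return base


if __name__ == "__main__":
    import sys
    docroot = sys.argv[1] if len(sys.argv) > 1 else build_sample_docroot(True)
    for path in find_module_dirs(docroot, "coder"):
        print("Coder module found at", path)
    print("patch needed" if coder_present(docroot) else "Coder not installed")
```

Run it against each site's docroot (`python check_coder.py /var/www/site`) to build the list of hosts that need the Coder patch first; the REST condition still has to be checked against the site's enabled-module list.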

Short term action items
The advice to stop what you are doing and patch now should be obvious, but I'll say it anyway.  Stop what you are doing and patch now.

Long term action items
Now on to the longer term advice.  Look at your patching program.  If your patching program can't keep up with vulnerabilities like this, seriously consider how you can improve it.  Drupal put out a PSA on 12JUL16 that they would be releasing the patches on 13JUL16.  That's not much heads up.  But then again, we're talking about three different RCE vulnerabilities.  I'm happier that they provided a 24 hour heads up than none at all, and definitely happier than having them sit on the vulnerabilities.

Even if you don't run Drupal, you need to consider how your shop would respond to a similar vulnerability where you had limited time to patch.  If the answer is that you need to convene a change control board meeting in two days to talk about the implications and then schedule an upcoming outage window to apply patches, you'll likely have been exploited by the time you apply the patch. Even if your house isn't on fire, now is a great time to fire drill.
