Bugs in Drupal’s update process could lead to backdoored updates, site compromise


Drupal’s update process is deeply flawed, says IOActive researcher Fernando Arnaboldi.

He recently discovered three separate flaws in it, the worst of which could be exploited by attackers to swap a legitimate update for the popular CMS or its modules with a backdoored one, leading to total installation (and site) compromise.

How can this happen, you ask? It’s very simple: Drupal security updates are transferred unencrypted and are not checked for authenticity.

“The update process downloads a plaintext version of an XML file at http://updates.drupal.org/release-history/drupal/7.x and checks to see if it is the latest version. This XML document can point to a backdoored version of Drupal,” Arnaboldi pointed out.

A similar attack can be performed when it comes to module updates.

“To exploit unencrypted updates, an attacker must be suitably positioned to eavesdrop on the victim’s network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection, such as public WiFi, or a corporate or home network that is shared with a compromised computer,” he explained.

The other two flaws are as follows:

1) When the Drupal update process fails, e.g. due to connectivity issues, Drupal will not tell the user that there has been a problem and the update has not been installed. Instead, it will do the complete opposite, and give the user a false sense of security:

[Image: Drupal message]

2) Users can also use a link that says “Check Manually” if they want to check for updates themselves (as seen in the image above). Thanks to a vulnerability in this functionality, attackers could perform a CSRF attack to force the admin to check for updates whenever they decide (i.e. when they are ready to serve the aforementioned backdoored version of the update).

According to Arnaboldi, this vulnerability could also be used as a server-side request forgery (SSRF) attack against drupal.org. “Administrators may unwillingly be forcing their servers to request unlimited amounts of information from updates.drupal.org to consume network bandwidth,” he noted.

All except this last bug affect the two latest Drupal versions (7 and 8), and it’s up to the developers to fix them. In the meantime, users can partially mitigate the first two issues by manually downloading and installing updates for Drupal and add-ons.
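To show what a hardened update check looks like against the first and third flaws described above, here is an added Python example (not Drupal's code and not IOActive's): it refuses plaintext feed and download URLs, accepts an archive only if it matches a digest pinned out of band, and reports a failed feed fetch as "unknown" instead of as up to date. The feed XML, its tag names, the URLs and the digest are all constructed for this example and are not Drupal's actual schema.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample feed in the style the article describes.
# Tag names are assumptions for this example, not Drupal's real schema.
FEED_XML = """<project><title>Drupal</title><releases><release>
<version>7.x-sample</version>
<download_link>https://ftp.example.org/drupal-7.x-sample.tar.gz</download_link>
</release></releases></project>"""

# Hypothetical digest distributed out of band (e.g. a signed manifest); constructed.
PINNED_SHA256 = {"7.x-sample": hashlib.sha256(b"constructed archive bytes").hexdigest()}


def require_https(url):
    """Refuse any update URL that would travel in plaintext (the article's core flaw)."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("refusing non-HTTPS update URL: %s" % url)
    return url


def parse_feed(xml_text):
    """Return (version, download_link) of the first release, enforcing HTTPS on the link."""
    root = ET.fromstring(xml_text)
    rel = root.find("./releases/release")
    if rel is None:
        raise ValueError("feed has no release entry")
    version = rel.findtext("version") or ""
    link = require_https(rel.findtext("download_link") or "")
    return version, link


def verify_archive(version, archive_bytes, pinned=PINNED_SHA256):
    """Accept the archive only if it matches the pinned digest for that exact version."""
    expected = pinned.get(version)
    if expected is None:
        return False  # unknown version: never install on the feed's say-so alone
    return hashlib.sha256(archive_bytes).hexdigest() == expected


def update_status(fetch):
    """Report 'unknown' when the feed fetch fails, instead of a false 'up to date'."""
    try:
        xml_text = fetch()
    except OSError:
        return "unknown"
    version, _ = parse_feed(xml_text)
    return "available:" + version
```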