Drupal moves to fix flaws in update process

After IOActive researcher Fernando Arnaboldi publicly revealed three crucial vulnerabilities in Drupal’s update process last Thursday, the Drupal Security Team published a response on the Drupal Groups page.

Apparently, they were aware of all of these bugs – judging by this list of open issues, one of these was known for more than three years – and are now finally moving to fix them.

They were also contacted by Arnaboldi about the bugs, and they gave their blessing to him to publish the details as they consider their impact “small enough that the reported problems could be fixed in public.”

The Team does not consider the lack of warning of a failed Drupal update process to be that important, especially because this bug affects only to one page of the Drupal administrative interface.

“All other pages in the admin interface warn about failures correctly. Also, the Drupal Security Team publishes advisories in many ways (html, email, rss, Twitter, and this update mechanism), precisely because modern security awareness requires that administrators rely on multiple mechanisms,” they explained.

The issue of cross site request forgery (CSRF) vulnerability that could allow attackers to control the time that an update is triggered and to use a large amount of resources from Drupal.org is also not that dangerous, they believe.

The major issue in this group is that Drupal security updates are transferred unencrypted and are not checked for authenticity, allowing attackers that have control of the network and can intercept communications between the users’ site and Drupal.org’s servers to feed compromised updates to users.

“In the past few days we have been working to switch infrastructure and update processes to use secure channels,” they shared. So, downloading via drush (v.7 or higher) and via download links on project pages has been secured by adding SSL support.

“We have switched the most common download methods to use https by default and are working to add SSL to anonymous downloads via version control (git). The next step is to release an updated Drupal core,” they explained.

They also pointed out that the checksums for checking the authenticity of updates can be located by clicking on “view all releases” from a project page.