The developers of the Drupal content management system (CMS) released out-of-band security updates right before Thanksgiving due to the availability of exploits.
The core updates released for Drupal 7, 8.8, 8.9 and 9.0 on November 25 address a couple of vulnerabilities affecting PEAR Archive_Tar, a third-party library designed for handling .tar files in PHP.
The developers of the library released an update recently to address two vulnerabilities, tracked as CVE-2020-28948 and CVE-2020-28949, that can be exploited to bypass Phar unresialization protections.
Exploitation involves manipulating file names and it can allow an attacker to execute arbitrary PHP code or overwrite files, including important files such as /etc/passwd and /etc/shadow.
The researcher who reported the vulnerabilities to PEAR developers also made public proof-of-concept (PoC) exploits so Drupal decided to roll out the patches to its users as soon as possible.
“According to the regular security release window schedule, November 25th would not typically be a core security window. However, this release is necessary because there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable,” Drupal noted in its advisory.
Drupal developers pointed out that exploitation is possible if the CMS is configured to allow uploading .tar, .tar.gz, .bz2 or .tlz files. Similar vulnerabilities related to the same PEAR library were patched one year ago, but Drupal noted that they are not related, although the same types of configuration changes can mitigate the issue. The recommended mitigation involves preventing untrusted users from uploading files with the aforementioned extensions.
The latest updates have been assigned a “critical” severity rating, but it’s worth mentioning that Drupal uses the NIST Common Misuse Scoring System, which assigns vulnerabilities a score ranging between 0 and 25, with “critical” being only the second highest rating, after “highly critical.”
This is the sixth security update released this year for Drupal. The fifth was released earlier this month to patch a remote code execution vulnerability related to failure to properly sanitize the names of uploaded files.