The open-source Drupal content-management system (CMS) is taking steps to protect against several potential risks that have been publicly disclosed. On Jan. 6, security research vendor IOActive first disclosed the issues, which center on the Drupal update process. The Drupal project's security team is aware of the concerns and is fixing all of the issues, though it is also downplaying the overall risk.
The White House and the U.S. Federal Communications Commission (FCC), among other notable organizations, use the popular CMS.
Greg Knaddison, Drupal Security Team member and director of engineering at CARD.com, explained that Drupal worked with IOActive security researcher Fernando Arnaboldi in a coordinated effort that followed the publicly posted Drupal disclosure process. Arnaboldi first notified Drupal of the issues in November, and there was a mutual agreement on a public disclosure date, Knaddison said.
“We do have a closed system, which is where we discussed the issues prior to making them public,” Knaddison explained to eWEEK. “The closed system is totally separate from the public system so the public versions of the issues are created manually and get new time stamps on them when they are created.”
At the heart of Arnaboldi's research is the fact that the CMS was not always fetching updates securely. Drupal updates were insecure partly because the update manager did not default to an HTTPS address for downloads. Fetching over plain HTTP exposed the download to a man-in-the-middle attack, in which an attacker on the network path could intercept the transfer and substitute an archive containing arbitrary code. The Drupal project has since enabled HTTPS with HSTS (HTTP Strict Transport Security) on ftp.drupal.org and updates.drupal.org. An HSTS header tells browsers to refuse plain HTTP to that host for the period it specifies, so a user who has reached the site over HTTPS once will not be silently downgraded later. A non-browser client such as the update manager does not honor HSTS, however, which is why defaulting the client itself to HTTPS addresses matters as much as the server-side header.
Drupal's servers also use Perfect Forward Secrecy in their Secure Sockets Layer/Transport Layer Security (SSL/TLS) configuration, which negotiates ephemeral keys on a per-session basis so that a later compromise of the server's long-term key does not expose previously recorded sessions. Drupal also no longer offers the RC4 stream cipher, which has been shown to be cryptographically insecure, Knaddison explained.
The Drupal fix for improving download security overall is a multi-layered initiative, he said. “It’s true that the update manager was at risk, but actually most of the ways we distributed code were not leveraging SSL/TLS or file checksums,” Knaddison explained. “We’ve taken a lot of steps in a very short time to switch to making HTTPS the default.”
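The three server-side fixes described above (HTTPS by default, forward-secret ciphers with RC4 removed, and file checksums) have a client-side counterpart: an update fetcher should refuse plain HTTP, verify the server certificate, restrict itself to forward-secret cipher suites, and compare the archive against a digest obtained out of band. The following Python is an added example written for this article; it is not Drupal's update manager code. The host allow-list, the function names (`validate_update_url`, `build_tls_context`, `fetch_update`), the cipher string and the sample archive are this example's own assumptions.

```python
"""Hardened update fetch: HTTPS only, forward-secret ciphers, no RC4, checksum check.

Added example, not Drupal project code. Names, cipher string and sample data
are assumptions made for illustration.
"""
import hashlib
import hmac
import ssl
from urllib.parse import urlparse
from urllib.request import urlopen

# Hosts the article names as update sources; treating them as an allow-list is
# this example's assumption, not documented Drupal behaviour.
UPDATE_HOSTS = {"updates.drupal.org", "ftp.drupal.org"}

# Forward-secret key exchange (ECDHE or DHE) with AEAD ciphers only. RC4,
# anonymous and null suites are excluded by name so a permissive library
# default can never reintroduce them.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!RC4:!aNULL:!eNULL:!MD5"


class InsecureUpdateSource(Exception):
    """Raised when an update would be fetched over an unsafe channel."""


def validate_update_url(url):
    """Refuse anything except https:// to an allow-listed host.

    A plain http:// URL is exactly the man-in-the-middle opportunity the
    article describes: an on-path attacker can swap the module archive.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise InsecureUpdateSource("refusing non-HTTPS update URL: %s" % url)
    if parts.hostname not in UPDATE_HOSTS:
        raise InsecureUpdateSource("unexpected update host: %r" % parts.hostname)
    if parts.username or parts.password:
        raise InsecureUpdateSource("credentials in update URL are not allowed")
    return parts.hostname, parts.path


def build_tls_context():
    """TLS client context: chain and hostname verification on, PFS ciphers only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_CIPHERS)
    return ctx


def context_offers_rc4(ctx):
    """True if any negotiable suite in the context still uses RC4."""
    return any("RC4" in c["name"] for c in ctx.get_ciphers())


def all_ciphers_forward_secret(ctx):
    """TLS 1.3 suites always use (EC)DHE; TLS 1.2 names must start ECDHE-/DHE-."""
    return all(
        c["protocol"] == "TLSv1.3" or c["name"].startswith(("ECDHE-", "DHE-"))
        for c in ctx.get_ciphers()
    )


def verify_checksum(payload, expected_sha256_hex):
    """Compare SHA-256 of the payload with a digest the admin obtained separately.

    hmac.compare_digest keeps the comparison constant-time; the digest must not
    come from the same unauthenticated channel as the archive.
    """
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def _network_opener(url):
    """Real fetch path: verified HTTPS with the hardened context."""
    return urlopen(url, context=build_tls_context()).read()


def fetch_update(url, expected_sha256_hex, opener=_network_opener):
    """Download an update only over verified HTTPS and only if its checksum matches.

    `opener` is injectable so the policy can be exercised offline.
    """
    validate_update_url(url)
    payload = opener(url)
    if not verify_checksum(payload, expected_sha256_hex):
        raise InsecureUpdateSource("checksum mismatch for %s" % url)
    return payload


# Constructed sample: a fake module archive and the digest an admin might have
# copied from a project page. Not real Drupal data.
SAMPLE_ARCHIVE = b"PK\x03\x04 constructed-module-archive"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()
```

The cipher checks inspect what the local OpenSSL build would actually offer after `set_ciphers`, which is the same question an administrator asks of the server with a TLS scanner: whether RC4 or non-ephemeral RSA key exchange is still on the table. Note that the checksum defends against a tampered archive only if the expected digest reaches the client over a channel the attacker cannot also rewrite.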
The reason Drupal was not using HTTPS as the default before comes down to legacy cost. Historically, Drupal had not made extensive use of SSL/TLS because of the cost of the SSL/TLS infrastructure, he said. A recent partnership with Fastly is now helping Drupal handle that SSL/TLS traffic without adding load to Drupal's own servers.
Arnaboldi also reported a cross-site request forgery (CSRF) vulnerability that could have let an attacker trigger an unintended update.
“The cross-site request forgery vulnerability allows an attacker to achieve two goals: to control the time that an update is triggered, which may provide value if they are able to sniff traffic or poison DNS [Domain Name System] for a brief period,” Drupal’s advisory warned.
The second thing the CSRF could have done is consume a large amount of resources on drupal.org. Drupal developers are currently working on a patch for the CSRF issue. Knaddison emphasized that the Drupal Security Team was already working on private and public issues for everything Arnaboldi found, except for the CSRF issue.
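The CSRF described above works because the endpoint that starts an update check accepts any request that carries the administrator's session cookie, and browsers attach that cookie even to requests an attacker's page initiates. The following Python is an added example written for this article, not Drupal code: it places a vulnerable handler beside a hardened one that requires POST and a per-session token compared in constant time. The request and session shapes and the handler names are this example's own assumptions, and a counter stands in for the real work (each forged trigger would otherwise cost a fetch from updates.drupal.org).

```python
"""CSRF on an update-trigger endpoint: vulnerable handler beside a hardened one.

Added example, not Drupal code. Request/Session shapes, handler names and the
attacker pages are assumptions made for illustration.
"""
import hmac
import secrets


class Session:
    """Server-side state identified by the admin's cookie."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(32)  # per-session secret, never in a URL
        self.updates_triggered = 0               # stands in for the real update work
        self.logged_in = True


class Request:
    """Minimal request model: the browser attaches the session cookie automatically."""

    def __init__(self, method, session, form=None, origin=None):
        self.method = method
        self.session = session
        self.form = form or {}
        self.origin = origin


def trigger_update_vulnerable(req):
    """Vulnerable: any request carrying the admin's cookie starts an update.

    A GET issued by <img src="https://victim.example/admin/update-check">
    on an attacker's page is enough, and the attacker picks the moment.
    """
    if not req.session.logged_in:
        return 403
    req.session.updates_triggered += 1
    return 200


def trigger_update_protected(req):
    """Hardened: POST only, form token must equal the session token.

    The token is embedded in the legitimate admin page, which the attacker's
    origin cannot read, so a cross-site auto-submitted form cannot supply it.
    """
    if not req.session.logged_in:
        return 403
    if req.method != "POST":
        return 405  # state change never happens on GET
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return 403
    req.session.updates_triggered += 1
    return 200


def render_admin_form(session):
    """What the legitimate page embeds as a hidden field."""
    return {"csrf_token": session.csrf_token}


# Constructed attacker requests: the browser sends the victim's cookie, but the
# attacker's page cannot see the token value.
def forged_get(session):
    return Request("GET", session, origin="https://attacker.example")


def forged_post(session):
    return Request("POST", session, form={"csrf_token": "guess"},
                   origin="https://attacker.example")


def attack_outcome(handler):
    """Run one forged GET and one forged POST against a fresh admin session.

    Returns (status codes, number of updates the attacker managed to trigger).
    """
    session = Session()
    codes = (handler(forged_get(session)), handler(forged_post(session)))
    return codes, session.updates_triggered
```

The hardened handler also illustrates the resource angle from the advisory: because a forged request is rejected before any work starts, an attacker cannot use a victim's browser to make the site repeatedly contact updates.drupal.org.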
Overall, while Drupal is working to harden the update system to limit risk, the prevailing view within the project was that the risks in the issues Arnaboldi reported were not large.
“I would say that the Security Team, and since the issues were public it’s really the whole project, all looked at the risks and decided that this issue [CSRF], while valid, wasn’t as important as a bunch of other things,” Knaddison said. “I will be amazed if a single site is attacked using the vulnerabilities identified by Arnaboldi.”
In addition, the security improvements include the integration of a two-factor authentication system for drupal.org. Drupal also now has a modern, entropy-based password strength tester. Drupal 8, released in November 2015, benefited from a long list of security improvements as well.
“I could go on with probably a dozen other interesting things for security that we’ve worked on that provide tangible improvements to everyday security problems,” Knaddison said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.