There is an access bypass vulnerability in Drupal when issuing PATCH requests. The vulnerability is located in SQLContentEntityInterface.php. Using this attack vector, an attacker can remove or edit content on the Drupal application to which they would not normally have permissions.
The attack proceeds in the following stages:
- The attacker creates a node on the system and sets the content as required. In this example, the node ID of this content is 25. The attacker also notes the ID of a node which they can potentially view, but on which they have no edit or delete permissions. View permission is not essential, as IDs can be brute forced.
- The attacker sends a crafted PATCH request to the REST API of the node which they just created, specifying the node ID of the node they wish to hijack. The UUID must also be set to some unique value (to avoid SQL duplicate entry exceptions). It is also necessary to set the vid to zero to allow a new revision to be created, again avoiding SQL duplicate entry exceptions.
- The attacker now has full control over node 24 and can delete it if they wish.
The attack requires the following conditions:
- The Drupal REST API must be enabled and allow PATCH requests.
- The attacker must have an account with the ability to post new content and edit their own content.
- The attacker must have access to the REST API of the Drupal server.
There is an access bypass vulnerability in Drupal when issuing PATCH requests. The vulnerability is located in SQLContentEntityInterface.php. Nothing verifies that the node ID or UUID is either absent from the patch object or equal to the value on the original object. This vulnerability allows an authenticated user to hijack another node on which they have no edit or delete permissions.
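The missing verification described above can be expressed as a detection check over REST requests. The following is an added example, not code from Drupal or Alert Logic. It assumes a `/node/<id>` resource path and a JSON body whose fields are either scalars or item lists such as `[{"value": 24}]`; the sample requests and UUID values are constructed.

```python
import json
import re

# Assumed URL shape for a node REST resource: /node/<id> plus optional query.
NODE_PATH = re.compile(r"^/node/(\d+)(?:\?.*)?$")
# Constructed value standing in for the UUID stored for node 25.
STORED_UUID = "constructed-uuid-of-node-25"

def first_value(field):
    """Unwrap a scalar or an item list like [{"value": 24}] (assumed format)."""
    if isinstance(field, list) and field:
        field = field[0]
    if isinstance(field, dict):
        field = field.get("value")
    return field

def check_patch(method, path, body, stored_uuid):
    """Return findings for one request; an empty list means nothing flagged."""
    match = NODE_PATH.match(path)
    if method.upper() != "PATCH" or not match:
        return []
    try:
        fields = json.loads(body)
    except ValueError:
        fields = None
    if not isinstance(fields, dict):
        return ["body is not a JSON object"]
    findings = []
    # The ID in the body must equal the ID of the resource being patched.
    if "nid" in fields and str(first_value(fields["nid"])) != match.group(1):
        findings.append("nid in body differs from node ID in URL")
    # The UUID must be absent or equal to the stored one.
    if "uuid" in fields and first_value(fields["uuid"]) != stored_uuid:
        findings.append("uuid in body differs from stored uuid")
    # The page notes vid is set to zero to force a new revision.
    if "vid" in fields and str(first_value(fields["vid"])) == "0":
        findings.append("vid in body is zero")
    return findings

# Constructed sample requests: (method, path, body).
SAMPLE_REQUESTS = [
    ("PATCH", "/node/25?_format=json", '{"title": [{"value": "Edited"}]}'),
    ("PATCH", "/node/25?_format=json",
     '{"nid": [{"value": 24}], "uuid": [{"value": "constructed-new-uuid"}],'
     ' "vid": [{"value": 0}]}'),
    ("GET", "/node/24?_format=json", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLE_REQUESTS:
        print(method, path, check_patch(method, path, body, STORED_UUID))
```

An ordinary edit of the user's own node produces no findings, while a body that carries a different node ID, a new UUID and a zero vid produces all three.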
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upon discovery of a successful exploit, customers are expected to take normal and reasonable action in accordance with their own standard operating procedures, such as:
- Grant permission to create and edit own content only to trusted users, even for otherwise limited accounts.
- Patch Drupal to 8.2.8+ or 8.3.1+.