Drupal Core SA-CORE-2018-002 Remote Code Execution Vulnerability
The Drupal community woke up to a worrisome morning with the SA-CORE-2018-002 security advisory (CVE-2018-7600). The highly critical vulnerability mentions remote code execution vulnerability applicable to multiple Drupal core subsystems. The vulnerability resides in the Drupal core, which means all installations of Drupal, regardless of any installed plugin, are vulnerable. Drupal is reporting on over a million installs across the internet: https://www.drupal.org/project/usage/drupal Open-Source Investigation The security advisory does not mention full details regarding the vulnerability, nor have any publicly available exploits been spotted in the wild yet. However, due to the open-source nature of Drupal, security researchers are able to understand the context of the change using the git commit. The code change shows an alarmingly named library added to the code: request-sanitizer.inc. The main function in the library is called “stripDangerousValues”. This gives an obvious hint that there are user input sanitization issues with Drupal. This means that user input could end up unsafely evaluated in unprotected code execution methods – or in other words, arbitrary remote code execution.A deeper look at the code change shows a specific issue with Form API handling of attributes such as #type, #description and more. Therefore, an example exploit may look similar to the following: index.php?page['#payload']=home.php Source: https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714 ASM Mitigation ASM is able to detect this attack vector using the “SQL-INJ "' #" (SQL comment) (Parameter)” signature: Nonetheless, an ASU containing signatures specific for this vulnerability has been released and ready for download. The relevant signature IDs are: 200004423, 200004424, 200004440, 200004441, 200004442, 200004443, 200004444.
Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271)
In October 2017 Oracle have published a vulnerability concerning Oracle WebLogic and assigned CVE-2017-10271 to it. Since then no public information regarding this vulnerability was availableuntil a few days ago, when an analysis of the vulnerability and a Proof-of-Concept exploit were published. The vulnerability stems from an unsafe XML deserialization using Java XMLDecoder in the CoordinatorPortType web service, which is part of the WLS Security component of WebLogic. Attackers may send a crafted XML document to the aforementioned web service which will cause WebLogic to deserialize it and consequently allow an attacker to construct arbitraryJava objects and invoke their methods resulting inremote code execution. Figure 1: Part of the request exploiting the vulnerability. Mitigating the vulnerability with BIG-IP ASM BIG-IP ASM customers under any supported BIG-IP version are already protected against this 0-day vulnerability, as the exploitation attempt will be detected by an existing Javacode injection attack signature (200004174) which can be found in signature sets that include “Server Side Code Injection” attack type or “Java Servlets/JSP” System. Figure 2: Exploitation attempt blocked by signature id 200004174. We will be also releasing a dedicated signature in the upcoming ASM Security Update.
