fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Drupal Releases Fix For Critical Vulnerability With Known Exploits

Drupal Releases Fix For Critical Vulnerability With Known Exploits

Drupal has released a security update to address a critical vulnerability in a third-party library with documented or deployed exploits available in the wild.

“The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal,” the Drupal security team said.

Drupal is used by roughly 2.4% of all sites with content management systems, which makes it the Internet’s fifth most popular CMS, after WordPress (64.1%), Shopify (5.2%), Joomla (3.5%), and Squarespace (2.5%).

Also Read: Limiting Location Data Exposure: 8 Best Practices

Security updates for all affected versions

According to Drupal’s security advisory, the vulnerability is caused by a bug in the PEAR Archive_Tar library used by the CMS tracked as CVE-2020-36193.

The bug causes out-of-path extraction vulnerabilities via “write operations with Directory Traversal due to inadequate checking of symbolic links.”

Successful exploitation requires access to user accounts with basic permissions on servers with uncommon module configurations.

Exploiting the Drupal vulnerability is only possible if the CMS is configured to allow and process .tar, .tar.gz, .bz2, or .tlz file uploads.

Following exploitation, attackers can modify or delete all data and can also gain access to all non-public data available on the compromised server.

Drupal recommends installing the following updates on affected servers:

“Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage,” Drupal’s security team added.

This vulnerability is related to another critical security flaw with known exploits caused by the CVE-2020-28948 bug in the PEAR Archive_Tar library that could allow for arbitrary PHP code execution on some CMS versions.

Drupal issued an out-of-band emergency security update to fix it in November allowing admins to quickly patch their servers to defend them against potential attacks.

Mitigation available

Mitigation measures are available for admins who cannot immediately deploy the security update on their Drupal servers.

To do that, they are advised to disable uploads of .tar, .tar.gz, .bz2, or .tlz files to temporarily mitigate the issue.

DHS-CISA has also issued an alert on Thursday urging admins and users to upgrade Drupal to block attackers from taking over unpatched servers.

Drupal patched another critical remote code execution vulnerability tracked as CVE-2020-13671 and allowing attackers to execute malicious code on vulnerable servers due to improper filenames sanitization for uploaded files.

Also Read: 10 Practical Benefits of Managed IT Services

“Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions: phar, PHP, pl, py, cgi, asp, js, HTML, htm, and phtml” Drupal said at the time.

“This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis.”

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us