A critical vulnerability (CVE-2024-55638) has been discovered in Drupal Core, affecting versions from 7.0 before 7.102, from 8.0.0 before 10.2.11, and from 10.3.0 before 10.3.9. The vulnerability is classed as deserialization of untrusted data (object injection) and may lead to remote code execution. It is caused by a gadget chain inside Drupal Core: the chain is not an entry point on its own, but it becomes exploitable as soon as any code path in a Drupal-powered web application passes attacker-controlled data to unserialize().
Background
Insecure deserialization occurs when an application deserializes untrusted data, which can lead to code execution, SQL injection, or arbitrary file manipulation. In PHP the risk comes from the fact that unserialize() reconstructs objects of any class known to the application, and the magic methods of those classes (__wakeup(), __destruct(), __toString() and similar) then run on attacker-chosen property values. A "gadget chain" is a sequence of such classes whose methods hand control to one another until a method that executes code or writes files is reached. Deserialization of untrusted data typically occurs when user-supplied input containing serialized data is passed to unserialize() without validation.
Exploit Details
The vulnerability exists in Drupal Core's own classes: a chain of methods that, starting from the reconstruction of a serialized object, can lead to remote code execution. An attacker who can get serialized data into a call to unserialize() in the application (in core, a contributed module, or custom code) can use that chain to potentially execute arbitrary code.
Here is an illustrative snippet of the pattern (not Drupal Core's actual gadget chain):
class SomeGadget {
    public $someData;   // attacker-controlled once the object is created by unserialize()

    public function __destruct() {
        // Destructor code that acts on $this->someData, e.g. triggers other
        // gadgets or ends in a call that executes code or writes files
    }
}

class VulnerableEntryPoint {
    public function someMethod() {
        // Input from an attacker: a serialized SomeGadget with someData chosen by the attacker
        $gadget = unserialize($_GET['input']);
        // When $gadget goes out of scope, SomeGadget::__destruct() runs on the attacker's someData
    }
}
In this example, the attacker supplies the serialized data through the URL. unserialize() reconstructs a SomeGadget object whose 'someData' property holds whatever the attacker placed in the serialized blob; the constructor is never called, so no validation runs. When the object is destroyed (at the end of the request, or as soon as it goes out of scope) its destructor executes with that attacker-controlled data, and in a real chain each gadget passes control to the next until code execution is reached.
Original References
1. Drupal Core Advisory: https://www.drupal.org/sa-core-yyyy-nnnn
2. Further details on Insecure Deserialization: https://owasp.org/www-community/vulnerabilities/Insecure_Deserialization
Mitigation
To mitigate this vulnerability, Drupal has released security updates for the affected branches. Users should upgrade their Drupal Core installations to the patched versions:
For Drupal 10.3.x, upgrade to Drupal 10.3.9 or later.
For Drupal 10.2.x, upgrade to Drupal 10.2.11 or later.
For Drupal 7.x, upgrade to Drupal 7.102 or later.
Drupal 8.x, 9.x and 10.x releases before 10.2.11 fall inside the affected range and no longer receive security fixes; sites on those versions should move to a patched 10.2 or 10.3 release.
In addition, module and application developers should avoid calling unserialize() on untrusted data altogether (prefer JSON, or pass allowed_classes => false when PHP serialization cannot be avoided), and should keep side effects out of __destruct(), __wakeup() and other magic methods that a chain could reach. Removing the gadgets from core closes this particular chain, but any remaining unserialize() sink on untrusted input stays a risk for the next chain.
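The following is an added example, not part of the original advisory write-up and not Drupal Core code. It ties together the gadget pattern from the "Exploit Details" section and the developer advice above: a hypothetical class whose destructor acts on its own state, a constructed serialized payload that reaches it through an unserialize() sink, and two hardened sinks. The class name TempFileCleanup, its $path property, the payload string and the function names are assumptions made for illustration.

```php
<?php
// Added example (not from the original article and not Drupal Core code).
// Shows how an attacker-supplied serialized object reaches a __destruct()
// gadget through unserialize(), and how the sink can be hardened.
// TempFileCleanup, $path and ATTACKER_PAYLOAD are assumptions for illustration.

declare(strict_types=1);

// Hypothetical gadget class: legitimate-looking cleanup code that removes a
// temporary file on destruction, dangerous once its state is attacker-controlled.
class TempFileCleanup
{
    public string $path = '';

    // unserialize() never calls the constructor, so the only state the
    // destructor sees is whatever the serialized blob contained.
    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            // A real gadget would do: unlink($this->path);
            echo "gadget fired: would unlink {$this->path}\n";
        }
    }
}

// Constructed attacker payload: a serialized TempFileCleanup whose path points
// at a file the attacker must not be able to delete.
// Format: O:<namelen>:"<class>":<nprops>:{s:<len>:"<prop>";s:<len>:"<value>";}
const ATTACKER_PAYLOAD = 'O:15:"TempFileCleanup":1:{s:4:"path";s:11:"/etc/passwd";}';

// Vulnerable sink: every class in the codebase is reachable, so a gadget chain
// in core or in a contributed module can be entered from here.
function vulnerable_sink(string $untrusted): string
{
    $obj = unserialize($untrusted);
    // $obj is destroyed when this function returns, and __destruct() then
    // runs with the attacker's $path.
    return get_class($obj);               // "TempFileCleanup"
}

// Hardened sink 1: allowed_classes => false turns every object into
// __PHP_Incomplete_Class, which has no magic methods, so no gadget runs.
function hardened_sink(string $untrusted): string
{
    $obj = unserialize($untrusted, ['allowed_classes' => false]);
    return get_class($obj);               // "__PHP_Incomplete_Class"
}

// Hardened sink 2: do not use PHP serialization for untrusted input at all.
// json_decode() only ever produces scalars, arrays and stdClass, so it can
// never instantiate an application class.
function json_sink(string $untrusted): ?array
{
    $data = json_decode($untrusted, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

echo vulnerable_sink(ATTACKER_PAYLOAD), "\n";   // destructor fires as the call returns
echo hardened_sink(ATTACKER_PAYLOAD), "\n";     // incomplete class, nothing fires
try {
    json_sink(ATTACKER_PAYLOAD);
} catch (JsonException $e) {
    echo "PHP-serialized payload rejected as JSON: ", $e->getMessage(), "\n";
}
```

Two caveats when applying this. An allow-list such as allowed_classes => ['SomeDto'] still runs the magic methods of every listed class, so it is only safe if none of those classes (or anything reachable from their properties) is a gadget; allowed_classes => false is the setting that actually removes the class of bugs. And for a Drupal site the chain described in this advisory lives in core itself, so the hardening above protects custom sinks but does not replace the core upgrade.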
Conclusion
CVE-2024-55638 constitutes a serious vulnerability in Drupal Core, affecting versions from 7.0 before 7.102, from 8.0.0 before 10.2.11, and from 10.3.0 before 10.3.9. Given the prevalence of Drupal-powered web applications, immediate action is recommended: upgrade Drupal Core to a patched release and audit custom and contributed code for calls to unserialize() on untrusted input. This removes the known gadget chain and reduces the chance that a future chain becomes reachable through deserialization of untrusted data.
Timeline
Published on: 12/10/2024 00:15:22 UTC
Last modified on: 12/16/2024 18:15:11 UTC