Drupal released a security advisory on January 20th to address a critical vulnerability within a third-party library. This library comes from PHP’s PEAR, which describes itself as “a framework and distribution system for reusable PHP components.” Drupal’s advisory states that the project uses Archive_Tar from the PEAR framework to process .tar, .tar.gz, .bz2 and .tlz archive uploads. The Drupal vulnerability is tracked as CVE-2020-36193 and could allow for directory traversal when extracting files due to improper checking of symbolic links. A specially crafted archive could then have its content extracted outside of the intended directory, potentially then serving malicious content on the website. CVE-2020-36193 is related to CVE-2020-28948 which affects versions of Archive_Tar up to and including version 1.14.10.
Analyst Notes
As noted by Bleeping Computer, successfully taking advantage of this vulnerability requires access to an account with basic permissions and for the server to be using an uncommon module configuration. Even if uncommon, Binary Defense still recommends organizations with Drupal deployments follow the security advisory to update to the latest version available. If that is not possible, the advisory has a table of affected versions and the minor version patch which addresses the vulnerability without performing a larger update. Aside from Drupal 7 which appears to be a long-term support (LTS) release, all versions of Drupal prior to 8.9 are at end-of-life and should be updated as soon as possible as well. Organizations that cannot patch should disable uploads for the .tar, .tar.gz, .bz2, and .tlz file types as a short-term mitigation.
Source: https://www.bleepingcomputer.com/news/security/drupal-releases-fix-for-critical-vulnerability-with-known-exploits/
https://www.drupal.org/sa-core-2021-001
