Two dangerous vulnerabilities associated with the use of the third-party library PEAR Archive_Tar have been patched in the Drupal CMS. The library's developers had already released an update; now the corresponding changes have been made to the Drupal core.
The library handles tar archives in PHP. Both new vulnerabilities (CVE-2020-28948 and CVE-2020-28949) allow an attacker to bypass Archive_Tar's protection against attacks that exploit the deserialization of metadata from Phar (PHP Archive) files.
Exploitation in this case is carried out through manipulation of file names and threatens execution of malicious PHP code or overwriting of important files such as /passwd and /shadow.
The Drupal team rated both bugs as critical, 18 out of 25 on the scale recommended by NIST (the US National Institute of Standards and Technology). At the same time, it was noted that exploiting the new holes in the CMS is possible only with settings that allow uploading of .tar, .tar.gz, .bz2 or .tlz files.
The vulnerabilities have been confirmed for Drupal versions 7 and 9, as well as branches 8.8 and 8.9. Since a PoC exploit has already been published, patches for the CMS were released urgently. Drupal users are advised to upgrade to versions 7.75, 9.0.9, 8.8.12 or 8.9.10 as soon as possible. If that is not possible, for now it is worth prohibiting uploads of files in the specified formats from untrusted sources.
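The file-name trick described above works because a tar entry whose name starts with a scheme such as phar:// is opened through a PHP stream wrapper, which is what triggers deserialization of the Phar metadata. As an added example, not code from Drupal or the Archive_Tar library, the following PHP pre-scan inspects an uploaded archive's entry names and flags such wrapper prefixes (matched case-insensitively) and path-traversal names before anything is extracted; the file path, function names and the exact checks are assumptions, not part of the article.

```php
<?php
// Added example, not code from Drupal or Archive_Tar: pre-scan the entry names of an
// uploaded tar archive and report any that PHP would treat as a stream wrapper
// (phar://, file://, ...) or that would escape the extraction directory, so the
// upload can be refused before Archive_Tar opens it. $path is assumed to be the
// uploaded file; compress.zlib:// reads both plain and gzip-compressed archives.

function tarEntryNames(string $path): array
{
    $fh = fopen('compress.zlib://' . $path, 'rb');
    if ($fh === false) {
        throw new RuntimeException("cannot open $path");
    }
    $names = [];
    $longName = null;                           // set by a GNU 'L' long-name entry
    while (strlen($hdr = (string) stream_get_contents($fh, 512)) === 512) {
        if (trim($hdr, "\0") === '') {          // all-zero block: end of archive
            break;
        }
        $name   = rtrim(substr($hdr, 0, 100), "\0");
        $prefix = rtrim(substr($hdr, 345, 155), "\0");  // ustar prefix field
        $type   = $hdr[156];
        $size   = (int) octdec(trim(substr($hdr, 124, 12), "\0 "));
        $padded = (int) (ceil($size / 512) * 512);     // data is stored in 512-byte blocks
        $data   = $padded > 0 ? (string) stream_get_contents($fh, $padded) : '';
        if ($type === 'L') {                    // real (long) name is in the data blocks
            $longName = rtrim(substr($data, 0, $size), "\0");
            continue;
        }
        $names[] = $longName ?? ($prefix === '' ? $name : "$prefix/$name");
        $longName = null;
    }
    fclose($fh);
    return $names;
}

function isDangerousEntryName(string $name): bool
{
    // Scheme-like prefix, matched case-insensitively (PHAR:// is a wrapper too).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $name)) {
        return true;
    }
    // Absolute path or ".." component: would land outside the target directory.
    if ($name !== '' && ($name[0] === '/' || $name[0] === '\\')) {
        return true;
    }
    return in_array('..', preg_split('#[\\\\/]+#', $name), true);
}

// Names that should cause the upload to be rejected; an empty array means it passed.
function scanTarUpload(string $path): array
{
    return array_values(array_filter(tarEntryNames($path), 'isDangerousEntryName'));
}
```

A bzip2-compressed upload would need the compress.bzip2:// wrapper instead, and any entry the scan does not recognise (PAX extended headers, for instance) should be treated as a reason to reject rather than to trust the archive.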