chromium-112.0.5615.121-2.el9

FEDORA-EPEL-2023-fc1538262d

Packages in this update:

chromium-112.0.5615.121-2.el9

Update description:

update to 112.0.5615.121. Fixes the following security issues:

CVE-2023-2004 CVE-2023-2133 CVE-2023-2134 CVE-2023-2135 CVE-2023-2136 CVE-2023-2137 CVE-2023-2033

chromium-112.0.5615.121-2.fc38

FEDORA-2023-df075a7f85

Packages in this update:

chromium-112.0.5615.121-2.fc38

Update description:

update to 112.0.5615.121. Fixes the following security issues:

CVE-2023-2004 CVE-2023-2133 CVE-2023-2134 CVE-2023-2135 CVE-2023-2136 CVE-2023-2137 CVE-2023-2033

Drupal core – Moderately critical – Access bypass – SA-CORE-2023-005

Project: Drupal core
Date: 2023-April-19
Vulnerability: Access bypass
Description:

The file download facility doesn’t sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.

Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.

This advisory is covered by Drupal Steward.

Drupal Steward coverage would not normally be applied to a release of this severity. In this case the Drupal Security Team chose to apply it in order to test the Drupal Steward processes.

Drupal 7

All Drupal 7 sites on Windows web servers are vulnerable.
Drupal 7 sites on Linux web servers are vulnerable with certain file directory structures, or if a vulnerable contributed or custom file access module is installed.

Drupal 9 and 10

Drupal 9 and 10 sites are only vulnerable if certain contributed or custom file access modules are installed.
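The advisory does not say how the file download facility's path sanitization fails, so the following is an added example, not Drupal's code and not a description of the actual bug: it shows the kind of containment check a private-file download endpoint needs before it serves a file. The function names, the private-files directory layout and the request paths are constructed for the example. The check rejects `..` segments, double-encoded input, absolute paths, backslash separators (which Windows treats as path separators, which is consistent with the advisory listing Windows web servers as affected) and symlinks that resolve outside the private root.

```python
import os
import tempfile
import urllib.parse


class FileAccessDenied(Exception):
    """Raised when a requested path must not be served from the private root."""


def resolve_private_file(private_root: str, requested: str) -> str:
    """Return the real filesystem path of `requested` inside `private_root`.

    Every check is a hard reject rather than an attempt to "clean up" the
    path; normalising hostile input is where download facilities go wrong.
    """
    # 1. Percent-decode exactly once. If decoding a second time changes the
    #    string, the client sent double-encoded input (e.g. %252e) to slip
    #    past a check that runs before the web server's own decoding.
    decoded = urllib.parse.unquote(requested)
    if urllib.parse.unquote(decoded) != decoded:
        raise FileAccessDenied("double-encoded path")

    # 2. NUL bytes truncate paths in C-based runtimes; backslashes are path
    #    separators on Windows, so a '/'-only traversal check misses them.
    if "\x00" in decoded or "\\" in decoded:
        raise FileAccessDenied("forbidden character in path")

    # 3. Absolute paths and Windows drive letters never belong in a request.
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        raise FileAccessDenied("absolute path")

    # 4. Reject any '..' segment outright instead of normalising it away.
    if any(segment == ".." for segment in decoded.split("/")):
        raise FileAccessDenied("parent traversal")

    # 5. Resolve symlinks on both sides, then require containment. This is
    #    the check that catches a symlink planted inside the private tree.
    root = os.path.realpath(private_root)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        raise FileAccessDenied("escapes private root")

    # 6. Only regular files are downloadable.
    if not os.path.isfile(candidate):
        raise FileAccessDenied("not a regular file")
    return candidate


def demo() -> dict:
    """Build a constructed private-files tree and exercise the resolver.

    Layout (all constructed for this example):
      <base>/settings.php            sensitive file OUTSIDE the private root
      <base>/private/reports/q1.pdf  legitimate private file
      <base>/private/link            symlink pointing at ../settings.php
    """
    base = tempfile.mkdtemp()
    root = os.path.join(base, "private")
    os.makedirs(os.path.join(root, "reports"))
    with open(os.path.join(root, "reports", "q1.pdf"), "w") as fh:
        fh.write("quarterly report (constructed)")
    with open(os.path.join(base, "settings.php"), "w") as fh:
        fh.write("<?php // constructed file outside the private root")
    os.symlink(os.path.join(base, "settings.php"), os.path.join(root, "link"))

    requests = [
        "reports/q1.pdf",                    # legitimate
        "../settings.php",                   # plain traversal
        "reports/%2e%2e/../settings.php",    # encoded traversal
        "%252e%252e/settings.php",           # double-encoded traversal
        "reports\\..\\..\\settings.php",     # Windows-style separators
        "/etc/passwd",                       # absolute path
        "link",                              # symlink escaping the root
    ]
    results = {}
    for req in requests:
        try:
            resolve_private_file(root, req)
            results[req] = "allowed"
        except FileAccessDenied as exc:
            results[req] = f"denied: {exc}"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:40} -> {outcome}")
```

The order of the checks matters: decoding happens first so that every later check sees the same bytes the filesystem would, and the symlink-aware containment check runs last because it is the only one that needs to touch the disk.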

Solution: 

Install the latest version:

If you are using Drupal 10.0, update to Drupal 10.0.8.
If you are using Drupal 9.5, update to Drupal 9.5.8.
If you are using Drupal 9.4, update to Drupal 9.4.14.
If you are using Drupal 7, update to Drupal 7.96.

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Reported By: 
Heine of the Drupal Security Team
Conrad Lara
Guy Elsmore-Paddock
Fixed By: 
Michael Hess of the Drupal Security Team
Heine of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
David Rothstein of the Drupal Security Team
xjm of the Drupal Security Team
Wim Leers
Damien McKenna of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Conrad Lara
Peter Wolanin of the Drupal Security Team
Drew Webber of the Drupal Security Team
Benji Fisher of the Drupal Security Team
Juraj Nemec, provisional member of the Drupal Security Team
Jen Lampton, provisional member of the Drupal Security Team
Dave Long of the Drupal Security Team
Kim Pepper
Alex Pott of the Drupal Security Team
Neil Drumm of the Drupal Security Team

USN-6032-1: Linux kernel (OEM) vulnerabilities

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)

Gerald Lee discovered that the USB Gadget file system implementation in the
Linux kernel contained a race condition, leading to a use-after-free
vulnerability in some situations. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-4382)

It was discovered that a memory leak existed in the SCTP protocol
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (memory exhaustion). (CVE-2023-1074)

It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)

It was discovered that the file system writeback functionality in the Linux
kernel contained a use-after-free vulnerability. A local attacker could
possibly use this to cause a denial of service (system crash) or execute
arbitrary code. (CVE-2023-26605)

It was discovered that the NTFS file system implementation in the Linux
kernel did not properly validate attributes in certain situations, leading
to an out-of-bounds read vulnerability. A local attacker could possibly use
this to expose sensitive information (kernel memory). (CVE-2023-26607)

Duoming Zhou discovered that a race condition existed in the infrared
receiver/transceiver driver in the Linux kernel, leading to a use-after-
free vulnerability. A privileged attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2023-1118)

USN-6031-1: Linux kernel (OEM) vulnerabilities

It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel contained a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-1281)

It was discovered that the Integrity Measurement Architecture (IMA)
implementation in the Linux kernel did not properly enforce policy in
certain conditions. A privileged attacker could use this to bypass Kernel
lockdown restrictions. (CVE-2022-21505)

It was discovered that the infrared transceiver USB driver did not properly
handle USB control messages. A local attacker with physical access could
plug in a specially crafted USB device to cause a denial of service (memory
exhaustion). (CVE-2022-3903)

It was discovered that a race condition existed in the SMSC UFX USB driver
implementation in the Linux kernel, leading to a use-after-free
vulnerability. A physically proximate attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41849)

Gerald Lee discovered that the USB Gadget file system implementation in the
Linux kernel contained a race condition, leading to a use-after-free
vulnerability in some situations. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-4382)

It was discovered that a memory leak existed in the SCTP protocol
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (memory exhaustion). (CVE-2023-1074)

Mingi Cho discovered that the netfilter subsystem in the Linux kernel did
not properly initialize a data structure, leading to a null pointer
dereference vulnerability. An attacker could use this to cause a denial of
service (system crash). (CVE-2023-1095)

It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)

It was discovered that the NTFS file system implementation in the Linux
kernel did not properly validate attributes in certain situations, leading
to an out-of-bounds read vulnerability. A local attacker could possibly use
this to expose sensitive information (kernel memory). (CVE-2023-26607)

Duoming Zhou discovered that a race condition existed in the infrared
receiver/transceiver driver in the Linux kernel, leading to a use-after-
free vulnerability. A privileged attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2023-1118)

python-django-4.0.10-1.fc37

FEDORA-2023-8fed428c5e

Packages in this update:

python-django-4.0.10-1.fc37

Update description:

Security fix for:

CVE-2023-24580
CVE-2023-23969
CVE-2022-41323
CVE-2022-36359
CVE-2022-34265
CVE-2022-28346
CVE-2022-28347

https://docs.djangoproject.com/en/4.2/releases/4.0.3/
https://docs.djangoproject.com/en/4.2/releases/4.0.4/
https://docs.djangoproject.com/en/4.2/releases/4.0.5/
https://docs.djangoproject.com/en/4.2/releases/4.0.6/
https://docs.djangoproject.com/en/4.2/releases/4.0.7/
https://docs.djangoproject.com/en/4.2/releases/4.0.8/
https://docs.djangoproject.com/en/4.2/releases/4.0.9/
https://docs.djangoproject.com/en/4.2/releases/4.0.10/
