Security Kit - Less critical - Denial of Service - SA-CONTRIB-2024-039
Description
Type confusion in Drupal Security Kit's CSP violation report handling allows HTTP DoS via malformed reports; fixed in version 2.0.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a type confusion issue in the Drupal Security Kit module, specifically in the handling of Content Security Policy (CSP) violation reports. The module fails to sufficiently validate input in these reports, causing errors when a logging module (e.g., dblog or syslog) attempts to parse the resulting log message containing invalid data. Affected versions include all releases before 2.0.3 for the 2.0.x branch and before 7.x-1.13 for the 7.x-1.x branch. The vulnerability is only reachable if the site has seckit's CSP reporting functionality enabled [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted CSP violation report to a Drupal site that has the Security Kit module installed with CSP reporting enabled. No authentication is required. The attacker sends a specially crafted HTTP request containing a malformed CSP violation report; the module logs it, and the logging module then fails to parse the resulting log message containing the invalid data, leading to errors that can exhaust resources or crash the site [1].
Impact
Successful exploitation results in a denial of service (DoS) via HTTP, affecting the availability of the Drupal site. Confidentiality and integrity are not compromised. The Drupal Security Team rates this as "Less critical." The attacker can cause the site to become unresponsive or crash due to errors in log processing [1].
Mitigation
The fix is available in Security Kit version 2.0.3 for the 2.0.x branch and version 7.x-1.13 for the 7.x-1.x branch. Users should upgrade immediately. If upgrading is not possible, disabling CSP reporting functionality in the module's configuration can serve as a workaround. Note that recent versions of Drupal 10 and 11 core are not vulnerable due to improved parsing of log messages [1].
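The defensive pattern behind the fix is to validate the shape and types of a CSP violation report before any of its fields reach the logger. The following is an added, illustrative validator written for this advisory, not code from the Security Kit module; the field allow-list, size caps and log format are assumptions, and the sample reports in the test are constructed.

```python
import json
from typing import Optional

# Allow-list of fields in a report-uri style CSP report ({"csp-report": {...}}).
# Constructed for this example; tune per deployment.
STRING_FIELDS = ("document-uri", "referrer", "blocked-uri", "violated-directive",
                 "effective-directive", "original-policy", "disposition",
                 "source-file", "script-sample")
INT_FIELDS = ("status-code", "line-number", "column-number")
MAX_FIELD_LEN = 2048       # assumed cap so one report cannot bloat a log row
MAX_BODY_LEN = 64 * 1024   # assumed cap on the raw POST body


def parse_csp_report(body: bytes) -> Optional[dict]:
    """Return a sanitized report (str/int values only), or None if malformed."""
    if len(body) > MAX_BODY_LEN:
        return None
    try:
        data = json.loads(body)
    except ValueError:            # JSONDecodeError and bad UTF-8 both land here
        return None
    if not isinstance(data, dict) or not isinstance(data.get("csp-report"), dict):
        return None
    report = data["csp-report"]
    clean = {}
    for key in STRING_FIELDS:
        if key in report:
            value = report[key]
            if not isinstance(value, str):
                return None       # array/object/number where a string belongs: reject
            clean[key] = value[:MAX_FIELD_LEN]
    for key in INT_FIELDS:
        if key in report:
            value = report[key]
            if isinstance(value, bool) or not isinstance(value, int):
                return None       # bool subclasses int in Python; exclude it too
            clean[key] = value
    return clean


def format_log_message(clean: dict) -> str:
    """Build a one-line log entry; control characters are dropped so a report
    cannot forge extra log lines."""
    def safe(key: str) -> str:
        return "".join(ch for ch in str(clean.get(key, "-")) if ch.isprintable())
    return (f"CSP violation: directive={safe('violated-directive')} "
            f"blocked={safe('blocked-uri')} document={safe('document-uri')}")
```

Because every value handed to the logger is a plain string or integer, a report that substitutes an array or object for a field is rejected at the endpoint instead of producing a log entry the logging backend cannot parse.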
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: >=0.0.0, <2.0.3
- Drupal/Security Kit v5, range: 0.0.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.