Scapy-Sploit, Plugin Problems and the Year of Drupal

A Python network tool, Scapy, is vulnerable to denial-of-service (DoS) attacks, according to research published by Imperva. The company also released its 2018 State of Web Application Vulnerabilities, which found that injections represented 19% of the total vulnerabilities in 2018, while plugins were the root cause of 98% of the vulnerabilities in WordPress.

In the latest version of Scapy, the algorithm used to determine the type of network packet relies on port numbers, but the packet type can easily be spoofed.

According to researchers, “The vulnerability occurs when Scapy is tricked into thinking a network packet is a RADIUS packet. The vulnerability is due to a lack of input validation when reading the length field in the RADIUS packet’s Attribute Value Pairs (AVP). This can cause an infinite loop in the following code section if a certain byte is set to zero.”
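The missing check the researchers describe can be seen in a stand-alone attribute walker. This is an added example, not Scapy's code or Imperva's; it assumes the RFC 2865 attribute layout (Type, Length, Value, with Length counting its own two header bytes) and that the zeroed byte is the length byte, and the function names and sample bytes are constructed for illustration.

```python
# Added example: stand-alone RADIUS attribute (AVP) walker; not Scapy's code.
# Per RFC 2865 each attribute is Type (1 byte), Length (1 byte), Value, and
# Length counts the Type and Length bytes themselves, so it can never be < 2.

AVP_HEADER_LEN = 2


def naive_walk(attrs: bytes, max_steps: int = 1000) -> bool:
    """Trust the length byte. Returns False if the walk fails to finish
    within max_steps (the cap exists only so this demo terminates)."""
    offset = 0
    for _ in range(max_steps):
        if offset + AVP_HEADER_LEN > len(attrs):
            return True              # reached the end of the buffer
        offset += attrs[offset + 1]  # length 0 => offset never advances
    return False


def parse_avps(attrs: bytes) -> list:
    """Validate every length before using it; raise ValueError otherwise."""
    out = []
    offset = 0
    while offset < len(attrs):
        if len(attrs) - offset < AVP_HEADER_LEN:
            raise ValueError(f"truncated AVP header at offset {offset}")
        avp_type, length = attrs[offset], attrs[offset + 1]
        if length < AVP_HEADER_LEN:
            raise ValueError(f"AVP length {length} < 2 at offset {offset}")
        if offset + length > len(attrs):
            raise ValueError(f"AVP at offset {offset} overruns the buffer")
        out.append((avp_type, attrs[offset + AVP_HEADER_LEN:offset + length]))
        offset += length             # always advances by at least 2
    return out


# Constructed sample inputs (not captured traffic).
# Type 1 = User-Name, type 4 = NAS-IP-Address.
GOOD = bytes([1, 5]) + b"bob" + bytes([4, 6, 10, 0, 0, 1])
ZERO_LEN = bytes([1, 5]) + b"bob" + bytes([4, 0, 10, 0, 0, 1])  # length zeroed

if __name__ == "__main__":
    print(parse_avps(GOOD))
    print("naive walk finished:", naive_walk(ZERO_LEN))
    try:
        parse_avps(ZERO_LEN)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting any length below the header size guarantees the offset grows on every pass, which is the property the unvalidated loop lacks.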

In addition to the vulnerability in this tool, web application vulnerabilities are trending upward and WordPress vulnerabilities have tripled* since 2017. Still, Drupal vulnerabilities were exploited en masse, targeting hundreds of thousands of sites throughout 2018.

There was, however, some good news regarding other web app vulnerabilities. Last year saw a decline in the number of both internet of things (IoT) and PHP vulnerabilities, as well as in vulnerabilities related to weak authentication. Still, API vulnerabilities did show some growth. In fact, 2018 saw a total of 264 API vulnerabilities, up 23% from the 214 reported in 2017.

“The overall number of new vulnerabilities in 2018 (17,142) increased by 21% compared to 2017 (14,082) and by 159% compared to 2016 (6,615). According to our data, more than half of web application vulnerabilities (54%) have a public exploit available to hackers. In addition, more than a third (38%) of web application vulnerabilities don’t have an available solution, such as a software upgrade workaround or software patch,” the report stated.

When looking at content management systems (CMSs), attackers spent much of their time targeting WordPress, which is used by 59% of all websites using a known CMS, according to the report. “Although Drupal is the third-most popular CMS, two of its vulnerabilities, CVE-2018-7600 and CVE-2018-7602, were the root cause of many security breaches in hundreds of thousands of web servers in 2018. These vulnerabilities allowed an unauthenticated attacker to remotely inject malicious code and run it on default or common Drupal installations.”

*UPDATE* The original report stated the number of WordPress vulnerabilities reported tripled in the last year, though the correct data point is the number of WordPress vulnerabilities reported increased by 30% in the last year. Below is an update provided by Imperva:

What happened?

The raw data that we had from our systems was correct. However, we discovered a data transfer error in the process of creating the charts that affected the 2017 numbers.

What did we do?

In addition to fixing the error, we double checked all the charts and the data in our report to make sure they are correct.

Imperva takes great pride in its work and is deeply apologetic that this error has occurred. We wanted to make you aware of this error in the initial report we sent through to you – in an effort to be transparent and accurate.
