Applying patch to protect against CVE-2017-2641

by B J -
Number of replies: 18

I see this patch:

https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58010

is listed by this blog (http://netanelrub.in/2017/03/20/moodle-remote-code-execution/), which goes into great detail regarding a vulnerability that looks like it affects all Moodle versions.

Is this patch only in the upcoming 3.3? Or can it be applied to older versions of Moodle?

In reply to B J

Re: Applying patch to protect against CVE-2017-2641

by Mike Churchward -

The patch has already been released in the latest versions listed here - https://moodle.org/mod/forum/discuss.php?d=349419#p1409805.

In reply to Mike Churchward

Re: Applying patch to protect against CVE-2017-2641

by James McLean -

I haven't digested the posted article completely as yet, but Marina's advisory states on 3.1, it is only exploitable by admin/manager and via the API. More specific details around this would be appreciated.

Is there no mitigation we can apply until we are able to patch?

In reply to B J

Re: Applying patch to protect against CVE-2017-2641

by Marina Glancy -

The patch for this issue is included in the last minor release, as Mike said. Netanel was kind enough not to disclose the exploit scenario until the public announcement, which was done yesterday, a week after the release (as usual).

A very simple search by the issue number on GitHub returns:

Commit in master branch: https://github.com/moodle/moodle/commit/6e65554ea19f4e90c09864081e47424f8efca02e

Commit in 3.2 branch: https://github.com/moodle/moodle/commit/ca3cbbc2334840f94f5e9622699666c10835241d

Commit in 3.1 branch: https://github.com/moodle/moodle/commit/36706f5b983a057f156f87b3de104569b82ddf03

Commit in 3.0 branch: https://github.com/moodle/moodle/commit/0833e7cfc75c88808257d33d1cd5eb3518150eb0

Commit in 2.7 branch: https://github.com/moodle/moodle/commit/b34eca2f9eb10c3d8519c9068fe40863de3f3bf1

As you can see, in 2.7, 3.0 and 3.1 only two web services are affected. They check the capabilities 'moodle/user:create' or 'moodle/user:update', which are normally given to managers or users who manage other users in the system. Hopefully they are trusted users. Besides, these two web services are neither accessible by AJAX nor part of Mobile and therefore are not enabled by default. The impact of this security issue on these versions is not very big, but it still exists.

For Moodle 3.2 this is a very serious security vulnerability and everybody must upgrade as soon as possible. There is also another serious issue in the same release.


I want to remind everybody that Moodle follows a fixed release schedule, and security issues are fixed in minor releases that come out on the second Monday of January, March, May, July, September and November (odd months). Even if we delay the major releases (second Monday of May and November), the minors still come out on the scheduled dates. This allows our users to plan upgrades in advance and keep their installations secure.

In reply to Marina Glancy

Re: Applying patch to protect against CVE-2017-2641

by Daniel Poggenpohl -

Hi,

We're currently running Moodle 2.8.5+ and are in the process of upgrading to Moodle 3.2. We're dealing with custom Moodle code during the upgrade, so we can't just go and patch our systems.

The commits above are for the 2.7 and 3.0 branches of Moodle. We are currently comparing the two commits and are trying to extract the necessary code changes to make in our Moodle 2.8.5 installation.

We hope that is the right way to go about doing this. Any pointers?

In reply to Daniel Poggenpohl

Re: Applying patch to protect against CVE-2017-2641

by Marina Glancy -

The commits for 2.7 and 3.0 are very similar; you can try to cherry-pick either of them. You don't need the changes to the unit tests if you just apply the patch, so that can save some time merging.

In reply to Marina Glancy

Re: Applying patch to protect against CVE-2017-2641

by sara HHH -

Many thanks, dear Marina,

For Moodle 3.1.1, is it enough to apply these 6 changed files from https://github.com/moodle/moodle/commit/36706f5b983a057f156f87b3de104569b82ddf03 for security, or shall I do something extra?

Many thanks

In reply to sara HHH

Re: Applying patch to protect against CVE-2017-2641

by Marina Glancy -

The severity of this security issue on 3.1 is not very big, as I described above. If web services are not enabled on your site it does not affect you at all. I would worry more about MSA-17-0009 from the last release, which allows any registered user to execute XSS.

Why don't you just upgrade your 3.1.1 to 3.1.5 and pick ALL security fixes from https://moodle.org/security/ ?

In reply to Marina Glancy

Re: Applying patch to protect against CVE-2017-2641

by Pooja Ambre -

Hi Marina,

Thank you for the details. I have Moodle version 2.9 installed; can I use the same patch as for version 2.7? Could you please advise?

Thanks in advance!

Regards,

Pooja

In reply to Marina Glancy

Re: Applying patch to protect against CVE-2017-2641

by Kristian C -

As you can see, in 2.7, 3.0 and 3.1 only two web services are affected. They check capabilities 'moodle/user:create' or 'moodle/user:update' that are normally given to managers or users who manage other users in the system. Hopefully they are trusted users. Besides, these two web services are neither accessible by AJAX nor part of Mobile and therefore are not enabled by default. Impact of this security issue on these versions is not very big but it still exists.

I realise that this wouldn't be a best practice, but if the vulnerabilities for Moodle 2.7, 3.0, and 3.1 are limited to moodle/user:create and moodle/user:update, could I limit my vulnerability by prohibiting those capabilities for all non-admins until I've patched?

In reply to Kristian C

Re: Applying patch to protect against CVE-2017-2641

by Marina Glancy -

Kristian, yes.

Another quick patch is to comment out these two lines: 1, 2

In reply to Marina Glancy

Re: Applying patch to protect against CVE-2017-2641

by Kristian C -

One more quick follow-up... Would disabling web services mitigate this risk on all versions, or just 3.2?

The severity of this security issue on 3.1 is not very big as I described above. If web services are not enabled on your site it does not affect you at all. I would worry more about MSA-17-0009 from the last release that allows to execute XSS for any registered user.

In reply to Kristian C

Re: Applying patch to protect against CVE-2017-2641

by Mike Churchward -

On 3.2, this is an issue in the UI. Disabling web services will not help on 3.2.

Disabling web services will mitigate the risk below 3.2.

mike

In reply to Mike Churchward

Re: Applying patch to protect against CVE-2017-2641

by Kristian C -

Hi Mike, 

Thanks for the quick turnaround. I should have chosen my words more carefully. When you say "mitigate", do you mean that it reduces the risk on versions below 3.2 or that it eliminates the risk on versions below 3.2?

Thanks again

In reply to Kristian C

Re: Applying patch to protect against CVE-2017-2641

by Mike Churchward -

"My understanding" is that below 3.2, the risk is only through web services, and only by privileged users. Turning off the services for those versions should eliminate the risk.

In reply to Mike Churchward

Re: Applying patch to protect against CVE-2017-2641

by Marina Glancy -

Version 3.2 - disabling web services will NOT fix the problem. You must apply the patch. As a temporary workaround, remove the capability 'moodle/user:editownmessageprofile' from the authenticated user role, but this will also prevent users from editing their messaging preferences, so it cannot be used as a long-term solution.

Version 3.1 and earlier - either patch your code as I recommended above, disable web services, or do nothing; check which of your users have the capabilities to create or update other users and make sure you trust them not to break your server. I'm sure you don't issue these capabilities to random people anyway.

I have also commented on another forum discussion about security issues with evidence of prior learning on 3.1 and 3.2.
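The checks described above (whether web services are on, who actually holds the user-management capabilities, and whether the 3.2 workaround took effect), as added audit queries against a Moodle database; these are not from the thread or from Moodle itself, and they assume the default mdl_ table prefix and Moodle's standard role tables.

```sql
-- Added audit queries (not from the thread or Moodle). Assumes the default
-- 'mdl_' table prefix; adjust if config.php sets a different $CFG->prefix.

-- 1. Pre-3.2 mitigation check: is the web service layer even enabled?
--    enablewebservices = '1' turns it on; webserviceprotocols lists enabled
--    protocols (e.g. 'rest'); siteadmins lists user ids that bypass all role checks.
SELECT name, value
  FROM mdl_config
 WHERE name IN ('enablewebservices', 'webserviceprotocols',
                'enablemobilewebservice', 'siteadmins');

-- 2. Who can reach the affected pre-3.2 web services? Every role that grants
--    moodle/user:create or moodle/user:update (permission 1 = CAP_ALLOW) and the
--    active users assigned to it. First-pass inventory only: it does not resolve
--    overrides in child contexts, and site admins (query 1) never appear here.
SELECT r.shortname          AS role,
       rc.capability,
       c.contextlevel,      -- 10 = system, 40 = category, 50 = course
       u.id                 AS userid,
       u.username,
       u.email
  FROM mdl_role_capabilities rc
  JOIN mdl_role             r  ON r.id  = rc.roleid
  JOIN mdl_role_assignments ra ON ra.roleid = rc.roleid
  JOIN mdl_context          c  ON c.id  = ra.contextid
  JOIN mdl_user             u  ON u.id  = ra.userid
 WHERE rc.capability IN ('moodle/user:create', 'moodle/user:update')
   AND rc.permission = 1
   AND u.deleted   = 0
   AND u.suspended = 0
 ORDER BY r.shortname, u.username;

-- 3. 3.2 workaround check: after removing the capability from the authenticated
--    user role, no row for that role should remain with permission 1.
SELECT r.shortname, rc.permission
  FROM mdl_role_capabilities rc
  JOIN mdl_role r ON r.id = rc.roleid
 WHERE rc.capability = 'moodle/user:editownmessageprofile';
```

Anyone returned by query 2 whom you would not trust with shell access to the server is a reason to patch before the next maintenance window rather than rely on the workaround.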

In reply to Marina Glancy

Re: Applying patch to protect against CVE-2017-2641

by Wolf Ventir -

Is commenting out these two lines a viable mitigation strategy for Moodle 2.5 and 1.9? I doubt a security patch will come out, so disabling the ability to update user prefs seems a valid strategy if that's what this does.

Thank you

In reply to Wolf Ventir

Re: Applying patch to protect against CVE-2017-2641

by Marina Glancy -

Yes, 2.5 is no longer supported even for security fixes so you have to patch it yourself.

Sorry, I do not know if these vulnerabilities are even present on 1.9 nor how to fix them.

In reply to Marina Glancy

Re: Applying patch to protect against CVE-2017-2641

by Nadav Kavalerchik -

If you are not using git to cherry-pick a security fix and are also not upgrading your entire system, you might consider using the following BASH script to download and apply the specific security commit patch for your current stable Moodle version for that specific MDL.

https://gist.github.com/nadavkav/de1adae835eb7310b339eff642a1cc41

You can use it as follows:

./get-security-patch-for-moodle.sh MOODLE_31_STABLE MDL-57596 --dry-run

And if it looks OK, just drop the "--dry-run".

Hope it helps

Btw, I think we should have some kind of Moodle core report of relevant security fixes for the currently running version, and have it available for the administrator to download and apply them, similar to the way we upgrade plugins, as I hardly see anyone upgrade their entire system, which in my neighborhood are highly customized and not easily upgradeable (well, it is not a simple "git rebase" at least).
