This report was fully disclosed on 21 January 2020

Summary

chenmed.com appears to be running an outdated build of Drupal. The build running at the time of this report appears to be 8.6.10. Additionally the chenmedicalcenters.com, dedicated.care, and jencaremed.com sites all appear to be running the same outdated version of Drupal.

As Drupal version 8.6.10 was released several months ago, there are 5 security advisories that affect it. 4 of these advisories are marked as “Moderately critical” with 1 being marked as “Critical”.

Proof of Concept

Although no attempt to exploit any of the applicable vulnerabilities was made, the following details the process of identifying which build is likely to be running.

We can determine that the current build of chenmed.com is 8.6.10 as line 657 of index.html shows /core/misc/drupal.js?v=8.6.10

Remediation Status

At the time of publishing this report the reported issue has been resolved.

Response From Affected Party

Response From edw[email protected] 20 September 2019

Good Morning GlitchWitch, Hope all is well with you. Thank you for reaching out and providing information regarding our websites. Still being relatively new to ChenMed, I am reviewing all aspects of the company’s information security. Regarding your findings, our web team provided the following response…


The Critical vulnerability only affects version 8.7.4, no versions below or above it. The moderately critical ones either require admin rights to exploit, are related to only certain modules/themes or are provided only as a precaution.

I’ve been keeping an eye at the vulnerabilities list and making sure they aren’t likely to cause any issues. Nonetheless, I understand that there’s a need to update the core and dependencies of our applications. Considering this, I asked our Drupal installations team to update the core Drupal applications, which was completed today. I will be scheduling a release with the updates for 9/24.


Once I perform further investigation, there may be opportunities to engage your skills. Let’s stay in touch.

Thank you again,

Timeline

  • 4 September 2019: Affected Party Notified
  • 20 September 2019: Affected Party Responded (+16 days)
  • 24 September 2019: Affected Party Released Patch (+20 days)
  • 21 January 2020: Report Published (+139 days)