[IT-SecNots] [Security-news] AES - Critical - Unsupported - SA-CONTRIB-2017-027

[security-news AT drupal.org]

View online: https://www.drupal.org/node/2857028

  * Advisory ID: DRUPAL-SA-CONTRIB-2017-027
  * Project: AES encryption [1]     (third-party module)
  * Version: 7.x, 8.x
  * Date: 2017-March-01

-------- DESCRIPTION
---------------------------------------------------------

This module provides an API that allows other modules to encrypt and decrypt
data using the AES encryption algorithm.

The module does not follow requirements for encrypting data safely. An
attacker who gains access to data encrypted with this module could decrypt it
more easily than should be possible. The maintainer has opted not to fix
these weaknesses. See solution section for details on how to migrate to a
supported and more secure AES encryption module.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

  * /A CVE identifier [2] will be requested, and added upon issuance, in
    accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

  * All versions of the AES module

Drupal core is not affected. If you do not use the contributed AES encryption
[3] module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

If you're using the AES only because Drupal Remote Dashboard (DRD) [4] and
Drupal Remote Dashboard Server (DRD Server) [5] depend on it, then update to
the latest versions of DRD or DRD Server and disable the AES module -- those
modules no longer depend on it.

In all other situations, you can replace the AES module with the Real AES [6]
module:

  * If you don't have a recent backup, make a backup of your site's database
    and codebase. Consider taking your site offline (e.g. using Drupal's
    maintenance mode) as some features may not work properly during this
    upgrade process.
  * *Do NOT follow the normal uninstall process for the AES module.* The
    uninstall process would delete your encryption key and make it impossible
    to recover your data!  Instead, disable the module and delete the AES
    module directory *without uninstalling the module.*
  * Download and extract the latest release of Real AES [7]
  * Download and extract the latest release of Key [8]
  * Enable the Real AES, Key and AES compatibility modules
  * Use the Key [9] module to create a new 128-bit encryption key with the
    name "Real AES Key".
  * Clear all your Drupal caches.
  * Modules that depend on AES and store encrypted data will continue to
    function as normal. They should decrypt and re-encrypt any stored data.
    The Real AES module provides some functions from the AES module (like,
    aes_encrypt() and aes_decrypt()) which can decrypt using your old key, 
but
    will re-encrypt using the new key and more correct AES encryption.

*More detailed instructions available on the AES project page [10]*

Also see the AES encryption [11] project page.

-------- REPORTED BY
---------------------------------------------------------

  * Heine Deelstra [12] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and  securing your site [16].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]


[1] https://www.drupal.org/project/aes
[2] http://cve.mitre.org/
[3] https://www.drupal.org/project/aes
[4] https://www.drupal.org/project/drd
[5] https://www.drupal.org/project/drd_server
[6] http://drupal.org/project/real_aes
[7] http://drupal.org/project/real_aes
[8] http://drupal.org/project/key
[9] http://drupal.org/project/key
[10] https://www.drupal.org/project/aes
[11] https://www.drupal.org/project/aes
[12] https://www.drupal.org/user/17943
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news