Archives for August 2014

Drupal and WordPress Denial of Service

Drupal and WordPress frameworks are vulnerable to a denial of service condition within the XML-RPC service.

Details of the issue can be found here on the official sites for Drupal and WordPress. Basically the attack works by sending an XML-RPC call to the remote site with an initially small XML document. This element of the document is then iterated multiple times, expanding the document to an even larger size.

How does this work? Well, a small initial file of 200 KB will expand to 2.5 GB on the remote server due to a vulnerability called an XML Quadratic Blowup Attack. Attempting to parse multiple requests leads to all resources being consumed. This results in the application and even possibly the whole system falling over.

Using a simple proof of concept script it was possible to kill an entire site and underlying operating system within a few moments:

 

“System running out of memory. Availability of the system is in risk.”

 

Unless you have previously disabled XML-RPC or have patched your Drupal and WordPress frameworks in the last few days you are currently exposed to this denial of service attack and we would recommend that you update to the latest version of your framework as soon as possible.

GCHQ certifies Master’s Degrees in Cyber Security

Our CEO, David Stubley, has been quoted in a recent Information Security Magazine article regarding the launch of the GCHQ programme to certify Cyber Security University Master’s Degrees:

“As a highly technical security consultancy we are acutely aware of the skills gap that exists between academia and the commercial sector,” he told Infosecurity.“GCHQ looking to address this can only be a positive step and one we hope will lead to providing graduates with the skills that will enable them to become valued security professionals.”
The full article can be found here, with the full announcement from GCHQ here.