AES – Critical – Unsupported – SA-CONTRIB-2017-027

  • Advisory ID: DRUPAL-SA-CONTRIB-2017-027
  • Project: AES encryption (third-party module)
  • Version: 7.x, 8.x
  • Date: 2017-March-01

Description

This module provides an API that allows other modules to encrypt and decrypt data using the AES encryption algorithm.

The module does not follow requirements for encrypting data safely. An attacker who gains access to data encrypted with this module could decrypt it more easily than should be possible. The maintainer has opted not to fix these weaknesses. See solution section for details on how to migrate to a supported and more secure AES encryption module.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • All versions of the AES module

Drupal core is not affected. If you do not use the contributed AES encryption module, there is nothing you need to do.

Solution

If you’re using the AES only because Drupal Remote Dashboard (DRD) and Drupal Remote Dashboard Server (DRD Server) depend on it, then update to the latest versions of DRD or DRD Server and disable the AES module — those modules no longer depend on it.

In all other situations, you can replace the AES module with the Real AES module:

  • If you don’t have a recent backup, make a backup of your site’s database and codebase. Consider taking your site offline (e.g. using Drupal’s maintenance mode) as some features may not work properly during this upgrade process.
  • Do NOT follow the normal uninstall process for the AES module. The uninstall process would delete your encryption key and make it impossible to recover your data! Instead, disable the module and delete the AES module directory without uninstalling the module.
  • Download and extract the latest release of Real AES
  • Download and extract the latest release of Key
  • Enable the Real AES, Key and AES compatibility modules
  • Use the Key module to create a new 128-bit encryption key with the name “Real AES Key”.
  • Clear all your Drupal caches.
  • Modules that depend on AES and store encrypted data will continue to function as normal. They should decrypt and re-encrypt any stored data. The Real AES module provides some functions from the AES module (like, aes_encrypt() and aes_decrypt()) which can decrypt using your old key, but will re-encrypt using the new key and more correct AES encryption.

More detailed instructions available on the AES project page

Also see the AES encryption project page.

Reported by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Leave a Reply