On March 28, Drupal security team announced a highly critical unauthenticated remote code execution vulnerability in Drupal core. The vulnerability allows an attacker to leverage multiple attack vectors and take complete control of a website. The Drupal team estimates that, at the time of the announcement, over one million sites are affected – about 9% of Drupal sites. They also reported that, to their knowledge, it was not being actively exploited.
A highly critical security patch was released on March 29, and the message from the community was simple: Drop everything and patch now.
The new update fixes a remote code execution vulnerability that “potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.”
All it takes is for an anonymous user to visit a targeted page and they can see, modify and delete private data. No attacks have been detected yet, but the Drupal team and experts believe they will commence in short order.
Given the severity of the issue, the Drupal team has provided updates to older versions of the software it had stopped supporting.
The vulnerability was discovered by Jasper Mattsson, an employee of Drupal security auditing firm Druid.
The bug is being called Drupalgeddon2.
The security flaw is indeed a severe one, with the Drupal team assigning it a severity score of 21 (on a scale of 1 to 25).
Drupal affected by unauthenticated RCE flaw
The bug —tracked under the CVE-2018-7600 identifier— allows an attacker to run any code he desires against the CMS’ core component, effectively taking over the site.
The attacker doesn’t need to be registered or authenticated on the targeted site, and all the attacker must do is to access an URL.
The Drupal community has already nicknamed this bug as Drupalgeddon2 after the Drupalgeddon security bug (CVE-2014-3704, SQL injection, severity 25/25) disclosed in 2014 that led to numerous Drupal sites getting hacked for years afterward.
No PoC available. No attacks detected (yet).
There is no public proof-of-concept or exploit code currently available online, but researchers have already started digging through the Drupal patches to determine what was patched.
The Drupal team says it was not aware of any attacks exploiting the flaw when they published their security alert, but everyone from the official Drupal team to independent security researchers expect this vulnerability to enter active exploitation within hours or days.
EOLed Drupal 6 also affected
Besides fixes for Drupal’s two main branches —7.x and 8.x— the Drupal team announced patches for the ancient 6.x branch that was discontinued in February 2016.
Web firewall products are expected to receive updates in the following days to handle exploitation attempts.
Patching should not be ignored. Even the main Drupal homepage was taken down today for half an hour to apply the Drupalgeddon2 patch.
We recommend patching first, but if this isn’t possible applying mitigation solutions such as temporarily replacing a Drupal site with a static HTML page, so the vulnerable Drupal site would not serve the vulnerable URLs to visitors.
In addition, staging and in-dev Drupal installations should be updated or taken down completely until the patch can be applied.
Please contact us if you need further details or assistance with securing your Drupal site.