Indusface Total Application Security - Drupal Core Multiple Remote Code Execution Vulnerabilities: Drupalgeddon2 & Drupalgeddon3

What is Drupalgeddon2 and Drupalgeddon3?

On March 28th, Drupal released a security update (SA-CORE-2018-002) fixing a critical remote code execution vulnerability (CVE-2018-7600) named Drupalgeddon2. It was followed on 25th April by a second security update (SA-CORE-2018-004) fixing another critical remote code execution vulnerability (CVE-2018-7602), named Drupalgeddon3.

These unauthenticated remote code execution vulnerabilities exist within multiple subsystems of Drupal 7.x and 8.x.

Drupalgeddon2: A remote user can send specially crafted data to trigger a flaw in the processing of “Renderable Arrays” in the Form API (used to represent the structure of most UI elements in Drupal, such as pages, blocks, nodes and more). The target system renders the user-supplied data and executes arbitrary code, which in turn allows complete take-over of affected websites.

Drupalgeddon3 also stems from improper input validation in the Form API (“Renderable Arrays”). As @_dreadlocked explains, the flaw can be triggered through the “destination” GET parameter of a URL that loads when a registered user initiates a request to delete a node, where a “node” is any piece of individual content, such as a page, article, forum topic or post. A successful attack could likewise allow remote attackers to execute arbitrary code and take over vulnerable websites completely.

CVE Details

What are the risks?

The vendor has confirmed that both vulnerabilities are being exploited in the wild. Because exploitation requires no user interaction, the flaws are easy to exploit. Successful exploitation allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations under the privileges of the user, affecting sites running Drupal versions 8, 7 and 6 (note that Drupal 6 is no longer supported).

According to an FAQ post written by the Drupal security team, over one million sites are affected by Drupalgeddon2. China-based Netlab 360 recently observed a large number of internet-wide scans for CVE-2018-7600.

Security researchers noted that attackers developed automated exploits leveraging the Drupalgeddon2 vulnerability to inject cryptocurrency miners, backdoors and other malware into websites within hours of its details and PoCs becoming public.

The release of a PoC for the newer Drupal flaw, CVE-2018-7602, puts affected sites under attack once again.

Severity: Critical

CVSSv2: Base Score 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSSv3: Base Score 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Do I need to worry about it?

Vendor security patches have been released, and all Drupal website administrators are strongly advised to update their sites to the latest version of the software as soon as possible.

Mitigation:

  • Upgrade to the most recent version of Drupal 7 or 8 core.
  • If you are running 7.x, upgrade to Drupal 7.59.
  • If you are running 8.5.x, upgrade to Drupal 8.5.3.
  • If you are running 8.4.x, upgrade to Drupal 8.4.8.
  • If you are running 8.3.x, upgrade to Drupal 8.3.9.

Drupal issued updates for the 8.3.x and 8.4.x branches even though they are no longer supported, which indicates the severity of the vulnerability. Note that the new patches only work if your site has already applied the patches for the Drupalgeddon2 flaw.

  • Follow the generic guide for fixing a compromised site.
  • Temporarily replacing your Drupal site with a static HTML page is an effective mitigation.
  • For staging or development sites, you could disable the site or turn on a "Basic Auth" password to prevent access to the site.

Indusface Web Application Scanning (WAS) scans the server and can identify this vulnerability by detecting vulnerable versions of Drupal.
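As an added illustration of such a version-based check (example code written for this page, not Indusface's scanner or Drupal's own code), the following Python classifies a Drupal core version against the fixed releases listed in the mitigation section above. The Drupalgeddon2 fix levels (7.58, 8.5.1, 8.4.6, 8.3.7) are taken from the vendor's SA-CORE-2018-002 advisory and are not quoted on this page.

```python
import re
from typing import Optional, Tuple

# Fixed releases per branch from SA-CORE-2018-004 (the upgrade targets listed above).
FIXED_DRUPALGEDDON3 = {"7": (7, 59), "8.3": (8, 3, 9), "8.4": (8, 4, 8), "8.5": (8, 5, 3)}
# Fixed releases from the earlier SA-CORE-2018-002 advisory (Drupalgeddon2); these
# numbers are not on this page and are taken from that vendor advisory.
FIXED_DRUPALGEDDON2 = {"7": (7, 58), "8.3": (8, 3, 7), "8.4": (8, 4, 6), "8.5": (8, 5, 1)}

# Drupal 7 declares its version in includes/bootstrap.inc (define('VERSION', '7.58'));
# Drupal 8 declares it in core/lib/Drupal.php (const VERSION = '8.5.2';).
SOURCE_VERSION_RE = re.compile(r"""(?:define\(\s*'VERSION'\s*,\s*|const\s+VERSION\s*=\s*)['"]([^'"]+)['"]""")
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '7.58' or '8.5.2' into a comparable tuple; None if unparseable."""
    m = VERSION_RE.match(text)
    return tuple(int(p) for p in m.groups() if p is not None) if m else None


def version_from_source(php_source: str) -> Optional[str]:
    """Extract the version string from Drupal's bootstrap.inc or Drupal.php."""
    m = SOURCE_VERSION_RE.search(php_source)
    return m.group(1) if m else None


def assess(version_text: str) -> str:
    """Classify a Drupal core version against the two Drupalgeddon advisories."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    if v[0] <= 6:
        return "unsupported"  # Drupal 6 is end-of-life: no vendor fix exists
    if v[0] >= 9 or (v[0] == 8 and v[1] >= 6):
        return "patched"  # branches released after both advisories
    branch = "7" if v[0] == 7 else f"8.{v[1]}"
    if branch not in FIXED_DRUPALGEDDON3:
        return "unsupported"  # 8.0-8.2 received no fix; upgrade the branch
    if v < FIXED_DRUPALGEDDON2[branch]:
        return "vulnerable to Drupalgeddon2 and Drupalgeddon3"
    if v < FIXED_DRUPALGEDDON3[branch]:
        return "vulnerable to Drupalgeddon3 only"
    return "patched"


if __name__ == "__main__":
    # Constructed sample: the version line from a Drupal 8.5.2 core/lib/Drupal.php.
    sample = "class Drupal {\n  const VERSION = '8.5.2';\n}\n"
    found = version_from_source(sample)
    print(found, "->", assess(found))
```

Point `version_from_source` at the contents of the site's `includes/bootstrap.inc` (Drupal 7) or `core/lib/Drupal.php` (Drupal 8) to check an installation you administer.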

The Indusface Total Application Security (TAS) platform protects against exploitation of web application layer vulnerabilities by external traffic and protects against this vulnerability through customized rules.