Drupal Core Remote Code Execution

Drupal Core Remote Code Execution


Overview

A vulnerability has been discovered within multiple subsystems of Drupal 7.x and 8.x. Drupal is a free and open source content management framework. Successful exploitation of this vulnerability could allow for remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights leading to a complete compromise of the site.

Threat Intelligence

The Masergy Threat Intelligence Team is not aware of any exploitation of this vulnerability being reported. Because the vulnerability can be exploited without authentication and allows remote code execution, it is highly likely that threat actors will develop and utilize exploits targeting this vulnerability.

Technical Summary

This is a remote code execution vulnerability that effects multiple subsystems within Drupal leading to a complete site compromise. The vulnerability has been designated as CVE-2018-7600, which can be exploited by any anonymous (unauthenticated) user by sending a maliciously crafted request. Based on the latest Git commit in the patched version, previous versions of Drupal lacked proper sanitization for GET request query parameters, POST request body data, and cookie values. As of this time, a technical breakdown from the development team has not been publicly posted.

Recommendations

We recommend the following actions be taken:

  • Upgrade to one of the non-impacted versions of Drupal (8.5.1, 8.4.6, 8.3.9, or 7.58).
  • If you are unable to update your website, the Drupal team recommends converting your website to static HTML pages and disabling access to any Drupal pages.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

References

Vulnerabilities

  • CVE-2018-7600 – Drupal Risk Score 21/25 (Highly Critical)

Systems Affected

  • Drupal 7.x(ISA)
  • Drupal 8.x(ISA)