New Drupal RCE vulnerability under active exploitation, patch ASAP!

New WAF attack timelines show the start and end of a threat.
No more logs. See how →

Yet another Drupal remote code execution vulnerability has been patched by the Drupal security team, who urge users to implement the offered updates immediately as the flaw is being actively exploited in the wild.

The vulnerability (CVE-2018-7602) affects Drupal versions 7.x and 8.x. Users should upgrade to v7.59 and 8.5.3.

Those who, for whatever reason, can’t implement the update can implement standalone patches, but before doing so they have to apply the fix from SA-CORE-2018-002 (dating back to March 28, 2018).

Drupal CVE-2018-7602

Drupal CVE-2018-7602 and CVE-2018-7600

This is the second time in less than a month that a critical remote code execution flaw has been plugged.

The first one – CVE-2018-7600 – affected Drupal 8, 7, and 6 sites, estimated to number approximately one million.

Although the flaw was discovered and responsibly disclosed by a researcher, it didn’t take long for attackers to develop an exploit once the security updates and patches had been released.

“Sites not patched by Wednesday, 2018-04-11 may be compromised. This is the date when evidence emerged of automated attack attempts. It is possible targeted attacks occurred before that,” the Drupal security team recently shared.

“With the March update, Drupal added a global sanitation function. This approach is often difficult to implement correctly,” SANS ISC CTO Johannes Ullrich commented.

“It is very difficult to sanitize and validate data before it is clear how it is being used, in particular if this is done for an existing and complex application like Drupal. We will see how this will work for Drupal in the long run.”

The second flaw – CVE-2018-7602 – is related to the previous one, was unearthed by the same researcher and members of the Drupal security team, and is also being actively exploited in the wild.

Attacks in the wild

China-based Netlab 360 recently observed a large number of scans on the internet against CVE-2018-7600.

The attackers search for vulnerable Drupal installations, exploit the flaw, and install cryptocurrency miners and DDoS-capable software on the compromised servers, as well as backdoors that make it possible for them to access the system whenever they want.

It is to be expected that CVE-2018-7602 will be exploited with the same goals in mind.

The Drupal team warns that, once the critical updates/patches are installed, administrators should check whether their installation has been compromised and a backdoor installed on the host.

“Simply updating Drupal will not remove backdoors or fix compromised sites. You should assume that the host is also compromised and that any other sites on a compromised host are compromised as well,” they noted.

“If you find that your site is already patched, but you didn’t do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.”

Instructions on what users should do if they find their Drupal site has been hacked are available here.

Are you protecting your users and sensitive O365 data from being leaked? Learn how Specops Authentication for O365 can help.