Drupal is a popular open source content management system (CMS). It is the platform used by millions of company websites and personal blogs around the world. Those millions of sites are at risk from an emerging threat identified by the Alert Logic threat research team.
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. The flaw is reachable through multiple attack vectors on a Drupal site and can result in the site being fully compromised.
There are actually two associated security vulnerabilities, both of which have been previously identified and published:
- CVE-2018-7600 was originally published by Drupal on March 28, 2018: Affected versions of Drupal are vulnerable to remote code execution via multiple paths throughout the codebase, because unauthenticated attackers are able to inject special variables (beginning with the character '#') without sanitization into certain form render arrays, as property keys. These variables are used internally by Drupal; manipulating them results in attacker-controlled strings being used as function names and parameters when the form arrays are rendered (via Ajax).
- CVE-2018-7602 was originally published by Drupal on April 25, 2018: Affected versions of Drupal are vulnerable to remote code execution via the same root cause as CVE-2018-7600, where the attacker can leverage the destination query string on suitable paths to again inject special property keys into certain form render arrays and gain execution when the array is rendered (via Ajax). The path must support destination queries via drupal_get_destination() or the redirect.destination service; the obvious such paths appear to require authentication. The root cause is that the fix for CVE-2018-7600 did not consider destination query string values when deciding which input to sanitize.
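The two sanitization gaps described above, turned into a defender-side check: an added Python example (not Drupal's own request sanitizer and not an Alert Logic signature) that parses a request's query string, flags any '#'-prefixed key at any nesting level of PHP-style array syntax, and also parses a `destination` parameter as its own URL so the input the first fix overlooked is covered. The log lines and key names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# PHP array syntax: name[seg1][seg2] -> every bracketed segment is a key too.
_SEGMENT_RE = re.compile(r'\[([^\]]*)\]')

def _segments(key: str) -> list:
    """Split a nested key such as form_id[#a][b] into ['form_id', '#a', 'b']."""
    return [key.split('[', 1)[0]] + _SEGMENT_RE.findall(key)

def find_hash_keys(query: str, depth: int = 0) -> list:
    """Return every '#'-prefixed key path found in a query string.

    Keys are inspected at every nesting level. A `destination` parameter
    (the path Drupal redirects to after a form submit) is split on its own
    '?' and its query string checked the same way, which is the case the
    CVE-2018-7600 fix missed. Depth is capped so nested destinations cannot
    recurse without bound. '?' is split manually rather than via urlsplit
    so a literal '#' in the value is not mistaken for a URL fragment.
    """
    found = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if any(part.startswith('#') for part in _segments(key)):
            found.append(key)
        if key == 'destination' and depth < 3:
            inner = value.partition('?')[2]
            found.extend('destination:' + k
                         for k in find_hash_keys(inner, depth + 1))
    return found

# Constructed access-log lines (not real traffic): one benign request, one
# direct '#' key, one '#' key hidden inside a once-encoded destination value.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Apr/2018:10:01:02 +0000] "GET /node/1 HTTP/1.1" 200 512',
    '10.0.0.6 - - [13/Apr/2018:10:01:03 +0000] '
    '"GET /?form_id%5B%23constructed%5D=1 HTTP/1.1" 200 231',
    '10.0.0.7 - - [13/Apr/2018:10:01:04 +0000] '
    '"GET /node?destination=/user%3Fq%5B%2523constructed%5D%3D1 HTTP/1.1" 302 0',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH) (\S+) HTTP/')

def flag_log_lines(lines: list) -> list:
    """Return (line, offending_keys) for each access-log line whose request
    target carries a '#'-prefixed key. Access logs hold only the query
    string; POST form bodies need the same check inside the application."""
    hits = []
    for line in lines:
        match = _REQUEST_RE.search(line)
        if match:
            keys = find_hash_keys(match.group(1).partition('?')[2])
            if keys:
                hits.append((line, keys))
    return hits
```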
Protecting against Drupal Vulnerability Exploits
Both vulnerabilities are in the core Drupal platform, not in associated plugins. Drupal acknowledges that these vulnerabilities are currently being exploited in the wild.
If you are using a vulnerable version of Drupal, you should update to a current version. Drupal recommends that customers running version 7.x update to Drupal 7.59, and customers running 8.5.x upgrade to Drupal 8.5.3. Drupal 8.4.x is no longer supported, but Drupal also developed a version 8.4.8 to resolve these issues. If you can’t update to a current version of Drupal, you can try to mitigate the risk in the short term with the Drupal 7.x or Drupal 8.x patches.
Any customer running a vulnerable version of Drupal is susceptible to these attacks. The Alert Logic Threat Manager intrusion detection system has had signatures capable of detecting exploitation attempts against both vulnerabilities in place since April 13, the date that exploit code first appeared. Alert Logic also has vulnerability scanning in place to detect customer assets that are at risk.
If you have any questions or concerns, feel free to comment or reach out to Alert Logic support. We will update this post if we learn any relevant new information.