What is Drupal?
Drupal is one of the most popular Content Management Systems (CMS) around, allowing users to build custom websites with ease using thousands of themes and plugins. The rich features of the software attract a lot of organizations to use the platform for both internal and external web presence, online stores, blogs, etc.
Of course, as we’ve seen time and time again (especially with CMS), vulnerabilities that are discovered are quick to be weaponized by bad actors looking to target those organizations.
What Vulnerability Was Discovered?
A remote code execution (RCE) vulnerability was discovered by Samuel Mortenson from the Drupal security team. An RCE is just about as bad as a vulnerability gets, as it allows an attacker to run their own code or commands on the target server. For example, an attacker could output the /etc/shadow and /etc/passwd files on a Linux server to steal password hashes or even install a remote access tool to gain persistent access to the server.
According to the advisory by Drupal, the vulnerability exists because “Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.”
Who is Affected?
Technically speaking, this vulnerability affects:
- Sites running the Drupal 8 core RESTful Web Services module that allow GET, PATCH, or POST HTTP requests
- Sites that have another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7
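As an added example (not code from the Drupal advisory or from this post), the two conditions above can be turned into a triage check over a site inventory. The module machine names (rest, jsonapi, services, restws), the inventory layout and the example hosts are assumptions.

```python
# Added example: triage a site inventory against the "Who is Affected?" list.
# Assumed machine names: rest = Drupal 8 core RESTful Web Services,
# jsonapi = JSON:API, services / restws = Drupal 7 Services / RESTful Web Services.
RISKY_METHODS = {"GET", "PATCH", "POST"}
OTHER_WS_MODULES = {8: {"jsonapi"}, 7: {"services", "restws"}}


def exposure_reasons(site):
    """Return the listed conditions a site matches (empty list = none)."""
    major = site["drupal_major"]
    modules = {m.lower() for m in site.get("enabled_modules", [])}
    methods = {m.upper() for m in site.get("rest_methods", [])}
    reasons = []
    # Condition 1: Drupal 8 core REST enabled and accepting GET, PATCH or POST.
    if major == 8 and "rest" in modules:
        allowed = sorted(methods & RISKY_METHODS)
        if allowed:
            reasons.append("core REST enabled, allows " + "/".join(allowed))
    # Condition 2: another web services module enabled for this major version.
    for name in sorted(modules & OTHER_WS_MODULES.get(major, set())):
        reasons.append("web services module enabled: " + name)
    return reasons


def triage(inventory):
    """Map site name -> reasons, keeping only sites that match a condition."""
    results = {s["name"]: exposure_reasons(s) for s in inventory}
    return {name: r for name, r in results.items() if r}


# Constructed inventory (hypothetical hosts, not real data).
INVENTORY = [
    {"name": "shop.example", "drupal_major": 8,
     "enabled_modules": ["node", "rest", "serialization"],
     "rest_methods": ["GET", "POST"]},
    {"name": "blog.example", "drupal_major": 8,
     "enabled_modules": ["node", "views"], "rest_methods": []},
    {"name": "api.example", "drupal_major": 8,
     "enabled_modules": ["node", "jsonapi"], "rest_methods": []},
    {"name": "legacy.example", "drupal_major": 7,
     "enabled_modules": ["views", "Services"], "rest_methods": []},
    {"name": "intranet.example", "drupal_major": 8,
     "enabled_modules": ["rest"], "rest_methods": ["DELETE"]},
]

if __name__ == "__main__":
    for name, reasons in triage(INVENTORY).items():
        print(name + ": " + "; ".join(reasons))
```

The result only orders the patching work: sites that are not flagged still run the same core and still need the update.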
That said, Drupal has had a rough few years and there have been several very critical vulnerabilities including:
These vulnerabilities represent the worst of the worst for Drupal; however, there have been other vulnerabilities disclosed that require patches and validation testing as well.
To make matters worse, within about a day after the vulnerability was disclosed, the patch was reverse engineered, a proof of concept was published, and now researchers at Imperva have discovered that the attack is already being used in the wild. This is bad news for Drupal users as it greatly increases the urgency of patching and validation efforts.
TechGuard Security can test for all the Drupal vulnerabilities mentioned in this blog and more. We provide organizations with a detailed report that focuses on risk and remediation so that your business can decide where to focus your efforts and how best to resolve these issues.
Our goal is to continually improve your organization’s security program, and we do that by creating long-term relationships. Take a look at our service offerings and contact us today so that we can set up a Vulnerability Assessment for this and other vulnerabilities, as well as provide you with a practical remediation plan.
Written by Zach Turpen
Zach Turpen is a Cybersecurity Consultant at TechGuard Security, where he conducts penetration tests, vulnerability assessments and social engineering exercises, and develops detailed incident response procedures. With experience spanning over 6 years in a Fortune 100 environment, he is also CISSP, CEH, GSEC, Security+, Splunk, Rapid 7, ITIL and VMware certified. Zach graduated Summa Cum Laude from McKendree University with a bachelor’s degree in Computer Information Systems. He has worked on the front line of security as an Incident Responder, as a Lead Security Engineer implementing multi-million-dollar projects (SIEM, NGAV, Web Proxies, NGFW) and as a Security Architect migrating business applications to the cloud. In his spare time, Zach enjoys spending time with his two kids, gardening and kayak fishing.