A remote code execution vulnerability has been reported in the third-party RESTWS module for the Drupal content management system. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the target server. Successful exploitation could allow the attacker to execute arbitrary code in the context of the web server process. Drupal core is not affected by this vulnerability.
- The attacker sends a malicious HTTP request to the target server.
- The target server handles the request via the page callback function and the attacker’s command is executed.
The attacker must be able to send crafted packets to the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with new signatures for this exploit. If one of these signatures is triggered, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upon discovery of an exploit attempt, customers are advised to perform the following actions:
- Isolate the compromised device from the network.
- Wipe and reinstall the device from secure media.
- Patch the vulnerability from a trusted source (or otherwise mitigate with firewall rules, configuration changes, etc.). Note that updating the RESTWS module to 7.x-2.6 will only mitigate the public PoC. The Metasploit PoC has been verified successfully on all versions of the module.
- Restore data from backups.
- Test the device.
- Return the compromised device to the network at full operation.