A highly critical remote code execution (RCE) vulnerability has been discovered in the core code of Drupal. By exploiting this vulnerability, attackers can execute arbitrary code or cause victim hosts to fetch remote payloads and execute them. This allows the attacker to remotely control the host or install malicious payloads, such as malware or web shells. Alert Logic® has observed attackers actively targeting this vulnerability with exploitation attempts.
Customers who run vulnerable versions of Drupal (Drupal 8.6.x and 8.5.x) that are publicly accessible from the open internet are at risk. Drupal 7 installations may also be at risk if they use a contributed module that exposes the same REST functionality.
This vulnerability, CVE-2019-6340, allows remote attackers to execute arbitrary PHP code on vulnerable servers by abusing the REST API framework of the Content Management System (CMS). It primarily affects hosts running Drupal 8; however, Drupal 7 installations may be vulnerable if they use modules that expose the same functionality.
A remote code execution vulnerability allows attackers to execute arbitrary code on the victim host. In practice this is likely to consist of commands that download and install persistence, such as malware or web shells. These malicious payloads could then be used to provide remote control over the victim host and to enable further attacks, such as data exfiltration or lateral movement onto other hosts in the network. Once exploited, this vulnerability allows attackers to take complete control of a vulnerable host.
Alert Logic Coverage
Network IDS: Alert Logic released signatures to detect exploitation of this threat as of February 25, 2019. Alert Logic security analysts are actively working to evaluate whether any observed exploitation attempts succeeded.
In addition, Alert Logic is actively developing scan coverage and web application firewall coverage for this threat. At this time, it is not expected that log detection is appropriate for this threat; however, Alert Logic will continue this assessment.
Recommendations for Mitigation
As per an advisory released by Drupal, a patch and additional information about the vulnerability and mitigation actions are available on the Drupal site. Drupal provides the following recommendations:
- If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
- If you are using Drupal 8.5.x, upgrade to Drupal 8.5.11.
- Be sure to install any available security updates for contributed projects after updating Drupal core.
- No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.
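The version thresholds above are simple to check across an estate. The following is an added example, not code from Alert Logic or Drupal: it reads the core version constant from a Drupal checkout (Drupal 8 declares it in core/lib/Drupal.php, Drupal 7 in includes/bootstrap.inc) and classifies the host against the fixed releases listed in the advisory. The function names and the sample inputs are this example's own.

```python
"""Classify a Drupal core version against the CVE-2019-6340 fixed releases."""
import re

# Fixed core releases per branch, taken from the Drupal advisory quoted above.
FIXED_RELEASES = {(8, 6): (8, 6, 10), (8, 5): (8, 5, 11)}

# Drupal 8 declares its version in core/lib/Drupal.php:  const VERSION = '8.6.9';
# Drupal 7 declares it in includes/bootstrap.inc:       define('VERSION', '7.64');
_VERSION_RE = re.compile(
    r"(?:const\s+VERSION\s*=|define\(\s*'VERSION'\s*,)\s*'(\d+(?:\.\d+)*)")


def parse_version(source_text):
    """Return the version as an int tuple, e.g. (8, 6, 9), or None if not found."""
    match = _VERSION_RE.search(source_text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def assess(version):
    """Map a version tuple to: vulnerable, patched, check-modules or not-in-advisory."""
    major = version[0]
    if major == 7:
        # Core is not affected, but contributed modules exposing the same REST
        # functionality need their own updates (see the recommendations above).
        return "check-modules"
    branch = tuple(version[:2])
    if major != 8 or branch not in FIXED_RELEASES:
        return "not-in-advisory"   # e.g. end-of-life 8.4.x: no fix published
    # Pad short strings such as '8.6' (dev snapshots) so they compare as the branch start.
    padded = tuple(version) + (0,) * (3 - len(version))
    return "patched" if padded >= FIXED_RELEASES[branch] else "vulnerable"


def assess_source(source_text):
    """Parse then assess; 'unknown' when no version string is present."""
    version = parse_version(source_text)
    return "unknown" if version is None else assess(version)


# Constructed sample inputs standing in for the real files on a few hosts.
SAMPLES = {
    "web-1 core/lib/Drupal.php": "class Drupal {\n  const VERSION = '8.6.9';\n}",
    "web-2 core/lib/Drupal.php": "class Drupal {\n  const VERSION = '8.6.10';\n}",
    "legacy includes/bootstrap.inc": "define('VERSION', '7.64');",
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        print(f"{host}: {assess_source(text)}")
```

A result of "not-in-advisory" means the branch is not one the advisory lists a fix for and needs a manual decision, not that the host is safe.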
If you believe you may have been breached, Drupal provides a recommended series of actions to take.
This section will be updated with new information about this Drupal RCE vulnerability and related Alert Logic coverage as it becomes available.
02/26/2019: Vulnerability scan coverage is now available to identify vulnerable assets.