Drupal Targeted with RCE Exploits

Introduction By now, you’ve most likely heard of the two recent Drupal vulnerabilities disclosed. If you or your organization is running Drupal 7.x or 8.x, we highly recommend you stop reading and update it now. Drupal 7.5.9 and 8.5.3 has patched the critical vulnerabilities mentioned in this article. Link: How to update Drupal Link: Drupal…

Posted by: Jonathan

Introduction

By now, you’ve most likely heard of the two recent Drupal vulnerabilities disclosed. If you or your organization is running Drupal 7.x or 8.x, we highly recommend you stop reading and update it now. Drupal 7.5.9 and 8.5.3 has patched the critical vulnerabilities mentioned in this article.

Link: How to update Drupal
Link: Drupal 8.5.3 release notes
Link: Drupal 7.5.0 release notes

It’s not uncommon for WordPress, Drupal and other Content Management Systems (CMS) to have vulnerabilities on a higher rate than other services due to their wide use. In fact, the Verizon’s DBIR report states that Brute Forcing was the no. 1 attack vector detected by IPS during their 2018 research.

The Vulnerabilities

Update: Attackers have found a new way to bypass Drupal 8.5.2 and trigger the Drupalgeddon vulnerability once again. The Drupal team has already addressed the new vulnerabilities and have released patches for this.

There are two major vulnerabilities that have been discovered in Drupal in less than a month. The first vulnerability dubbed Drupalgeddon2 (CVE-2018-7600) allows anonymous or unauthenticated users to execute arbitrary code on the system.

As mentioned by CheckPoint, Drupalgeddon2 leverages improper input validation within renderable array in forms. An example of the vulnerable renderable array field group or structure can be seen below. An attacker can craft a malicious request to leverage this vulnerability and execute arbitrary code on the affected system. Multiple exploits have already been released and are being used in the wild.

[
'#type' => 'markup',
'#title' => 'test',
'#markup' => 'echo "hello world" | tee hello.txt',
]

The latest vulnerability identified in Drupal originates from a plugin named CKEditor. CKEditor posted knowledge of the vulnerability along with a patch on Tuesday, April 18, 2018. The vulnerability itself is a Cross-Site Scripting (XSS) vulnerability due to improper validation of the HTML img tag present in Enhanced Image plugin for CKEditor 4.5.11 and later versions.

Recommendations

  • Update Drupal
  • Review and remove plugins not in use or needed. Although plugins introduce new functionalities to your CMS if not needed they should be removed completely.
  • Patch, patch, patch. Keep your CMS installations up-to-date at all times. Create policies and procedures around patch management to ensure consistency and that you are following security best practices.
  • Lastly, be proactive in testing your web applications including systems using CMS at least annually. It is always recommended to allow security experts to review your environment for logic flaws from an attacker’s perspective.

Leave a Reply

Your email address will not be published. Required fields are marked *