Security News > 2018 > March > Drupalgeddon: Critical Flaw Exposes Million Drupal Websites to Attacks

Drupalgeddon: Critical Flaw Exposes Million Drupal Websites to Attacks
2018-03-29 04:47

All versions of the Drupal content management system are affected by a highly critical vulnerability that can be easily exploited to take complete control of affected websites in what may turn out to be Drupalgeddon 2.0. While analyzing the security of Drupal, Jasper Mattsson discovered a serious remote code execution flaw that impacts versions 6, 7 and 8. This represents more than one million websites that can be hacked by a remote and unauthenticated attacker. The security hole, tracked as CVE-2018-7600 and assigned a risk score of 21/25, can be exploited simply by accessing a page on the targeted Drupal website. Once exploited, it gives the attacker full control over a site, including access to non-public data and the possibility to delete or modify system data, Drupal developers warned. The vulnerability has been patched with the release of Drupal 7.58, 8.5.1, 8.3.9 and 8.4.6. While Drupal 6 has reached end of life and it’s not supported since February 2016, a fix has still been developed due to the severity of the flaw and the high risk of exploitation. Besides updating their installations to the latest version, users can protect their websites against attacks by making some changes to the site’s configuration. However, the required changes are “drastic.” “There are several solutions, but they are all based on the idea of not serving the vulnerable Drupal pages to visitors. Temporarily replacing your Drupal site with a static HTML page is an effective mitigation. For staging or development sites you could disable the site or turn on a ‘Basic Auth’ password to prevent access to the site,” Drupal developers said. Cloudflare also announced that it has pushed out a rule to its Web Application Firewall (WAF) to block potential attacks. While no technical details have been made public, Drupal believes that exploits targeting the vulnerability will be created within hours or days, which is why it alerted users of the flaw and an upcoming patch one week in advance. This appears to have been a good strategy, but many websites may still remain vulnerable for extended periods of time. In the case of the notorious Drupalgeddon vulnerability, hackers had used it to take control of websites nearly two years after a patch was released. While there haven’t been many reports of Drupal flaws being exploited in the wild since Drupalgeddon, one of the vulnerabilities patched in June 2017 by the developers of the CMS had been leveraged in some spam campaigns. Related: Flaw in Drupal Module Exposes 120,000 Sites to Attacks Related: Several Vulnerabilities Patched in Drupal (function() { var po = document.createElement("script"); po.type = "text/javascript"; po.async = true; po.src = "https://apis.google.com/js/plusone.js"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(po, s); })(); Tweet Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.Previous Columns by Eduard Kovacs:Drupalgeddon: Critical Flaw Exposes Million Drupal Websites to AttacksCritical Flaws Found in Siemens Telecontrol, Building Automation ProductsKaspersky Open Sources Internal Distributed YARA ScannerMicrosoft Patches for Meltdown Introduced Severe Flaw: ResearcherFirst OpenSSL Updates in 2018 Patch Three Flaws 2018 ICS Cyber Security Conference | USA [Oct. 22-25] Register for the 2018 CISO Forum at Half Moon Bay 2018 ICS Cyber Security Conference | Singapore [April. 24-26] sponsored links Tags: NEWS & INDUSTRY Virus & Threats Risk Management Vulnerabilities Management & Strategy


News URL

http://feedproxy.google.com/~r/Securityweek/~3/Vo9k44R8cho/drupalgeddon-critical-flaw-exposes-million-drupal-websites-attacks

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2018-03-29 CVE-2018-7600 Improper Input Validation vulnerability in multiple products
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
network
low complexity
drupal debian CWE-20
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Drupal 15 0 66 45 14 125