CVE-2019-6340 - Deserialization of Untrusted Data vulnerability in Drupal
Summary
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
Exploit-Db
file | exploits/php/webapps/46459.py |
id | EDB-ID:46459 |
last seen | 2019-02-25 |
modified | 2019-02-25 |
platform | php |
port | |
published | 2019-02-25 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/46459 |
title | Drupal < 8.6.9 - REST Module Remote Code Execution |
type | webapps |

file | exploits/php/webapps/46452.txt |
id | EDB-ID:46452 |
last seen | 2019-02-23 |
modified | 2019-02-23 |
platform | php |
port | 80 |
published | 2019-02-23 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/46452 |
title | Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution |
type | webapps |

file | exploits/php/remote/46510.rb |
id | EDB-ID:46510 |
last seen | 2019-03-07 |
modified | 2019-03-07 |
platform | php |
port | |
published | 2019-03-07 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/46510 |
title | Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() RCE (Metasploit) |
type | remote |
Metasploit
description | This module exploits a PHP unserialize() vulnerability in Drupal RESTful Web Services by sending a crafted request to the /node REST endpoint. As per SA-CORE-2019-003, the initial remediation was to disable POST, PATCH, and PUT, but Ambionics discovered that GET was also vulnerable (albeit cached). Cached nodes can be exploited only once. Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of this alternate vector. Drupal < 8.5.11 and < 8.6.10 are vulnerable. |
id | MSF:EXPLOIT/UNIX/WEBAPP/DRUPAL_RESTWS_UNSERIALIZE |
last seen | 2020-06-12 |
modified | 2020-02-19 |
published | 2019-03-05 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/drupal_restws_unserialize.rb |
title | Drupal RESTful Web Services unserialize() RCE |
Nessus
NASL family | CGI abuses |
NASL id | DRUPAL_8_6_10.NASL |
description | According to its self-reported version, the instance of Drupal running on the remote web server is 8.5.x prior to 8.5.11, or 8.6.x prior to 8.6.10. It is, therefore, affected by a remote code execution vulnerability due to improper sanitization of data from non-form sources. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 122349 |
published | 2019-02-20 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/122349 |
title | Drupal 8.5.x < 8.5.11 / 8.6.x < 8.6.10 Remote Code Execution (SA-CORE-2019-003) |
code |

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(122349);
  script_version("1.9");
  script_cvs_date("Date: 2019/10/31 15:18:51");

  script_cve_id("CVE-2019-6340");

  script_name(english:"Drupal 8.5.x < 8.5.11 / 8.6.x < 8.6.10 Remote Code Execution (SA-CORE-2019-003)");
  script_summary(english:"Checks the version of Drupal.");

  script_set_attribute(attribute:"synopsis", value: "A PHP application running on the remote web server is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value: "According to its self-reported version, the instance of Drupal running on the remote web server is 8.5.x prior to 8.5.11, or 8.6.x prior to 8.6.10. It is, therefore, affected by a remote code execution vulnerability due to improper sanitization of data from non-form sources.");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/sa-core-2019-003");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/8.5.11");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/8.6.10");
  script_set_attribute(attribute:"solution", value: "Upgrade to Drupal version 8.5.11 / 8.6.10 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6340");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Drupal RESTful Web Services unserialize() RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/02/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/20");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("drupal_detect.nasl");
  script_require_keys("installed_sw/Drupal", "Settings/ParanoidReport");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include("vcf.inc");
include("http.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80, php:TRUE);

app_info = vcf::get_app_info(app:"Drupal", port:port, webapp:true);

vcf::check_granularity(app_info:app_info, sig_segments:2);

constraints = [
  { "min_version" : "8.5", "fixed_version" : "8.5.11" },
  { "min_version" : "8.6", "fixed_version" : "8.6.10" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_002B4B0535DD11E994A8000FFEC0B3E1.NASL |
description | Drupal Security Team Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 122372 |
published | 2019-02-22 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/122372 |
title | FreeBSD : drupal -- Drupal core - Highly critical - Remote Code Execution (002b4b05-35dd-11e9-94a8-000ffec0b3e1) |
code |

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2019 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(122372);
  script_version("1.7");
  script_cvs_date("Date: 2019/08/23 10:01:45");

  script_cve_id("CVE-2019-6340");

  script_name(english:"FreeBSD : drupal -- Drupal core - Highly critical - Remote Code Execution (002b4b05-35dd-11e9-94a8-000ffec0b3e1)");
  script_summary(english:"Checks for updated package in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote FreeBSD host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value: "Drupal Security Team Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.drupal.org/sa-core-2019-002"
  );
  # https://vuxml.freebsd.org/freebsd/002b4b05-35dd-11e9-94a8-000ffec0b3e1.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?01080f35"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Drupal RESTful Web Services unserialize() RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:drupal8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/02/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/22");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (pkg_test(save_report:TRUE, pkg:"drupal8<8.6.10")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
Packetstorm
data source | https://packetstormsecurity.com/files/download/151826/drupal869-exec.txt |
id | PACKETSTORM:151826 |
last seen | 2019-02-26 |
published | 2019-02-25 |
reporter | leonjza |
source | https://packetstormsecurity.com/files/151826/Drupal-8.6.9-REST-Remote-Code-Execution.html |
title | Drupal 8.6.9 REST Remote Code Execution |

data source | https://packetstormsecurity.com/files/download/151992/drupal_restws_unserialize.rb.txt |
id | PACKETSTORM:151992 |
last seen | 2019-03-07 |
published | 2019-03-06 |
reporter | wvu |
source | https://packetstormsecurity.com/files/151992/Drupal-RESTful-Web-Services-unserialize-Remote-Code-Execution.html |
title | Drupal RESTful Web Services unserialize() Remote Code Execution |

data source | https://packetstormsecurity.com/files/download/151820/drupalrest-exec.txt |
id | PACKETSTORM:151820 |
last seen | 2019-02-25 |
published | 2019-02-23 |
reporter | Charles FOL |
source | https://packetstormsecurity.com/files/151820/Drupal-REST-Module-Remote-Code-Execution.html |
title | Drupal REST Module Remote Code Execution |
Saint
bid | 107106 |
description | Drupal REST module command execution |
id | web_cms_drupal |
title | drupal_rest |
type | remote |
The Hacker News
id | THN:65D518D31260AD125ECCB39E84DA19B6 |
last seen | 2019-02-21 |
modified | 2019-02-21 |
published | 2019-02-21 |
reporter | The Hacker News |
source | https://thehackernews.com/2019/02/hacking-drupal-vulnerability.html |
title | Another Critical Flaw in Drupal Discovered — Update Your Site ASAP! |

id | THN:A14668C5F8BFE73FE48789D8CD947EE4 |
last seen | 2019-02-26 |
modified | 2019-02-26 |
published | 2019-02-26 |
reporter | The Hacker News |
source | https://thehackernews.com/2019/02/drupal-hacking-exploit.html |
title | Hackers Actively Exploiting Latest Drupal RCE Flaw Published Last Week |