Drupalgeddon continues: one more remote code execution bug has been discovered in the content management system. Identified as CVE-2018-7602, the highly critical vulnerability affects Drupal versions 7.x and 8.x. Affected users should immediately upgrade to Drupal v7.59 or 8.5.3. The bug is actively exploited in the wild, the Drupal team said, so don’t waste any time before patching.
Official Description of CVE-2018-7602
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x, the Drupal security team recently announced. This allows attackers to exploit multiple attack vectors on a site running on Drupal, which could result in the site being compromised in various ways. Note that CVE-2018-7602 is related to Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002.
Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild, Drupal said. In addition, if admins are having issues implementing the update, they should apply the standalone patches instead. However, before doing so, admins must first apply the fix from SA-CORE-2018-002, released on March 28, 2018. Websites without that patch may have already been compromised.
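As an added example (not code from the article or from the Drupal project), the following Python check compares a Drupal version string, as shown on a site's status report, against the fixed releases the article names, 7.59 and 8.5.3, and flags installs still below them. The host inventory is constructed sample data, and treating 8.x branches other than 8.5 as "unknown-branch" is an assumption, since the article names only 8.5.3.

```python
import re

# Minimum fixed releases named in the advisory summarised above.
# Assumption: 7.x sites are checked against 7.59, 8.5.x sites against 8.5.3;
# any other branch is reported as unknown rather than guessed.
FIXED = {"7": (7, 59), "8.5": (8, 5, 3)}

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d*))?$")


def parse_version(ver: str):
    """Split e.g. '8.5.3-rc1' into (numeric_tuple, prerelease_tuple).

    A final release gets prerelease (1, "", 0) so it sorts after any
    pre-release of the same number, e.g. '8.5.3' > '8.5.3-rc1'.
    """
    m = _VER_RE.match(ver.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {ver!r}")
    major, minor, patch, tag, tagnum = m.groups()
    nums = (int(major), int(minor)) + ((int(patch),) if patch else ())
    pre = (1, "", 0) if tag is None else (0, tag, int(tagnum or 0))
    return nums, pre


def branch_key(nums):
    """Pick which fixed release applies: '7' for 7.x, '8.5' for 8.5.x."""
    if nums[0] == 7:
        return "7"
    if nums[0] == 8 and len(nums) >= 2 and nums[1] == 5:
        return "8.5"
    return None


def patch_status(ver: str) -> str:
    """Return 'patched', 'vulnerable', 'unknown-branch' or 'unparseable'."""
    try:
        nums, pre = parse_version(ver)
    except ValueError:
        return "unparseable"
    key = branch_key(nums)
    if key is None:
        return "unknown-branch"
    # Numeric parts compare first; a final release beats a pre-release.
    return "patched" if (nums, pre) >= (FIXED[key], (1, "", 0)) else "vulnerable"


def check_inventory(inventory: dict) -> dict:
    """Map each host name to its patch status for a {host: version} inventory."""
    return {host: patch_status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    sample = {"www-1": "7.58", "www-2": "7.59", "cms-a": "8.5.3-rc1",
              "cms-b": "8.5.3", "legacy": "6.38", "dev": "8.x-dev"}
    for host, status in check_inventory(sample).items():
        print(f"{host:8} {sample[host]:10} {status}")
```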
Drupal Vulnerabilities CVE-2018-7602 and CVE-2018-7600
Earlier this month, another highly critical Drupal bug was discovered – CVE-2018-7600, which is very similar to CVE-2018-7602.
CVE-2018-7600 is also a remote code execution vulnerability existing within multiple subsystems of Drupal 7.x and 8.x. The bug allows attackers to exploit multiple attack vectors on a Drupal site. More specifically, the highly critical bug could cause severe damage to a website, which could be hacked via remote code execution due to missing input validation.
This flaw was quickly addressed, but it didn’t take long for attackers to develop an exploit after the fix for it had been released.
“Sites not patched by Wednesday, 2018-04-11 may be compromised. This is the date when evidence emerged of automated attack attempts. It is possible targeted attacks occurred before that,” as stated by the Drupal security team.
How did the problem emerge?
According to SANS ISC CTO Johannes Ullrich, with the March update, Drupal added a global sanitization function. This approach is often difficult to implement correctly, he said in a review of CVE-2018-7600, adding that:
It is very difficult to sanitize and validate data before it is clear how it is being used, in particular if this is done for an existing and complex application like Drupal. We will see how this will work for Drupal in the long run.
Not surprisingly, CVE-2018-7602 is related to the previous bug, and it was discovered by the same researcher and members of the Drupal security team. As already mentioned, the flaw is currently exploited in the wild. According to Netlab 360 security researchers’ analysis, there are a large number of scans on the internet against CVE-2018-7600, and this also applies to the second vulnerability.
In the CVE-2018-7600-based attacks, worm-propagation behavior was observed in some cases. After some investigation, the researchers concluded that the associated botnet has been active for quite some time.
How are the attacks carried out?
Attackers locate vulnerable Drupal installations, exploit the flaw, and install cryptocurrency miners and DDoS malware on compromised servers. On top of that, backdoors are also deployed in these attacks, enabling hackers to access the compromised system whenever they want. Thus, in addition to applying the needed patches, Drupal admins should make sure to check whether their installations have been previously backdoored.