On March 27th 2018, the Drupal CMS team announced a massive vulnerability dubbed ‘Drupalgeddon 2’. Accordingly, they recommended that “Drupal site owners should immediately —and we mean right now— update their sites to Drupal 7.58 or Drupal 8.5.1, depending on the version they're running.”
The security flaw is one of the most severe vulnerabilities discovered to date, with the Drupal team assigning it a severity score of 21 (on a scale of 1 to 25).
The bug —tracked under the CVE-2018-7600 identifier— allows an attacker to run arbitrary code against the CMS' core component, effectively taking over the site. As Check Point describes:
“In brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication. By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.”
But it’s not just the technical severity of the vulnerability that makes Drupalgeddon so dangerous. A vulnerability is only really a threat if cybercriminals are exploiting it. And unfortunately for Drupal sites, attackers immediately moved to exploit it by installing cryptomining malware on unpatched sites.
One would hope that Drupal site owners would have immediately moved to patch their sites, but Troy Mursch, a US-based security researcher, estimates that there are still over 115,000 sites vulnerable to Drupalgeddon 2.
For those who have yet to patch their Drupal sites, there’s no time like the present.
Here are the suggested options for remediating Drupalgeddon 2:
- Download and install the latest Drupal version that matches your current build.
If you can handle a little downtime, or if the Drupal site is not mission critical, the best option is to upgrade to the latest Drupal version. The upgrade includes new features and bug fixes, which both protect your site and extend its capabilities.
- Download and install the Drupal version that fixed Drupalgeddon 2.
Upgrading Drupal to the latest version may have unwanted consequences, such as downtime, that you will want to avoid in a production environment. In addition, patches are often bundled with features or other updates, which may have unpredictable consequences. To avoid these issues, you may prefer to upgrade only to the security release designated for the Drupalgeddon 2 vulnerability. In that case, be sure to use one of the following releases, depending on the version you're running:
- Drupal 7.x: Drupal 7.58
- Drupal 8.5.x: Drupal 8.5.1
- Drupal 8.3.x: Drupal 8.3.9
- Drupal 8.4.x: Drupal 8.4.6
- If upgrading your version is not an option at the moment, apply the following workaround provided by Drupal:
If you need to minimize downtime as much as possible, apply the workarounds for the specific affected files. This does not require package installations or deployments.
- You can virtually patch Drupalgeddon 2 using your WAF. WAFs examine incoming traffic and block attack attempts, thereby compensating for input sanitization deficiencies in the application itself.
The Drupalgeddon 2 weakness is an SQL injection. A WAF allows you to configure a set of rules that sanitize the incoming strings sent to the backend of your application and strip malicious queries before they reach it.
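What such a rule has to do, as an added example (not code from this post, from Drupal or from Vulcan Cyber): Drupal's own fix for CVE-2018-7600 strips request parameter keys that begin with '#' (Form API render properties) from the query string, POST body and cookies before the request reaches the form system, and a WAF virtual patch applies the same rule in front of the site. The sample request below is constructed; the check runs after URL-decoding, so percent-encoded keys are caught as well.

```python
"""Strip Drupal Form API render properties ('#'-prefixed keys) from request data.
Example written for this post, not Drupal's or Vulcan Cyber's code."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# PHP turns "a[b][c][]" into nested array keys a -> b -> c -> (append)
_BRACKET = re.compile(r"\[([^\]]*)\]")

def split_php_key(key: str) -> List[str]:
    """Return the nesting levels PHP derives from a bracketed parameter name."""
    head, sep, rest = key.partition("[")
    segments = _BRACKET.findall(sep + rest) if sep else []
    return [head] + segments if segments else [key]

def is_render_property(key: str) -> bool:
    """True if any nesting level of the (URL-decoded) key starts with '#'."""
    return any(seg.startswith("#") for seg in split_php_key(key))

def sanitize(raw: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Parse a query string or form body, drop '#' keys, report what was dropped.
    parse_qs percent-decodes first, so '%23...' is caught like a literal '#'."""
    params = parse_qs(raw, keep_blank_values=True)
    dropped = sorted(k for k in params if is_render_property(k))
    clean = {k: v for k, v in params.items() if k not in dropped}
    return clean, dropped

def audit_request(query: str, body: str, cookies: str) -> Dict[str, List[str]]:
    """Apply the rule to the three sources Drupal's fix sanitizes (query string,
    POST body, cookies) and return the offending keys per source."""
    cookie_qs = "&".join(p.strip() for p in cookies.split(";") if p.strip())
    hits = {}
    for source, raw in (("query", query), ("body", body), ("cookie", cookie_qs)):
        _, dropped = sanitize(raw)
        if dropped:
            hits[source] = dropped
    return hits

# Constructed sample request: an ordinary form post plus two smuggled '#' keys,
# one percent-encoded so a literal '#' match on the raw bytes would miss it.
SAMPLE_QUERY = "q=contact&ajax_form=1"
SAMPLE_BODY = "name=alice&mail[0]=a%40example.com&mail[%23constructed_prop][]=x"
SAMPLE_COOKIES = "SESS=abc123; %23constructed=1"

if __name__ == "__main__":
    print(audit_request(SAMPLE_QUERY, SAMPLE_BODY, SAMPLE_COOKIES))
```

A WAF rule that matches the literal '#' on the undecoded request misses the percent-encoded form; decode first, then inspect every nesting level of the key.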
Follow the relevant steps for your WAF in order to configure it properly:
Guy Bratman is a vulnerability ghostbuster, cybersecurity expert, and senior software developer at Vulcan Cyber