Drupal patches highly critical vulnerability: web admins should update

A highly critical Drupal vulnerability would allow remote code execution in some cases

Drupal patched highly critical vulnerabilityDrupal patched CVE-2019-6340 - a highly critical vulnerability that could allow remote execution of PHP code

Drupal, an open-source management framework, released a security advisory[1] which detailed a new critical flaw that would allow arbitrary PHP code execution when certain conditions are met. Content management software developers urged website administrators to not delay the update process and even announced it prior to the patch released on Wednesday.

The flaw, tracked as CVE-2019-6340 and labeled as “highly critical,” would allow hackers to hijack and even take control over any website that uses Drupal content management software. The critical bug occurs due to insufficiently validated user inputs from such sources as RESTful web services:

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

To patch the flaw, website administrators should update version 8.6.x to 8.6.10 and 8.5.x to 8.5.11. Unfortunately, all the previous versions to 8.5.x are no longer supported, so no security updates are released to patch this critical vulnerability.

Drupal is the third most used CMS software for website publishing, accounting for around 3% of a total of 1.5 billion websites[2] in the world wide web, and 1.16 million sites currently use the platform.[3] Until the update goes live, web admins are recommended to disable all web services.

Not all websites using Drupal are vulnerable

According to the security advisory released by the company, not all the websites are vulnerable. Certain conditions should be met in order to exploit the vulnerability:

  • Sites that run Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests;
  • Websites that have another web services enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

Drupal also warns that after updating the core, admins also have to patch other modules related to the CMS, such as Translation Management Tool, JSON:API, RESTful Web Services, Font Awesome Icons, etc., or the vulnerability would still be exploitable.

In the meantime, those using Drupal 7 are not required to update the core, but the above-mentioned modules should be updated regardless.

Drupal, vulnerabilities and Drupalgeddon 2

Because the flaw was discovered by Drupal researchers, it is highly unlikely that it was exploited previously. However, due to such urgency of the update, there is a possibility that the bug will be utilized in the future on the machines that the software is not patched on time.

Hackers have abused drupal over the years, and this flaw proves that site developers using the platform should be extremely careful and immediately update the software, especially when critical flaws like CVE-2019-6340 are patched.

Almost a year earlier, in March 2018, Drupalgeddon2 security flaw was discovered by project's developers. The vulnerability allowed hackers access to the site, consequently infecting it with backdoor malware.

Next month, Ukraine's Energy Ministry website suffered the attack based on Drupalgeddon2, which encrypted files on the site, but, fortunately, did not affect the operation of the plant itself.[4]

Later that year, hackers took action by exploiting the Drupalgeddon2 vulnerability again and launched a new campaign that allowed them to steal credentials to log into certain sites at the later dates.[5]

All these instances simply show how necessary the patching of management software is, as it can not only affect private sites but even government-controlled ones. Thus, if you are among ones who uses the aforementioned vulnerable versions of Drupal core, patch the software immediately!

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions