Highly Critical Remote Code Execution in Drupal (SA-CORE-2019-003)

February 21, 2019

Summary

A highly critical bug has been discovered in Drupal that can be used for remote code execution [1]. Drupal is a Content Management System (CMS) commonly used to host websites. In the past this sort of exploit has been used to deliver remote access tools, ransomware, and cryptominers to web servers [2]. Based on similar exploits against various CMS software in the past, we can expect that attackers will begin exploiting this vulnerability quickly.

Impact

  • A remote attacker can exploit this issue to execute arbitrary commands on the web server.

Vulnerable

  • Drupal 8.6.X prior to 8.6.10
  • Drupal 8.5.10 or earlier
  • A number of Drupal 7 contributed Modules
  • For a list of modules affected, please see the links in the References section [2].

Contributing Factors

To be vulnerable a site must:

  • Have the Drupal 8 core RESTful Web Services (rest) module enabled and allow PATCH or POST requests, or
  • Have another web services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7

Recommendations

  • If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
  • If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
  • If you are using a version of Drupal 8 prior to 8.5.x, it no longer receives security coverage and should be upgraded to a supported release.
  • Be sure to install any available security updates for contributed projects after updating Drupal core [3].
  • No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates [3].

Mitigations

If you cannot apply any of the above referenced patches at this time, disable all Drupal web services modules, or configure your web server(s) to not allow PUT/PATCH/POST requests to web services.
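The following Apache mod_rewrite fragment is an added example of the second mitigation above (blocking PUT/PATCH/POST to web services at the web server); it is not part of the advisory or of Drupal's own configuration. It assumes the JSON:API module is served under its default /jsonapi path and that core REST requests are the ones carrying a _format query parameter; adjust both conditions to the site's actual web-service routes.

```apache
# Added example (not from the advisory or from Drupal): refuse state-changing
# requests to Drupal web-service endpoints until the security release is installed.
# Assumptions: JSON:API is reached under /jsonapi, and core REST requests are the
# ones that carry a _format query parameter. Ordinary browser form posts
# (login, content editing) use neither, so they are left untouched.
RewriteEngine On

# Only state-changing methods are blocked; GET/HEAD/OPTIONS keep working.
RewriteCond %{REQUEST_METHOD} ^(PUT|PATCH|POST)$
# ...and only when the request targets a web-service route (either condition):
RewriteCond %{REQUEST_URI} ^/jsonapi(/|$) [OR]
RewriteCond %{QUERY_STRING} (^|&)_format=
# Answer 403 Forbidden and stop processing further rewrite rules.
RewriteRule ^ - [F,L]
```

Place the fragment before Drupal's existing front-controller rewrite rule (in the vhost or the site's .htaccess, where AllowOverride permits it). After deploying, confirm with a normal GET that pages still render and that a PATCH or POST to a web-service URL now returns 403; the conditions are deliberately narrow, because a blanket block on POST would break every Drupal form on the site.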

Additional Information

Because Open Berkeley does not have Web Services enabled, it is not affected by this vulnerability; however, the affected contributed modules will still be patched.

References

[1] https://www.drupal.org/sa-core-2019-003
[2] https://www.securityweek.com/critical-drupal-vulnerability-allows-remote...
[3] https://www.drupal.org/security/contrib
[4] https://security.berkeley.edu/news/