All versions of the Drupal content management system are affected by a highly critical vulnerability that can be easily exploited to take complete control of affected websites in what may turn out to be Drupalgeddon 2.0.
While analyzing the security of Drupal, Jasper Mattsson discovered a serious remote code execution flaw that impacts versions 6, 7 and 8. This represents more than one million websites that can be hacked by a remote and unauthenticated attacker.
The security hole, tracked as CVE-2018-7600 and assigned a risk score of 21/25, can be exploited simply by accessing a page on the targeted Drupal website. Once exploited, it gives the attacker full control over a site, including access to non-public data and the possibility to delete or modify system data, Drupal developers warned.
The vulnerability has been patched with the release of Drupal 7.58, 8.5.1, 8.3.9 and 8.4.6. While Drupal 6 has reached end of life and it’s not supported since February 2016, a fix has still been developed due to the severity of the flaw and the high risk of exploitation.
Besides updating their installations to the latest version, users can protect their websites against attacks by making some changes to the site’s configuration. However, the required changes are “drastic.”
“There are several solutions, but they are all based on the idea of not serving the vulnerable Drupal pages to visitors. Temporarily replacing your Drupal site with a static HTML page is an effective mitigation. For staging or development sites you could disable the site or turn on a ‘Basic Auth’ password to prevent access to the site,” Drupal developers said.
Cloudflare also announced that it has pushed out a rule to its Web Application Firewall (WAF) to block potential attacks.
While no technical details have been made public, Drupal believes that exploits targeting the vulnerability will be created within hours or days, which is why it alerted users of the flaw and an upcoming patch one week in advance. This appears to have been a good strategy, but many websites may still remain vulnerable for extended periods of time.
In the case of the notorious Drupalgeddon vulnerability, hackers had used it to take control of websites nearly two years after a patch was released.
While there haven’t been many reports of Drupal flaws being exploited in the wild since Drupalgeddon, one of the vulnerabilities patched in June 2017 by the developers of the CMS had been leveraged in some spam campaigns.