eSentire Threat Intelligence is aware of a recently disclosed vulnerability in Drupal content management software. Threat Intelligence assesses with high confidence that vulnerable systems are at immediate risk of exploitation. On April 25, 2018 Drupal published a security advisory for CVE-2018-76021 with a risk level of Highly Critical. Since publication, proof of concept code has been released and attacks have been reported.

What we’re doing about it

  • Detection rules have been deployed to esNETWORK sensors
  • The Threat Intelligence team is monitoring this topic for new information

What you should do about it

  • After performing a business impact review apply the appropriate updates
    • Version 7.x, upgrade to Drupal 7.59.
    • Version 8.5.x, upgrade to Drupal 8.5.3.
    • Version 8.4.x, upgrade to Drupal 8.4.8.
  • If you are unable to apply updates immediately, or are running a distribution not included in the official security release, temporary patches are available: 
    • Patch for Drupal 8.x 2
    • Patch for Drupal 7.x 3
    • Note, these patches require the prior fix for CVE-2018-7600 4

Additional information

CVE-2018-7602 affects unpatched versions of Drupal 7.x and 8.x. The vulnerability was discovered by Drupal developers while investigating the recently disclosed Drupal vulnerability CVE-2018-7600. The two vulnerabilities are connected but both require their own set of patches. Additional information on CVE-2018-7600 can be found in the eSentire advisory from April 17, “Drupal Remote Code Execution Vulnerability” 5.

Exploitation attempts were reported approximately five hours after initial patch release on April 25, 2018. Successful exploitation of this vulnerability could result in attackers gaining complete control of the compromised website.

[1] https://www.drupal.org/sa-core-2018-004

[2] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=bb6d396609600d1169da29456ba3db59abae4b7e

[3] https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=080daa38f265ea28444c540832509a48861587d0

[4] https://www.drupal.org/sa-core-2018-002

[5] https://www.esentire.com/news-and-events/security-advisories/drupal-remote-code-execution-vulnerability/

eSentire Media Contacts

Rebecca Freiburger | eSentire | [email protected]

Angela Tuzzo | MRB Public Relations | [email protected] | +1 732.758.1100 x105 | @MRB_PR

Ready to start the conversation about cybersecurity?

Let's Talk