eSentire Threat Intelligence is aware of a recently disclosed vulnerability in Drupal content management software. Threat Intelligence assesses with high confidence that vulnerable systems are at immediate risk of exploitation. On April 25, 2018, Drupal published a security advisory for CVE-2018-7602 [1] with a risk level of Highly Critical. Since publication, proof of concept code has been released and attacks have been reported.

What we’re doing about it

  • Detection rules have been deployed to esNETWORK sensors
  • The Threat Intelligence team is monitoring this topic for new information

What you should do about it

  • After performing a business impact review, apply the appropriate updates:
    • Version 7.x, upgrade to Drupal 7.59.
    • Version 8.5.x, upgrade to Drupal 8.5.3.
    • Version 8.4.x, upgrade to Drupal 8.4.8.
  • If you are unable to apply updates immediately or are running a distribution not included in the official security release, temporary patches are available: 
    • Patch for Drupal 8.x [2]
    • Patch for Drupal 7.x [3]
    • Note: these patches require the prior fix for CVE-2018-7600 [4]
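
To apply the list above across many sites, the following added example (not part of the original advisory) sorts reported Drupal core versions into fixed, needs upgrade, or not covered by a listed release. The function names, status labels and sample inventory are assumptions constructed for illustration; the fixed versions are the ones listed above.

```python
import re

# Fixed releases exactly as listed in the advisory, keyed by branch.
FIXED = {"7": (7, 59), "8.4": (8, 4, 8), "8.5": (8, 5, 3)}

# Matches 7.58, 8.5.2 and suffixed builds such as 8.5.3-dev.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?$")


def triage(version):
    """Return (status, detail) for one Drupal core version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return ("unparsed", "not a recognised core version string")
    major, minor, patch, suffix = m.groups()
    parts = tuple(int(p) for p in (major, minor, patch) if p is not None)
    # Drupal 7 releases are two-part (7.58); Drupal 8 releases are three-part.
    branch = major if major == "7" else f"{major}.{minor}"
    fixed = FIXED.get(branch)
    if fixed is None:
        return ("unlisted", "branch has no listed release; use the temporary "
                            "patch (needs the CVE-2018-7600 fix first)")
    if len(parts) != len(fixed):
        return ("unparsed", "version does not fit the branch numbering")
    if suffix:
        # Dev and pre-release builds cannot be judged by number alone.
        return ("review", "suffixed build; confirm the fix is included")
    if parts >= fixed:
        return ("fixed", "at or above the fixed release")
    return ("upgrade", "upgrade to Drupal " + ".".join(map(str, fixed)))


def triage_inventory(inventory):
    """Map each host to its triage result."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    sample = {
        "www": "7.58",
        "intranet": "8.5.2",
        "shop": "8.4.8",
        "legacy": "8.3.9",
        "staging": "8.5.3-dev",
    }
    for host, (status, detail) in triage_inventory(sample).items():
        print(f"{host:10} {status:9} {detail}")
```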

Additional information

CVE-2018-7602 affects unpatched versions of Drupal 7.x and 8.x. The vulnerability was discovered by Drupal developers while investigating the recently disclosed Drupal vulnerability CVE-2018-7600. The two vulnerabilities are connected, but each requires its own set of patches. Additional information on CVE-2018-7600 can be found in the eSentire advisory from April 17, “Drupal Remote Code Execution Vulnerability” [5].

Exploitation attempts were reported approximately five hours after the initial patch release on April 25, 2018. Successful exploitation of this vulnerability could result in attackers gaining complete control of the compromised website.


References:

[1] https://www.drupal.org/sa-core-2018-004

[2] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=bb6d396609600d1169da29456ba3db59abae4b7e

[3] https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=080daa38f265ea28444c540832509a48861587d0

[4] https://www.drupal.org/sa-core-2018-002

[5] https://www.esentire.com/news-and-events/security-advisories/drupal-remote-code-execution-vulnerability/
