Time to Update Drupal ASAP – Hackers Can Easily Take Over a Million Sites Using a Critical Flaw
Several versions of the Drupal content management system are affected by a highly critical vulnerability that can be easily exploited to take control of an affected website. This serious remote code execution bug (referred to as Drupalgeddon 2.0) was discovered by Jasper Mattsson and impacts versions 6, 7 and 8. In total, over a million websites are affected and can be targeted by a remote, unauthenticated attacker.
“This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,” the project said.
Developers of the open-source CMS Drupal are warning admins to install the patches immediately, as the bug is extremely easy to exploit. Tracked as CVE-2018-7600 and assigned a risk score of 21/25 under the NIST Common Misuse Scoring System, the flaw can be exploited simply by visiting a page on the target Drupal site. A successful attack gives the attacker full control of the site, including access to non-public data.
Mitigations require drastic changes – patches are recommended
The project said that only “drastic” configuration changes can mitigate the vulnerability without the fix, and has recommended installing the security patches instead. The issue is caused by missing input validation.
“There are several solutions, but they are all based on the idea of not serving the vulnerable Drupal pages to visitors,” Drupal developers said. “Temporarily replacing your Drupal site with a static HTML page is an effective mitigation. For staging or development sites you could disable the site or turn on a ‘Basic Auth’ password to prevent access to the site.”
The flaw is fixed in Drupal 7.58, 8.5.1, 8.4.6 and 8.3.9, so the remedy is to upgrade to the release for your branch; the 8.3.x and 8.4.x releases were issued even though those branches were already unsupported, because of the severity of the bug. For versions that have reached end of life, refer to the project's advisory for details.
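As an added example (not the project's own code, and not part of the original article), the check below reads the core version from the file Drupal defines it in and compares it with the fixed releases listed above. It assumes the standard version-definition locations (`includes/bootstrap.inc` in 7.x, `core/lib/Drupal.php` in 8.x) and treats 8.x branches newer than 8.5 as containing the fix; the sample file contents are constructed for the demonstration.

```python
import os
import re

# Fixed releases named in the advisory (and listed above): 7.58 for the 7.x
# branch, and 8.5.1 / 8.4.6 / 8.3.9 for the three 8.x branches that got a release.
FIXED = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

# Matches both definition styles:
#   Drupal 7, includes/bootstrap.inc:  define('VERSION', '7.58');
#   Drupal 8, core/lib/Drupal.php:     const VERSION = '8.5.1';
VERSION_RE = re.compile(
    r"""(?:define\s*\(\s*['"]VERSION['"]\s*,\s*|const\s+VERSION\s*=\s*)['"]([^'"]+)['"]"""
)


def extract_version(source):
    """Return the core version string found in a version-defining file's contents."""
    match = VERSION_RE.search(source)
    if not match:
        raise ValueError("no VERSION definition found")
    return match.group(1)


def version_tuple(version):
    """'8.5.1' -> (8, 5, 1). Returns None for non-release strings such as '8.5.x-dev'."""
    parts = version.split("-", 1)[0].split(".")
    if not all(part.isdigit() for part in parts):
        return None
    return tuple(int(part) for part in parts)


def assess(version):
    """Classify a core version as 'patched', 'vulnerable', 'end_of_life' or 'unknown'."""
    vt = version_tuple(version)
    if vt is None:
        return "unknown"          # dev snapshots: compare the commit, not the string
    major = vt[0]
    if major < 7:
        return "end_of_life"      # Drupal 6 got no official release for this bug
    if major == 7:
        return "patched" if vt >= FIXED[(7,)] else "vulnerable"
    if major == 8:
        branch = vt[:2]
        if branch in FIXED:
            return "patched" if vt >= FIXED[branch] else "vulnerable"
        if branch < (8, 3):
            return "end_of_life"  # 8.0-8.2 received no release at all: upgrade
        # Assumption: branches newer than 8.5 were cut after the fix landed.
        return "patched"
    return "patched"              # 9.x and later postdate the fix


def check_docroot(docroot):
    """Find the version file under a Drupal docroot and return (version, status)."""
    for rel in ("core/lib/Drupal.php", "includes/bootstrap.inc"):
        path = os.path.join(docroot, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = extract_version(fh.read())
            return version, assess(version)
    raise FileNotFoundError("no Drupal 7/8 version file under " + docroot)


# Constructed sample file contents (not taken from a real site).
SAMPLE_D7 = "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '7.57');\n"
SAMPLE_D8 = "<?php\nclass Drupal {\n  const VERSION = '8.5.1';\n}\n"

if __name__ == "__main__":
    for label, source in (("sample 7.x file", SAMPLE_D7), ("sample 8.x file", SAMPLE_D8)):
        version = extract_version(source)
        print(label, version, assess(version))
```

Run `check_docroot("/var/www/html")` (or whatever your docroot is) on each site you operate. A "patched" result only shows that the code on disk has been updated; it says nothing about whether the site was compromised while it was still running the vulnerable release, so sites that were exposed before the upgrade should also be reviewed for unexpected files, users and modules.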
Technical details of the bug have not been released, because the developers believe attackers could create working exploits within hours or days of the details going public. Drupal is urging users to install the patches promptly and, in fact, issued a pre-announcement of the release a week in advance.