Hackers Have Started Exploiting Recently Released Drupal RCE Exploit

Hackers are really fast these days! It was just recently that a critical vulnerability was disclosed in Drupal, and immediately after the working exploit code has been released, hackers have swung into action, exploiting the vulnerability to their benefits.

The highly critical remote code execution vulnerability, which has affected Drupal’s content management system, is called Drupalgeddon2. The company immediately released updated versions of its CMS, giving time for websites to patch the vulnerability.

The Hacker News reported, on April 13- “Two weeks ago, Drupal security team discovered a highly critical remote code execution vulnerability, dubbed Drupalgeddon2, in its content management system software that could allow attackers to completely take over vulnerable websites…To address this vulnerability the company immediately released updated versions of Drupal CMS without releasing any technical details of the vulnerability, giving more than a million sites enough time to patch the issue.”

Following Drupal releasing updated versions of its CMS, security researchers are Dofinity and Check Point published technical details about the vulnerability. The Hacker News report says- “Two days ago, security researchers at Check Point and Dofinity published complete technical details about this vulnerability (CVE-2018-7600), using which, a Russian security researcher published a proof-of-concept (PoC) exploit code for Drupalgeddon2 on GitHub.” The report also explains how a remote attacker can exploit this vulnerability; it says-“The Drupalgeddon2 vulnerability that affects all versions of Drupal from 6 to 8 allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations.”

Check Point researchers had explained that an attacker could exploit this vulnerability to inject a malicious payload into the internal form structure. As a result, Drupal would be executing the code without going in for any user authentication. An attacker can thus use the vulnerability to carry out a full site takeover, for any customer who uses the Drupal open source platform.

Anyway, shortly after the PoC exploit was publicly released, researchers found out that there were attempts to exploit the vulnerability. The Hacker News report says- “However, shortly after the public release of the PoC exploit, which many confirmed to be functional, researchers at Sucuri, Imperva, and the SANS Internet Storm Center started seeing attempts to exploit Drupalgeddon2, though none have yet to see any reports of websites being hacked.”

The solution is simple; the administrators of those websites that are still running the vulnerable versions of Drupal need to update to Drupal 7.58 or Drupal 8.5.1 at the earliest. It’s to be noted that the Drupalgeddon2 vulnerability also impacts Drupal 6, which, since February 2016, is not supported by the company. However, a patch for Drupal 6 too has been created.