On February 20, 2019, Alert Logic research teams began tracking vulnerabilities affecting users of Drupal which could allow an attacker to run malicious software remotely. Less than a week later, researchers began to see active exploit attempts against customers and the Emerging Threat process was invoked.
This highly critical remote code execution vulnerability was discovered in the core code of Drupal (as opposed to a plugin) and allows remote attackers to execute arbitrary PHP code on vulnerable servers by abusing the application programming interface (API) framework of the Content Management System (CMS).
Using this behavior, attackers can execute commands as if they were sitting at the victim host. Typically they use it to fetch and execute remote payloads, installing malware or webshells for persistence; a webshell gives the attacker remote access to files and other operating system functions through a web page.
Organizations running Drupal 8.5.x or 8.6.x installations that are publicly accessible on the open internet are vulnerable and should update their instances as soon as possible.
As an Alert Logic customer, if you were affected, the incidents would have been escalated by phone to your designated contact, and you would see them in the user interface as “[M] Drupal CVE-2019-6340 REST API RCE”.
- Attacker incorporates exploit code into existing scripts to “fire and forget” the exploit at public IP ranges
- Sends requests containing the exploit code, usually uploading a persistent access mechanism such as a webshell, and works through the success indicators in the script output
- Drupal runs the code and performs whatever action the attacker wanted
What is a webshell?
A webshell is a script or web page that enables remote administration of the underlying machine by a remote user. Most webshells are written in languages supported by most web servers, e.g. PHP, Python, Ruby, Perl and ASP.
The shell gives the user the ability to create, edit, delete or download files—meaning that data on the system is at high risk of exfiltration, and that more specific or targeted code can be uploaded and executed to cause disruption.
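Because a webshell dropped through a remote code execution bug appears as a new or modified script under the web root, one defensive check that needs no knowledge of what the shell looks like is to compare the current document root against a baseline manifest taken from a known-good deployment. The following is an added example written for this post, not Alert Logic's or Drupal's own tooling; the hashing, manifest diff and ranking logic are the example's own, the `sites/default/files/` prefix is Drupal's conventional public files directory, and the demo tree in the `__main__` section is constructed.

```python
"""
File-integrity check for a web document root (added example; not Alert Logic's
tooling). A baseline manifest of path -> SHA-256 is taken from a known-good
deployment, the live tree is hashed again, and new or changed scripts are
ranked, with scripts appearing in web-writable directories ranked highest.
"""
import hashlib
from pathlib import Path
from typing import Dict, List, Tuple

# Extensions a web server would execute; a dropped shell is usually one of these.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".inc", ".py", ".rb", ".pl", ".asp", ".aspx"}

# Directories normally writable by the web server process (Drupal's public files
# directory is the typical one); they should never gain executable scripts.
WRITABLE_PREFIXES = ("sites/default/files/",)


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(docroot: Path) -> Dict[str, str]:
    """Map each file's path relative to docroot (POSIX style) to its SHA-256."""
    return {
        p.relative_to(docroot).as_posix(): sha256_file(p)
        for p in sorted(docroot.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Return added, modified and removed paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def suspicious_changes(diff: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Rank changes as (severity, change, path). A script newly appearing in a
    web-writable directory is the strongest webshell indicator ('high'); any other
    new or changed script still warrants review against the deployment ('medium')."""
    findings = []
    for change in ("added", "modified"):
        for path in diff[change]:
            if Path(path).suffix.lower() not in SCRIPT_EXTENSIONS:
                continue
            severity = "high" if path.startswith(WRITABLE_PREFIXES) else "medium"
            findings.append((severity, change, path))
    findings.sort(key=lambda f: (f[0] != "high", f[2]))
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed demo: a small baseline tree, then a script dropped into the
    # files directory and a modified front controller.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php // constructed front controller\n")
        (root / "sites/default/files").mkdir(parents=True)
        (root / "sites/default/files/logo.png").write_bytes(b"\x89PNG constructed")
        baseline = build_manifest(root)
        (root / "sites/default/files/cache.php").write_text("<?php // constructed dropped file\n")
        (root / "index.php").write_text("<?php // constructed, modified\n")
        for severity, change, path in suspicious_changes(diff_manifest(baseline, build_manifest(root))):
            print(f"[{severity}] {change}: {path}")
```

The baseline should come from the deployment artifact (the release tarball or build output), not from the live host after the exploit window, otherwise an already-dropped file is silently baselined in. Changes to non-script files (uploaded images, cache data) are ignored on purpose; a removed file is reported by `diff_manifest` but not ranked, since removal alone is not a webshell indicator.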
| Date | Event |
|---|---|
| Wednesday 20th Feb 2019 | Vulnerability announced by Drupal as CVE-2019-6340 / SA-CORE-2019-003 |
| Tuesday 26th Feb 2019 | Research teams, already aware of the vulnerability and carrying out ongoing investigation of raw data, observe a high number of exploit attempts in a short period of time |
| | Classified as an Emerging Threat to formalize next steps |
| | Content team creates IDS “telemetry” signatures that can be used to monitor for the threat, through manual analysis of packet capture data and identification of the attack's fingerprint |
| | Research teams hand over operational monitoring to the Security Operations Center (SOC) |
| | Research and Analyst teams observe exploit attempts in the IDS telemetry data and begin creating and investigating manual incidents; incidents begin to be raised to impacted customers |
| | SOC continues investigating manually using tooling and telemetry data; incidents continue to be raised to customers |
| | Customers running Drupal are identified from vulnerability scan data and directly contacted by their Customer Success Manager |
| | Vulnerability scanning coverage deployed, marked as a PCI audit fail for reporting and auditing |
| | Knowledge Base article published |
| | Broader customer communications sent |
| Friday 28th Feb 2019 | This blog published |
| Next Steps | SOC heightened awareness continues |
| | Incident content released for automatic enriched incident generation |
A highly critical remote code execution vulnerability has been discovered in the core code of Drupal (as opposed to a plugin). This vulnerability allows remote attackers to execute arbitrary PHP code on vulnerable servers by abusing the REST API framework of the CMS. It is primarily targeted against hosts running Drupal 8, but Drupal 7 installations may be vulnerable if they use modules which expose the same functionality. Using this behavior, attackers can cause victim hosts to fetch remote payloads and execute them—allowing remote code execution or installation of malicious payloads, for example malware or webshells.
A remote code execution vulnerability allows attackers to execute arbitrary code on the victim host. This is likely to consist of commands to download and install persistence, such as malware or webshells. These malicious payloads can then be used to provide remote control over the victim host and allow further attacks (such as data exfiltration) or lateral movement onto other hosts in the network. Once exploited, the vulnerability can eventually give attackers complete control of the vulnerable host.
When was this discovered/published and who published it?
The vulnerability was announced by Drupal on 20 Feb 2019 as CVE-2019-6340 / SA-CORE-2019-003.
Original publication: https://www.drupal.org/sa-core-2019-003.
This impacts any organization that is running a vulnerable version of Drupal 8 with the RESTful Web Services module enabled, or that is running Drupal 7 with a module which exposes the same functionality.
There are no public reports, at the time of writing, of specific businesses that have been affected by the threat. However, hundreds of attack attempts for this vulnerability against Alert Logic customers have been observed, so assume attempts are being made across the public IP ranges.
As per the advisory released by Drupal, a patch and additional information about the vulnerability and mitigation actions are available on the Drupal site.
Drupal provides the following recommendations:
- If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
- If you are using Drupal 8.5.x, upgrade to Drupal 8.5.11.
- Be sure to install any available security updates for contributed projects after updating Drupal core.
- No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.
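A quick way to triage a fleet against the version guidance above (8.5.x below 8.5.11 and 8.6.x below 8.6.10 are vulnerable; Drupal 7 needs module review rather than a core update) is to read the core version string from disk and compare it numerically. The following is an added example written for this post, not Alert Logic's or Drupal's own tooling. It relies on where Drupal core declares its version: Drupal 8 has `const VERSION = '8.6.9';` in `core/lib/Drupal.php` and Drupal 7 has `define('VERSION', '7.64');` in `includes/bootstrap.inc`. The classification labels and the handling of pre-release suffixes are the example's own choices, and the version strings in the `__main__` section are constructed.

```python
"""
Drupal core version triage against the fixed releases named in SA-CORE-2019-003
(8.5.11 and 8.6.10). Added example; not Alert Logic's or Drupal's own tooling.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

# First patched patch level per 8.x minor branch, as stated in the advisory.
FIXED_PATCH_LEVEL = {(8, 5): 11, (8, 6): 10}

# Version declarations as they appear in Drupal 8 (core/lib/Drupal.php) and
# Drupal 7 (includes/bootstrap.inc) core source.
D8_VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")
D7_VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")


def version_from_source(php_source: str) -> Optional[str]:
    """Extract the core version string from Drupal.php or bootstrap.inc text."""
    for pattern in (D8_VERSION_RE, D7_VERSION_RE):
        m = pattern.search(php_source)
        if m:
            return m.group(1)
    return None


def parse_version(version: str) -> Optional[Tuple[int, int, int, str]]:
    """Split '8.6.10', '7.64' or '8.7.0-beta1' into (major, minor, patch, suffix).
    Comparing as integers matters: as strings, '8.5.2' sorts after '8.5.11'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?", version.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), suffix or ""


def assess(version: str) -> str:
    """Classify a core version string (labels are this example's own):
    'vulnerable'     8.5.x below 8.5.11 or 8.6.x below 8.6.10
    'patched'        8.5.11+ or 8.6.10+
    'review-modules' Drupal 7: no core update, but contributed modules may need one
    'not-covered'    any other branch; check the advisory directly
    'unknown'        the string did not parse (e.g. an '8.6.x-dev' checkout)
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    major, minor, patch, suffix = parsed
    if major == 7:
        return "review-modules"
    fixed = FIXED_PATCH_LEVEL.get((major, minor))
    if fixed is None:
        return "not-covered"
    # A pre-release suffix on the fixed level may predate the fix, so only a
    # plain release at or above the fixed level counts as patched.
    if patch > fixed or (patch == fixed and not suffix):
        return "patched"
    return "vulnerable"


def assess_install(docroot: Path) -> Tuple[Optional[str], str]:
    """Locate the core version file under a Drupal document root and assess it."""
    for relative in ("core/lib/Drupal.php", "includes/bootstrap.inc"):
        candidate = docroot / relative
        if candidate.is_file():
            version = version_from_source(candidate.read_text(errors="replace"))
            if version:
                return version, assess(version)
    return None, "unknown"


if __name__ == "__main__":
    # Constructed sample version strings; no real installation is read here.
    for sample in ("8.6.9", "8.6.10", "8.5.2", "8.5.11", "7.64", "8.4.8"):
        print(f"{sample:>8}: {assess(sample)}")
```

Run `assess_install(Path("/var/www/html"))` (path is a placeholder) against each document root found by inventory; an `unknown` result for a git checkout on a `-dev` branch means the commit, not the version string, has to be checked. The version check says nothing about whether the RESTful Web Services module is enabled, so a `vulnerable` result is a reason to patch, not a confirmation that the host is exploitable.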