Some versions of the content management system present a critical vulnerability that leaves them exposed to remote code execution attacks
Vulnerability (CVE-2019-6340) exists because “some types of fields do not properly heal data from non-forms sources”, mentions the Drupal team, which is an open source project. “This could lead to arbitrary code execution,” said network security specialists.
In recent days Drupal released the fixes to update the versions of 8.6.x to 8.6.10, as well as Drupal 8.5.x and previous to 8.5.11. “A kernel update is not required for Drupal 7, but several modules need to be updated”.
According to Drupal developers, content management system versions might be at risk if any of the following conditions are present:
- Drupal 8 Web services: A site is only affected by this if you have the RESTful Web Services Module enabled and allow PATCH or POST requests
- Other Web services modules: “The site has another enabled web services module, such as JSON: API in Drupal 8 , or RESTful Web services or services in Drupal 7
Drupal says that although version 7 of the Web Services module is not at risk, it is highly recommended to apply all possible updates.
Network security specialists mention that vulnerability can be mitigated by disabling Web service modules or configuring services for not all PUT, PATCH, or POST requests to Web services resources.
The project team also notes that any version of Drupal that is 8.5.x or earlier has reached its expiration date and will not receive more support.
Troy Mursch, a cybersecurity specialist, mentioned that hackers have been exploiting this vulnerability, infiltrating on websites on a massive scale. “We have found Drupal-related scans that try to use the CHANGELOG.txt method to locate sites that are vulnerable to the CVE-2019-6340 error.
Drupal is one of the most popular content management systems in the world, only after Joomla and WordPress, which covers 60% of the total of this market. According to developers, more than 1 million websites are currently using Drupal.
Last year, Drupal announced that around 500 websites had been attacked by groups of unknown hackers exploiting remote code execution vulnerability in order to mine the cryptocurrency Monero.
Among the victims of this attack were Lenovo, the San Diego Zoo and the office of the Inspector General of the U.S. Equal Employment Opportunities Commission, among other users of the content management system.