On February 20, 2019, Alert Logic research teams began tracking a vulnerability affecting users of Drupal that could allow an attacker to run malicious software remotely. Less than a week later, researchers began to see active exploit attempts against customers, and the emerging threat process was invoked.
This highly critical remote code execution vulnerability was discovered in the core code of Drupal (as opposed to a plugin) and allows remote attackers to execute arbitrary PHP code on vulnerable servers by abusing the application programming interface (API) framework of the content management system (CMS).
Using this behavior, attackers can execute commands as if they were locally controlling the victim host. Typically, attackers use this to fetch remote payloads and execute them — installing malicious payloads for persistence, for example malware or webshells that allow attackers to remotely access file system and other operating system functions through a web page.
Organizations that run Drupal installations using versions 8.5.x and 8.6.x that are publicly accessible from the open internet are vulnerable and should update their instances as soon as possible.
Attack Steps
- Attacker incorporates exploit code into existing scripts to “fire and forget” the exploit at public IP ranges.
- Attacker sends the request carrying the exploit code, usually uploading a persistent access mechanism (e.g. a webshell), and works through the success indicators in the script output.
- Drupal runs the code and performs whatever action the attacker wanted.
What is a WebShell?
A webshell is a script or web page that enables remote administration of the underlying machine by a remote user. Most webshells are written in languages supported by most web servers, e.g. PHP, Python, Ruby, Perl and ASP.
The shell gives the user the ability to create, edit, delete or download files — meaning that data on the system is at high risk of exfiltration, and that more specific or targeted code can be uploaded and executed for disruption.
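Because a webshell is usually dropped as a PHP file inside the web root, one of the first things a responder does after exploitation is confirmed is hunt the Drupal docroot for PHP files that pass request-controlled input to code or command execution functions. The following is an added example of such a hunt, not Alert Logic's tooling or Drupal code; the regexes are heuristics, and the docroot, file names and file contents it scans are constructed inline for the demonstration.

```python
"""Added example: a minimal webshell hunt over a Drupal docroot.

Flags PHP files that combine request-controlled input with a code or
command execution primitive, which is how most PHP webshells work.
The sample docroot and its files are constructed for this demo.
"""
import os
import re
import tempfile

# PHP functions that run code or OS commands when handed attacker input.
EXEC_PRIMITIVES = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(",
    re.IGNORECASE,
)
# Superglobals that carry request data into the script.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b")
# Decoding wrappers commonly used to hide a dropped payload.
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)


def scan_php_file(path):
    """Return the reasons a file looks like a webshell (empty list if clean)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    reasons = []
    has_exec = EXEC_PRIMITIVES.search(src) is not None
    if has_exec and REQUEST_INPUT.search(src):
        reasons.append("request input reaches an exec primitive")
    if has_exec and OBFUSCATION.search(src):
        reasons.append("obfuscated payload passed to an exec primitive")
    return reasons


def hunt(docroot):
    """Walk a docroot and return {relative_path: reasons} for suspicious PHP files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            full = os.path.join(dirpath, name)
            reasons = scan_php_file(full)
            if reasons:
                findings[os.path.relpath(full, docroot)] = reasons
    return findings


def build_sample_docroot():
    """Constructed docroot: one benign file and two shell-like files under sites/default/files."""
    root = tempfile.mkdtemp(prefix="drupal-docroot-")
    os.makedirs(os.path.join(root, "sites", "default", "files"))
    samples = {
        # Benign front controller: no exec primitive at all.
        "index.php": "<?php\n$kernel = new DrupalKernel('prod', $autoloader);\n",
        # Request parameter handed straight to a command execution function.
        "sites/default/files/cache.php": "<?php\nif (isset($_REQUEST['c'])) { system($_REQUEST['c']); }\n",
        # Encoded blob (decodes to the word 'constructed') fed to eval.
        "sites/default/files/img.php": "<?php\neval(base64_decode('Y29uc3RydWN0ZWQ='));\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    for path, reasons in sorted(hunt(root).items()):
        print(f"{path}: {'; '.join(reasons)}")
```

On a real host, point `hunt()` at the Drupal web root and pay particular attention to hits under writable paths such as `sites/default/files`, where a compromised Drupal process can drop files; pair the findings with file modification times from the window in which the exploit attempts were observed.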
Drupal REST API Timeline
Date | Event
--- | ---
Wednesday, Feb. 20, 2019 | Vulnerability announced by Drupal as CVE-2019-6340 / SA-CORE-2019-003.
Tuesday, Feb. 26, 2019 | Research teams, already aware of the vulnerability and carrying out ongoing investigation of raw data, observe a high number of exploit attempts in a short period of time.
 | Classified as an Emerging Threat to formalize next steps.
 | Content team create IDS “telemetry” signatures that can be used to monitor for the threat through manual packet capture data analysis and identify fingerprints of the attack.
 | Research team hand over operational monitoring to the Security Operations Center (SOC).
 | Research and Analyst teams observe exploit attempts based on the IDS telemetry data, and begin creating and investigating manual incidents. Incidents begin to be raised to impacted customers.
 | SOC continue investigating manually using tooling and telemetry data. Incidents continue to be raised to customers.
 | Customers running Drupal are identified from vulnerability scan data and directly contacted by their Customer Success Manager.
 | Vulnerability scanning coverage deployed, marked as a PCI audit fail for reporting and auditing.
 | Knowledge Base article published.
 | Broader customer communications sent.
Friday, Feb. 28, 2019 | This blog published.
Next Steps | SOC heightened awareness continues.
 | Incident content released for automatic enriched incident generation.
Exploit Details
A highly critical remote code execution vulnerability has been discovered in the core code of Drupal (as opposed to a plugin). This vulnerability allows remote attackers to execute arbitrary PHP code on vulnerable servers by abusing the REST API framework of the CMS. It is primarily targeted against hosts running Drupal 8, but Drupal 7 installations may be vulnerable if they use modules that expose the same functionality. Using this behavior, attackers can cause victim hosts to fetch remote payloads and execute them — allowing remote code execution or installation of malicious payloads, for example malware or webshells.
A remote code execution vulnerability allows attackers to execute arbitrary code on the victim box. This is likely to consist of commands to download and install persistence, such as malware or webshells. These malicious payloads could then be used to provide remote control over the victim host and allow further attacks (such as data exfiltration) or lateral movement on to other hosts in the network. Once exploited, this vulnerability allows attackers to eventually take complete control of the vulnerable host.
When was this discovered/published and who published it? The vulnerability was announced by Drupal on February 20, 2019, as CVE-2019-6340 / SA-CORE-2019-003. Original publication: https://www.drupal.org/sa-core-2019-003.
This impacts any organization that is running a vulnerable version of Drupal 8 with the RESTful Web Services module enabled, or that is running Drupal 7 with a module that exposes the same functionality.
Drupal advisory: https://www.drupal.org/node/2365547
Drupal REST API Patches
https://www.drupal.org/project/drupal/releases/8.6.10
https://www.drupal.org/project/drupal/releases/8.5.11
Exploit-DB Record
https://www.exploit-db.com/exploits/46459
As per the advisory released by Drupal, a patch and additional information about the vulnerability and mitigation actions are available on the Drupal site.
https://www.drupal.org/sa-core-2019-003
Drupal provides the following recommendations:
- If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
- If you are using Drupal 8.5.x, upgrade to Drupal 8.5.11.
- Be sure to install any available security updates for contributed projects after updating Drupal core.
- No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.
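The recommendations above reduce to a version comparison that a vulnerability scanner (or an administrator with shell access) can automate. The following is an added example, not Drupal's or Alert Logic's code: it reads the `VERSION` constant from `core/lib/Drupal.php` (where Drupal 8 stores its core version) and classifies the install against the fixed releases named on this page. The sample `Drupal.php` text is constructed inline; treating a pre-release suffix such as `-dev` as below the corresponding final release is an assumption made here so that a development checkout of the fix is not reported as patched.

```python
"""Added example: classify a Drupal core version against the fixed releases
named in SA-CORE-2019-003 (8.6.x -> 8.6.10, 8.5.x -> 8.5.11).

The sample Drupal.php content below is constructed for the demo.
"""
import re

# Fixed releases from the advisory, keyed by (major, minor) branch.
# The trailing 0 is a "final release" marker; pre-releases get -1 so they sort below it.
FIXED_RELEASES = {(8, 6): (8, 6, 10, 0), (8, 5): (8, 5, 11, 0)}

# Drupal 8 declares its version as  const VERSION = '8.6.9';  in core/lib/Drupal.php.
VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")
VERSION_PARTS = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def extract_version(drupal_php_source):
    """Pull the VERSION constant out of core/lib/Drupal.php source text."""
    m = VERSION_RE.search(drupal_php_source)
    if not m:
        raise ValueError("VERSION constant not found in Drupal.php")
    return m.group(1)


def assess(version_string):
    """Return 'vulnerable', 'fixed', 'drupal7-core-unaffected' or 'unknown'.

    'unknown' covers branches the advisory does not name (e.g. 8.7.x), which
    should be checked against the Drupal advisory directly rather than assumed safe.
    """
    m = VERSION_PARTS.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version_string!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    # Assumption: any suffix (e.g. '-dev', '-rc1') marks a pre-release of that number.
    prerelease = -1 if m.group(4) else 0
    if major == 7:
        # No core update for Drupal 7; contributed modules still need review.
        return "drupal7-core-unaffected"
    branch = (major, minor)
    if branch not in FIXED_RELEASES:
        return "unknown"
    return "fixed" if (major, minor, patch, prerelease) >= FIXED_RELEASES[branch] else "vulnerable"


def assess_source(drupal_php_source):
    """Convenience wrapper: classify an install from the text of core/lib/Drupal.php."""
    return assess(extract_version(drupal_php_source))


# Constructed stand-in for core/lib/Drupal.php on an unpatched 8.6 install.
SAMPLE_DRUPAL_PHP = """<?php
class Drupal {
  const VERSION = '8.6.9';
}
"""

if __name__ == "__main__":
    print(extract_version(SAMPLE_DRUPAL_PHP), "->", assess_source(SAMPLE_DRUPAL_PHP))
```

Feed `assess_source()` the contents of `core/lib/Drupal.php` from each host; a result of `vulnerable` on an internet-facing site maps directly to the upgrade targets above, and `drupal7-core-unaffected` is a prompt to review the site's contributed modules rather than a clean bill of health.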