
Drupal admins: Get ready for emergency out-of-band patch for critical vulnerability

Drupal's first patch for the 'Drupalgeddon 2' vulnerability apparently proved insufficient, prompting a timed release of another patch on Wednesday.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Drupal developers have announced another emergency patch for release on Wednesday. Drupal administrators are advised to patch urgently.
  • Last month's Drupalgeddon 2 vulnerability is presently being exploited by at least three different malware families.

Update: Drupal has released a patch for the vulnerability, designated as CVE-2018-7602. The vulnerability relates to the handling of GET parameters in URLs, which were not sanitized to remove the # symbol, creating a remote code execution vulnerability. Proof-of-concept code has been released, and the vulnerability is being exploited in the wild.

Once again, the developers of Drupal are preparing an emergency out-of-band patch for a critical vulnerability in the popular content management system. The security advisory indicates that another patch will be released between 16:00 and 18:00 UTC on April 25th, 2018. (For reference, that is between 12:00 and 2:00 pm on the same day in Eastern Daylight Time.) Patches will be provided for the 7.x, 8.4.x, and 8.5.x branches of Drupal.

Specific details of the vulnerability are unclear, as the developers have not provided any hints about the nature of the issue prior to the release of the patch. However, the advisory does note that it is a follow-up to the patch issued last month in response to the "Drupalgeddon 2" security vulnerability. That vulnerability stemmed from a conflict between how PHP handles arrays in parameters and Drupal's use of the hash (#) at the beginning of array keys to signify special keys that typically result in further computation.

To patch that vulnerability, an input sanitization check was added to /includes/bootstrap.inc in the Drupal code. Noted developer Scott Arciszewski of Paragon Initiative indicated that the new vulnerability "probably doesn't involve breaking the PHP interpreter."
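The key-filtering idea behind that kind of sanitization check, as an added PHP example that is not Drupal's own code: the function name `strip_hash_keys` and the sample query string are hypothetical and constructed for illustration. It shows how PHP builds nested arrays from bracketed parameter names, and how keys with a leading # can be dropped and recorded before they reach code that treats them as special.

```php
<?php
// Added illustration, not Drupal's code. strip_hash_keys() is a hypothetical name.

/**
 * Recursively drop array keys that begin with '#'.
 * Returns the cleaned array; the bracketed path of every removed key is
 * appended to $removed so the caller can log what was filtered.
 */
function strip_hash_keys(array $input, array &$removed, string $path = ''): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '[' . $key . ']';
        // Integer keys (list items) cannot start with '#', so only string
        // keys are checked.
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            $removed[] = $here;
            continue; // drop the key together with everything beneath it
        }
        $clean[$key] = is_array($value)
            ? strip_hash_keys($value, $removed, $here)
            : $value;
    }
    return $clean;
}

// Constructed sample query string. PHP turns bracketed parameter names into
// nested arrays, so the client chooses the array keys, including keys with a
// leading '#' (sent URL-encoded as %23).
$query = 'q=user/register&profile[name]=alice&profile[%23example]=x&%23top[]=y';
parse_str($query, $params);

$removed = [];
$clean = strip_hash_keys($params, $removed);

// Show the parameters that survive filtering and the key paths that were dropped.
var_export($clean);
echo PHP_EOL . 'removed: ' . implode(', ', $removed) . PHP_EOL;
```

A filter of this kind has to run on every source of request input (query string, POST body, cookies) before any other code reads it, which is why the check belongs in the bootstrap path.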


Despite the developers' care in pre-announcing the urgent out-of-band patch, many Drupal installations seemingly remain unpatched. The Muhstik botnet has been observed by Netlab 360 infecting vulnerable Drupal instances and implanting xmrig and cgminer cryptocurrency mining software. The Netlab 360 report posits that propagation is also happening from the servers with infected Drupal instances. The botnet is also targeting since-patched vulnerabilities in ClipBucket, DasanNetwork Solution, Webdav, WebLogic, Webuzo, and WordPress, the report said. In addition to Muhstik, two other groups of malware have also been identified as actively exploiting the vulnerability.

Content management systems such as Drupal, as well as blogging platforms like WordPress, are popular targets for hackers because they are so widely deployed. Drupal's usage statistics page indicates the software powers about 1.1 million websites. In particular, Drupal has been susceptible to major vulnerabilities, as the original "Drupalgeddon" SQL injection vulnerability from 2014 showed.

For administrators of Drupal installations that for whatever reason cannot be patched, Trend Micro's Deep Security package offers filters for the original Drupalgeddon 2 vulnerability to prevent attackers from taking control of vulnerable systems.


About James Sanders

James Sanders is a Tokyo-based programmer and technology journalist. Since 2013, he has been a regular contributor to TechRepublic and Tech Pro Research.
