A new vulnerability affecting the popular content management system (CMS) framework Drupal has been announced. It is said to affect over 1 million websites. The vulnerability has been assigned CVE-2018-7600 and has been deemed highly critical based on CMSS scoring. A highly critical rating means the following:

  • Anonymous access (No need for authentication)
  • Can be triggered remotely (No need of local access)
  • Makes all data accessible (Public AND non public)
  • Data can not only be accessed but modified or even deleted
  • Targeted site can be taken over

Vulnerabilities affecting CMS frameworks are particularly concerning because these systems are prime candidates for botnet herding. Botnets are a fundamental means of criminal activity and a primary profit driver for the cybercrime underground economy, as they can be used for cryptocoin mining, spam, identity theft, phishing, financial fraud, DDoS, and more.

CMS frameworks make up a significant portion of the internet, and when a vulnerability of this type is found it needs to be addressed promptly, as it will likely affect millions of websites that could be targeted for malicious activity.


No known exploitation in the wild… as of now

According to the Drupal Security team, this vulnerability was found by Jasper Mattsson, and as of this time there are no specific details of a proof of concept and no knowledge of exploitation in the wild. However, the differences between the previous code and the patch are public. It will not take long before malicious actors reverse engineer the patch and produce exploit code.

According to WordFence, a review of the published patch code reveals a new class named DrupalRequestSanitizer. This class sanitizes, or controls, input in specific elements of the code, as shown in the figure below.


Figure: diff between the affected Drupal versions and the patch (source: WordFence)
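To make the sanitizing behaviour described above concrete, here is an added example written for this page; it is not code from the original post, from WordFence, or from the Drupal project. The public patch strips request parameter keys that begin with "#" (the prefix Drupal's render system reserves for internal properties) from query, POST and cookie input before the application sees them. The module below mirrors that rule on plain Python dictionaries and adds a detection view that flags requests carrying such keys. The function names, the three input sources and the sample requests are all constructed for illustration.

```python
"""
Added example (not from the original post or the Drupal project): an input
sanitizer in the spirit of the CVE-2018-7600 patch, plus a detection helper.
Rule mirrored: drop any request parameter key that starts with '#', at any
depth, in the query string, POST body and cookies. Sample requests below are
constructed, not captured traffic.
"""
from typing import Any, Dict, List, Tuple

UNSAFE_PREFIX = "#"   # prefix the patch strips from incoming parameter keys


def sanitize_input(data: Any) -> Tuple[Any, List[str]]:
    """Return a copy of `data` with every '#'-prefixed key removed at any depth,
    plus the dotted paths of the keys that were dropped (useful for logging)."""
    removed: List[str] = []

    def _walk(node: Any, path: str) -> Any:
        if isinstance(node, dict):
            clean = {}
            for key, value in node.items():
                full = f"{path}.{key}" if path else str(key)
                if str(key).startswith(UNSAFE_PREFIX):
                    removed.append(full)      # record and drop the key
                    continue
                clean[key] = _walk(value, full)
            return clean
        if isinstance(node, list):
            return [_walk(v, f"{path}[{i}]") for i, v in enumerate(node)]
        return node                          # scalars pass through unchanged

    return _walk(data, ""), removed


def sanitize_request(request: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Apply sanitize_input to the three input sources the patch covers.
    The 'query'/'post'/'cookies' layout is an assumption of this example."""
    cleaned = dict(request)
    dropped: List[str] = []
    for source in ("query", "post", "cookies"):
        if source in request:
            cleaned[source], paths = sanitize_input(request[source])
            dropped.extend(f"{source}:{p}" for p in paths)
    return cleaned, dropped


def is_suspicious(request: Dict[str, Any]) -> bool:
    """Detection view: True if any input source carries a '#'-prefixed key.
    On a patched site such keys are dropped; seeing them is still worth logging."""
    _, dropped = sanitize_request(request)
    return bool(dropped)


def scan(requests: List[Dict[str, Any]]) -> List[int]:
    """Return the ids of requests that would have had keys stripped."""
    return [r["id"] for r in requests if is_suspicious(r)]


# Constructed sample requests (hypothetical, not captured).
SAMPLE_REQUESTS: List[Dict[str, Any]] = [
    {"id": 1, "query": {"q": "node/1"}, "post": {"name": "alice"}, "cookies": {}},
    {"id": 2, "query": {"page": "2"},
     "post": {"form": {"#internal": "y", "title": "t"}}, "cookies": {}},
    {"id": 3, "query": {}, "post": {}, "cookies": {"#pref": "1"}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        _, dropped_keys = sanitize_request(req)
        print(req["id"], "dropped:", dropped_keys)
    print("suspicious request ids:", scan(SAMPLE_REQUESTS))
```

Two design points: the sanitizer returns the paths it removed rather than silently discarding them, so the same function serves both the mitigation (strip before use) and the detection (alert when anything was stripped); and it walks nested structures, because form parameters arrive as nested arrays and a top-level-only check would miss keys buried inside them.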

It is well known that malicious actors, including nation states, can and will reverse engineer patch code in order to create exploit code. This has been seen previously in widely known vulnerability management programs, where state actors have purposely delayed, or abused exclusive knowledge of, upcoming vulnerability publications in order to exploit them.

It is a matter of time before exploit code is published, so it is imperative to update affected Drupal distributions as soon as possible.


What versions are affected and how to mitigate

The following figure shows the detailed mitigation route suggested by the Drupal security team.

Figure: Drupal's recommended mitigation route

Access the Threat Advisory here.

