Science Drupalgeddon2 - massive amount of websites about to get owned

I'd guesstimate something like 1 in 20 websites run Drupal. The original Drupalgeddon was a script kiddie's dream. https://www.bleepingcomputer.com/ne...-flaw-that-allows-hackers-to-take-over-sites/

The Drupal CMS team has fixed a highly critical security flaw that allows hackers to take over a site just by accessing an URL.

Drupal site owners should immediately —and we mean right now— update their sites to Drupal 7.58 or Drupal 8.5.1, depending on the version they're running.

The Drupal team pre-announced today's patches last week when it said "exploits might be developed within hours or days" after today's disclosure.

The security flaw is indeed a severe one, with the Drupal team assigning it a severity score of 21 (on a scale of 1 to 25).

Drupal affected by unauthenticated RCE flaw
The bug —tracked under the CVE-2018-7600 identifier— allows an attacker to run any code he desires against the CMS' core component, effectively taking over the site.

The attacker doesn't need to be registered or authenticated on the targeted site, and all the attacker must do is to access an URL.

The Drupal community has already nicknamed this bug as Drupalgeddon2 after the Drupalgeddon security bug (CVE-2014-3704, SQL injection, severity 25/25) disclosed in 2014 that led to numerous Drupal sites getting hacked for years afterward.

No PoC available. No attacks detected (yet).
There is no public proof-of-concept or exploit code currently available online, but researchers have already started digging through the Drupal patches to determine what was patched.

The essence of the diff between Drupal 7.57 and 7.58 (CVE-2018-7600, SA-CORE-2018-002) appears to be this. #drupal #drupalgeddon2 pic.twitter.com/ZNvckNLTpb

— Arto Bendiken (@bendiken) March 28, 2018
Drupal developers credited Jasper Mattsson, an employee of Drupal security auditing firm Druid, for discovering the flaw.

The Drupal team says it was not aware of any attacks exploiting the flaw when they published their security alert, but everyone from the official Drupal team to independent security researchers expect this vulnerability to enter active exploitation within hours or days.

Patching should not be ignored. Even the main Drupal homepage was taken down today for half an hour to apply the Drupalgeddon2 patch.

The Drupal team took the site offline before the announcement to do a version upgrade, and now the site doesn’t work

— Julian Assange’s haunted Internet (@GossiTheDog) March 28, 2018
EOLed Drupal 6 also affected
Besides fixes for Drupal's two main branches —7.x and 8.x— the Drupal team announced patches for the ancient 6.x branch that was discontinued in February 2016.

Web firewall products are expected to receive updates in the following days to handle exploitation attempts.

Drupal developers recommend patching first, but if this isn't possible, they recommend applying mitigations such as temporarily replacing a Drupal site with a static HTML page, so the vulnerable Drupal site would not serve the vulnerable URLs to visitors.

In addition, staging and in-dev Drupal installations should be updated or taken down completely until the patch can be applied.

Drupal CMSs have a market share of around 9%
According to BuiltWith.com, Drupal currently powers over one million sites and has a 9% market share among the top 10K most popular sites.

If you're a WordPress admin and have been ridiculed by Drupal site owners for running a vulnerability-prone CMS, the #Drupalgeddon2 Twitter hashtag can offer some moral satisfaction, vicious trolling, and some funny memes.

Drupal amateur hour: A CRITICAL SECURITY update, that consists of "adding input validation". What is this? F'ing 1997? #drupal #drupalgeddon .

Literally all that's changed / added: pic.twitter.com/zZaG1GTRmd

— Bob (@bopp) March 28, 2018

Reminder that the Drupal project has had its own share of SJW drama, especially that time they tried to kick out a primary developer for his "Gor" lifestyle
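The article's guidance boils down to one question per install: is it already at 7.58 / 8.5.1, and if not, can it be updated or taken offline? The script below is an added example (not from the thread, BleepingComputer or Drupal) that answers that across a set of install roots by reading the VERSION constant Drupal core ships on disk; the install names and file bodies in demo() are constructed samples, and the file locations assumed are includes/bootstrap.inc for 7.x and core/lib/Drupal.php for 8.x.

```python
"""Audit Drupal installs against the fixed releases named in the article (added example,
not from the thread or from Drupal). Reads the VERSION constant core ships on disk
(7.x: includes/bootstrap.inc, 8.x: core/lib/Drupal.php) and flags anything else."""
import os
import re
import tempfile

FIXED = {7: (7, 58), 8: (8, 5, 1)}  # first fixed release per supported branch
VERSION_FILES = (  # where each branch of core defines its version string
    ("includes/bootstrap.inc", re.compile(r"define\('VERSION',\s*'([\d.]+)'")),
    ("core/lib/Drupal.php", re.compile(r"const VERSION\s*=\s*'([\d.]+)'")),
)

def parse_version(text):
    return tuple(int(p) for p in text.split("-")[0].split("."))  # '8.5.0-rc1' -> (8, 5, 0)

def drupal_version(root):
    """Core version of the install at root, or None if no known core file exists."""
    for rel, pattern in VERSION_FILES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                match = pattern.search(fh.read())
            if match:
                return parse_version(match.group(1))

def is_fixed(version):  # True only for 7.58+ or 8.5.1+; 6.x (EOL) and unknown branches are never fixed
    fixed = FIXED.get(version[0])
    return fixed is not None and version >= fixed

def status(version):
    """One report line per install; anything not at a fixed release needs action."""
    if version is None:
        return "no Drupal core found"
    label = ".".join(map(str, version))
    return ("fixed (%s)" if is_fixed(version) else "UPDATE OR TAKE OFFLINE (%s)") % label

def audit(installs):
    """{name: path} in, {name: status} out, e.g. for a patch-tracking report."""
    return {name: status(drupal_version(root)) for name, root in installs.items()}

def demo():
    """Audit three constructed installs (not real sites) written to a temp dir."""
    tmp = tempfile.mkdtemp()
    samples = {"prod-d7": ("includes/bootstrap.inc", "<?php\ndefine('VERSION', '7.57');\n"),
               "prod-d8": ("core/lib/Drupal.php", "<?php\nclass Drupal { const VERSION = '8.5.1'; }\n"),
               "staging-d8": ("core/lib/Drupal.php", "<?php\nclass Drupal { const VERSION = '8.4.5'; }\n")}
    for name, (rel, body) in samples.items():
        os.makedirs(os.path.join(tmp, name, os.path.dirname(rel)))
        with open(os.path.join(tmp, name, rel), "w") as fh:
            fh.write(body)
    return audit({name: os.path.join(tmp, name) for name in samples})
```

Following the article, only 7.58+ and 8.5.1+ count as fixed here; any 8.4.x or 6.x install is reported as needing an update or removal from service.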

Give me a Technology board @Null
 
What sort of madman kept using Drupal after the first one?

https://twitter.com/codeincarnate/status/979080318966730753 (https://archive.fo/PnNTy)


https://twitter.com/CoreRuleSet/status/979198633441681408 (https://archive.fo/bAqct)


Relevant patch: https://gist.github.com/paragonie-s...da77d3240#file-drupal-8-x-2018-002-patch-L118 (https://archive.fo/kermn)
 
CrunkLord420 said:
Give me a Technology board Null
Second that. Maybe one could merge it with the cryptoshekel board if it feels like it wouldn't be very active.
Perhaps all the techies will crawl out of the woodwork if only they had somewhere to congregate.

Drupal amateur hour: A CRITICAL SECURITY update, that consists of "adding input validation". What is this? F'ing 1997? #drupal #drupalgeddon .
Blast from the past. I thought that the good old days with mysql_for_real_this_time_escape_string and remote includes were gone. Maybe they just got a facelift so that I hardly recognize them anymore.
 