CVE-2018-7600 affecting Drupal CMS

Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002

A remote code execution vulnerability exists within multiple subsystems of Drupal 6.x, 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. The flaw has been designated the id CVE-2018-7600.

How Can I Protect My Drupal?

To protect your Drupal from CVE-2018-7600, upgrade to the most recent version of Drupal 7 or 8 core.

  • If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
  • If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)

Drupal 8.3.x and 8.4.x are no longer supported and we don’t normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0.

Your site’s update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.

This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.

This will not require a database update.

This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.

I can’t update my site, what can I do to mitigate the problem?

There are several solutions, but they are all based on the idea of not serving the vulnerable Drupal pages to visitors. Temporarily replacing your Drupal site with a static HTML page is an effective mitigation. For staging or development sites you could disable the site or turn on a “Basic Auth” password to prevent access to the site.

Cloudflare Users: Cloudflare has added a Drupal WAF rule to its Web Application Firewall (WAF) that blocks requests matching these exploit conditions. You can find this rule in the Cloudflare ruleset in your dashboard under the Drupal category with the rule ID D0003.

What other security measures might I put in place to improve my site’s security?

A few general suggestions include:

  • Security Review, which looks for weak configurations.
  • 2 Factor Auth, to improve the security of logins.
  • Password Strength, which helps enforce stronger passwords.
  • Paranoia, which provides a mix of tools to increase the security of sites.

Vulnerable and fixed packages on Debian

The table below lists information on source packages.

Source Package   Release             Version          Status
drupal7 (PTS)    wheezy              7.14-2+deb7u12   vulnerable
                 wheezy (security)   7.14-2+deb7u18   fixed
                 jessie              7.32-1+deb8u9    vulnerable
                 jessie (security)   7.32-1+deb8u11   fixed
                 stretch             7.52-2+deb9u2    vulnerable
                 stretch (security)  7.52-2+deb9u3    fixed
                 sid                 7.58-1           fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version    Urgency   Origin       Debian Bugs
drupal7   source   (unstable)   7.58-1                                  894259
drupal7   source   jessie       7.32-1+deb8u11             DSA-4156-1
drupal7   source   stretch      7.52-2+deb9u3              DSA-4156-1
drupal7   source   wheezy       7.14-2+deb7u18             DLA-1325-1
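The two tables above show why an inventory check for this issue has to be distribution-aware: Debian's stretch package 7.52-2+deb9u3 carries the fix even though its upstream part, 7.52, is below 7.58, so a scanner that only reads the upstream version constant would report a patched host as vulnerable. The Python below is an added example, not code from the advisory or from the Debian tracker; it ports dpkg's version-comparison rules and classifies an install against the fixed versions listed on this page. `drupal_status`, `UPSTREAM_FIXED` and `DEBIAN_FIXED` are constructed for this example, and because the page does not number the 8.3.x/8.4.x fix releases, those branches are simply reported as needing an update.

```python
# Fixed versions exactly as this page states them: upstream per SA-CORE-2018-002, Debian per the tracker rows above.
UPSTREAM_FIXED = {"7": "7.58", "8.5": "8.5.1"}
DEBIAN_FIXED = {"wheezy": "7.14-2+deb7u18", "jessie": "7.32-1+deb8u11",
                "stretch": "7.52-2+deb9u3", "sid": "7.58-1"}

def _order(c):  # dpkg character weight: '~' < end/digit < letters < others
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def dpkg_cmp(a, b):
    """Port of dpkg's verrevcmp(): returns -1, 0 or 1 (epochs not handled)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return (ac > bc) - (ac < bc)
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():  # longer digit run wins (u11 > u9)
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return (first_diff > 0) - (first_diff < 0)
    return 0

def debian_cmp(a, b):
    """Compare Debian package versions: upstream part first, then revision."""
    au, _, ar = a.rpartition("-") if "-" in a else (a, "", "")
    bu, _, br = b.rpartition("-") if "-" in b else (b, "", "")
    return dpkg_cmp(au, bu) or dpkg_cmp(ar, br)

def drupal_status(version, debian_release=None):
    """Hypothetical helper: upstream version, or drupal7 package version plus release."""
    if debian_release:
        return "fixed" if debian_cmp(version, DEBIAN_FIXED[debian_release]) >= 0 else "vulnerable"
    branch = "8.5" if version.startswith("8.5.") else version.split(".")[0]
    if branch not in UPSTREAM_FIXED:
        return "unsupported branch: update to a supported release first"
    return "fixed" if dpkg_cmp(version, UPSTREAM_FIXED[branch]) >= 0 else "vulnerable"
```

Pass the package version with its Debian release for distribution-packaged installs; pass the bare upstream version only for tarball or Composer installs.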

Find More Info

The FAQ about this issue

Links

https://www.drupal.org/sa-core-2018-002
https://security-tracker.debian.org/tracker/CVE-2018-7600
https://www.drupal.org/psa-2018-001
https://blog.cloudflare.com/drupal-waf-rule-to-mitigate-critical-exploit/
