Saturday, April 28, 2018

DrupalGeddon 2.1 and the state of vulnerability management

If you’re running Drupal 7.x, 8.4.x, or 8.5.x, a new patch was released Wednesday. The patch was rated Critical with a score of 20/25. The Drupal team notified users two days before the patch was released so they could be ready to patch. The patch went live in the middle of the US workday, meaning that organizations wishing to patch had to take an outage window during business hours (not normally advisable). Several organizations we work with wanted to take more time to patch and scheduled a patch window for this weekend (something we strongly advised against).

Unfortunately (and unsurprisingly), attackers began exploiting this vulnerability mere hours after the patches were released. Since this is a remote code execution vulnerability, attackers that exploit it take control as the user that runs the web server software (thankfully this is rarely root). However (depending on configuration), attackers may be able to:

  • Upload a web shell
  • Dump data from a backend database
  • Create landing pages for spam on your domain
  • Exploit users who come to your site
  • Steal credentials from users who come to your website

Read the rest of the story on the Rendition Infosec corporate blog.