Drupal Hit With RCE Vulnerability

WordPress is not Alone - Meet Drupalgeddon

It's been a bad year for the Drupal community: two highly critical exploits, so significant that they were coined "Drupalgeddon 2" and "Drupalgeddon 3", together with a consistently abused patching system, have kept the security team's hands full this year.

Drupal — the Content Management System (CMS) giant — has been working around the clock in an attempt to patch their leaky ship, and, so far, their efforts have been creating more problems than solutions.

The problem, of course, stems from the fact that their software — being completely open sourced — makes publicly available all their security flaws.

So, let's take a quick look at Drupalgeddon 2 and 3, and see what in the world is going on over at Drupal, and why you should be seriously concerned if you own a Drupal-based website.

The Beginning of Drupalgeddon 2.0

The Drupal security research team discovered a critical vulnerability in the software. The Drupalgeddon 2 vulnerability announcement came out in late March (2018-03-28) as SA-CORE-2018-002. The advisory was released concurrently with a patch and a CVE (CVE-2018-7600). The Remote Code Execution (RCE) vulnerability CVE-2018-7600 had (and, according to many, still has) severe implications for all websites running on the platform.

RCE Exploit?

RCE exploits are a golden ticket as far as hackers are concerned: they give an attacker a way to execute code on the target across networks and platforms, which in practice means control of your website. In this case the attack vector ran through Drupal's Form API, reachable either on page load or through the Drupal Ajax API. RCE exploits stand to make hackers a lot of money, so this one has been duplicated and abused en masse.

The fact that Drupal is used by over a million websites (3.9% of all CMS users) is certainly concerning. Businesses, governments, educational institutions, and retailers are all in danger of being remotely hacked.

Here's the kicker - every single Drupal website was vulnerable to "Drupalgeddon 2.0".

In response, the security team released a patch late in April, 2018. There were two immediate issues. First, it did not get rid of all instances of Drupalgeddon (though Drupal's security team debated this, independent security firms found evidence of Drupalgeddon on over one hundred thousand websites after the April update). Second, it opened up another vulnerability, now called "Drupalgeddon 3.0".

The Beginning of Drupalgeddon 3.0

Around three hours after the April 25th patch, a group of hackers was able to uncover another RCE exploit in Drupal's system opened up by the fix. Within another few hours, proofs of concept were leaked - allowing just about anyone to abuse websites run on Drupal.

Thus, we now have Drupalgeddon 3.0 - the aftermath of the original Drupalgeddon.

With the Drupalgeddon 3.0 RCE exploit, hackers were able not only to breach websites and inject them with malware or spam; websites were also subjected to extortion attempts and widespread disruption.

According to Drupal, a patch has been issued that should clear up the problem. Of course, the patch could also open other exploitable tunnels - only time will tell.

How to Know if Your Website is Safe?

If you currently run a Drupal website, make sure that you get it patched. Unfortunately, all of the websites that were already compromised remain compromised. The responsibility and costs of clearing the infections fall on the shoulders of the site owners.
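One concrete way to act on "make sure you get it patched" is to read the version that Drupal core declares on disk and compare it with the fixed release named in the advisory. The Python below is an added example, not code from the original post or from the Drupal project. It relies on two facts about Drupal core: Drupal 7 declares its version with `define('VERSION', ...)` in `includes/bootstrap.inc`, and Drupal 8 declares it as the class constant `VERSION` in `core/lib/Drupal.php`. The PHP snippets are constructed samples, and the values in `FIXED_RELEASES` are placeholders that must be replaced with the fixed releases listed in SA-CORE-2018-002 (and in the later advisory for the April fix) for each branch you run.

```python
import os
import re
from typing import Dict, Optional, Tuple

# Where Drupal core declares its version: a define() in Drupal 7, a class constant in Drupal 8.
CORE_VERSION_FILES = ("includes/bootstrap.inc", "core/lib/Drupal.php")

# Constructed samples of those declarations (not real files; versions chosen arbitrarily).
SAMPLE_D7_BOOTSTRAP = "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '7.57');\n"
SAMPLE_D8_DRUPAL_PHP = "<?php\nclass Drupal {\n  const VERSION = '8.5.0';\n}\n"

# PLACEHOLDER values: replace each with the fixed release the advisory names for that branch.
# Drupal 7 is one branch; Drupal 8 receives a separate fixed release per minor branch.
FIXED_RELEASES: Dict[str, str] = {"7": "7.99", "8.5": "8.5.99"}

_VERSION_PATTERNS = (
    re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)"),  # Drupal 7 style
    re.compile(r"const\s+VERSION\s*=\s*'([^']+)'\s*;"),         # Drupal 8 style
)


def extract_version(php_source: str) -> Optional[str]:
    """Return the version string declared in a Drupal core source file, or None."""
    for pattern in _VERSION_PATTERNS:
        match = pattern.search(php_source)
        if match:
            return match.group(1)
    return None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.5.1' or '7.58' into a comparable tuple; '8.6.x-dev' becomes (8, 6)."""
    parts = []
    for piece in version.split("-")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def branch_of(version: Tuple[int, ...]) -> str:
    """Drupal 7 is fixed as one branch ('7'); Drupal 8 per minor branch ('8.5')."""
    if version[0] < 8 or len(version) < 2:
        return str(version[0])
    return f"{version[0]}.{version[1]}"


def assess(php_source: str, fixed_releases: Dict[str, str] = FIXED_RELEASES) -> Dict[str, Optional[str]]:
    """Classify the declared core version as patched, vulnerable or unknown."""
    installed = extract_version(php_source)
    if installed is None:
        return {"installed": None, "status": "unknown", "reason": "no VERSION declaration found"}
    parsed = parse_version(installed)
    if not parsed:
        return {"installed": installed, "status": "unknown", "reason": "unparseable version"}
    fixed = fixed_releases.get(branch_of(parsed))
    if fixed is None:
        return {"installed": installed, "status": "unknown",
                "reason": f"no fixed release configured for branch {branch_of(parsed)}"}
    status = "patched" if parsed >= parse_version(fixed) else "vulnerable"
    return {"installed": installed, "status": status, "fixed": fixed}


def assess_docroot(docroot: str) -> Dict[str, Optional[str]]:
    """Locate the core version file under a real Drupal document root and assess it."""
    for rel in CORE_VERSION_FILES:
        path = os.path.join(docroot, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                return assess(fh.read())
    return {"installed": None, "status": "unknown", "reason": "no Drupal core version file found"}


if __name__ == "__main__":
    print("Drupal 7 sample:", assess(SAMPLE_D7_BOOTSTRAP))
    print("Drupal 8 sample:", assess(SAMPLE_D8_DRUPAL_PHP))
```

A result of "unknown" is deliberate for branches you have not configured, so that an unlisted minor branch is never silently reported as patched. Note also that a patched core version only tells you the hole is closed; it says nothing about whether the site was compromised before the patch was applied.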

Basically, if you use Drupal, your website probably isn't terribly safe - although it is widely recognized to be safer than WordPress, it’s significantly more complex. There have been a record-setting number of exploits on Drupal this year, and hackers show no signs of slowing down.

Of course, we think that all open-source CMS are potentially unsafe, so this shouldn't come as a surprise.

What Do I Do if My Website Has Been Infected?

Since updating Drupal will not remove backdoors already established on your website, you will need to consult the Drupal FAQs and attempt to fix it yourself. Unfortunately, most of the "fixes" involve restoring from backups or simply deleting your website entirely. FYI, the skills required to manage a Drupal website are significantly more demanding than those for WordPress, so if you decide to engage a Drupal developer, just know it's going to cost you more.
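Because a patched core says nothing about backdoors dropped before the patch, an integrity check against a known-good copy of the same release is the usual first step before deciding between cleaning the site and restoring from backup. The Python below is an added example, not code from the post or from the Drupal project. It hashes every PHP-bearing file in two directory trees and reports what was added, removed or modified; the trees it compares are constructed in a temporary directory (a pristine copy and a "live" copy with one changed file and one extra PHP file in the upload directory), so it runs offline and stands in for comparing a real document root against a fresh download of the same Drupal release.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# Extensions under which Drupal ships executable PHP; anything else is skipped.
PHP_EXTENSIONS = (".php", ".inc", ".module", ".theme", ".install", ".engine")


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large trees do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each PHP-bearing file under root (as a forward-slash relative path) to its hash."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(PHP_EXTENSIONS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_of(full)
    return manifest


def diff_manifests(baseline: Dict[str, str], live: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a known-good manifest with the live site's manifest."""
    base_paths, live_paths = set(baseline), set(live)
    return {
        "added": sorted(live_paths - base_paths),          # files core never shipped
        "removed": sorted(base_paths - live_paths),        # shipped files that vanished
        "modified": sorted(p for p in base_paths & live_paths if baseline[p] != live[p]),
    }


def _write(root: str, rel: str, content: str) -> None:
    """Helper for building the constructed sample trees."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: pristine core checkout versus a tampered live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            _write(root, "index.php", "<?php\nrequire_once 'includes/bootstrap.inc';\n")
            _write(root, "includes/bootstrap.inc", "<?php\ndefine('VERSION', '7.57');\n")
            _write(root, "sites/default/files/logo.png", "not php")  # ignored: not PHP
        # Tampering exists on the live copy only (constructed stand-ins for an implant).
        _write(live, "index.php",
               "<?php\n/* unexpected extra line */\nrequire_once 'includes/bootstrap.inc';\n")
        _write(live, "sites/default/files/cache.php",
               "<?php\n/* a PHP file inside the upload directory, which core never ships */\n")
        return diff_manifests(build_manifest(clean), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real site, build the baseline from a freshly downloaded copy of the exact release the site runs (plus your own known-good contributed modules), and treat anything in "added" that sits under `sites/default/files` as a priority: that directory exists for uploads, so core never places PHP there. Files listed as "modified" in core directories are the other place a persistence mechanism is likely to show up.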