Drupalgeddon 3 - Drupal Remote Code Execution Vulnerability

On 25 April 2018 Drupal, the web content management system provider, released a security patch. Within hours of releasing this patch, Drupal detected successful exploitation attempts.

Threat ID:: CC-2313
Category:
Threat Severity:: Medium
Threat Vector:
Published:: 26 April 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

On 25 April 2018 Drupal, the web content management system provider, released a security patch. Within hours of releasing this patch, Drupal detected successful exploitation attempts.

Affected platforms

The following platforms are known to be affected:

Drupal

Drupal – All versions

Threat details

The vulnerability exists in a URL parameter, “destination”, which is not sanitized. Attackers can leverage this to execute arbitrary commands on the web server.

There are multiple published exploitation examples available on the internet since the patch released. Attackers can also determine if the web site is vulnerable using Google.

For further information:

Threat updates

Date	Update
26 Jun 2018	CVE-2018-7602 is being exploited to deliver a number of cryptocurrency miners to affected devices. The malware packages, all some variant of the open-source XMRig mining program, are used to form botnets to mine the Monero cryptocurrency.

Remediation steps

Type	Step
	If you are using Drupal version 7.x upgrade to version 7.59 If you are using Drupal version 8.5.x upgrade to version 8.5.3 If you are using Drupal version 8.4.x upgrade to version 8.4.8. Please also note version 8.4.x are no longer supported, it is recommended that Drupal be upgraded to version 8.5.3 The NCSC Web Check service can identify if the latest version of Drupal 7 is in use or not. We encourage organisations to utilise this free service to check for known vulnerabilities on your websites.

Type

Step

If you are using Drupal version 7.x upgrade to version 7.59
If you are using Drupal version 8.5.x upgrade to version 8.5.3
If you are using Drupal version 8.4.x upgrade to version 8.4.8.
Please also note version 8.4.x are no longer supported, it is recommended that Drupal be upgraded to version 8.5.3
The NCSC Web Check service can identify if the latest version of Drupal 7 is in use or not. We encourage organisations to utilise this free service to check for known vulnerabilities on your websites.

CVE Vulnerabilities

Status

CVE-2018-7602

Status

CVE-2018-7602

Last edited: 17 February 2020 12:42 pm