New Campaign Targeting Drupal Websites

A new attack methodology has been identified which involves the Dirty COW (CVE-2016-5195) and Drupalgeddon 2 (CVE-2018-7600) vulnerabilities present in unpatched Drupal web servers.

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Affected platforms

The following platforms are known to be affected:

Threat details

A remote attacker can exploit this by persistently infecting vulnerable servers, which can result in the compromise of user machines.

Attackers have been observed scanning for websites that are running an outdated version of the Drupal content management system. Once a vulnerable site is identified, a Drupalgeddon 2 exploit can be used to gain initial access, which allows an attacker to search the site's local configuration files for database credentials. If a root account is present in the database connection settings, root access to the server can be obtained when those credentials match the server's own root credentials. If this does not work, the Dirty COW vulnerability can be exploited to escalate privileges from a limited user account to root. Once root access has been obtained, a legitimate SSH client can be installed on the web server.

At the time of publication, it is unknown why attackers are targeting Drupal web servers. It is likely that they are attempting to establish a method of logging in to the servers for future malicious purposes.

For further information:


Remediation steps

Users and administrators are encouraged to review Linux Kernel Changelog 4.8.3 and contact their relevant IT provider to apply the necessary updates. Additionally:

  • Users and administrators are encouraged to review Drupal's Security Advisory and update to versions 7.58 or 8.5.1.
  • NCSC's Web Check service can identify whether the latest version of Drupal 7 is in use. We encourage organisations to use this free service to check for known vulnerabilities on their websites.
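The following audit helper is an added example, not NHS Digital's code or part of any tool the alert references. It ties the threat description above (a root account in the database connection settings, an unpatched kernel) to the remediation steps (Drupal 7.58 / 8.5.1, kernel 4.8.3) by reading the places where a Drupal install records its own version (`includes/bootstrap.inc` for Drupal 7, `core/lib/Drupal.php` for Drupal 8), scanning `settings.php` for a `root` database user, and comparing `uname -r` against 4.8.3. The file contents used here are constructed samples so the script runs offline; the function names and the `audit()` structure are assumptions of this example.

```python
"""Defensive audit for the Drupal / Dirty COW chain described in the alert.
Added example (not NHS Digital's code). Sample inputs are constructed."""
import re
from typing import List, Optional, Tuple

# Fixed releases as stated in the alert's remediation steps.
DRUPAL_FIXED = {7: (7, 58), 8: (8, 5, 1)}
KERNEL_FIXED = (4, 8, 3)

# Files in which Drupal core records its version (assumed stable core locations).
VERSION_PATTERNS = {
    7: ("includes/bootstrap.inc", r"define\('VERSION',\s*'([\d.]+)'\)"),
    8: ("core/lib/Drupal.php", r"const VERSION\s*=\s*'([\d.]+)'"),
}

# Constructed sample file contents standing in for a real install.
SAMPLE_BOOTSTRAP_INC = "<?php\ndefine('VERSION', '7.57');\n"
SAMPLE_DRUPAL_PHP = "<?php\nclass Drupal {\n  const VERSION = '8.5.1';\n}\n"
SAMPLE_SETTINGS_PHP = """<?php
$databases['default']['default'] = array(
  'driver' => 'mysql',
  'database' => 'drupal',
  'username' => 'root',
  'password' => 'constructed-example',
);
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.4.0-98-generic' -> (4, 4, 0); drops suffixes after the first '-'."""
    core = text.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def drupal_version_from_source(major: int, file_text: str) -> Optional[Tuple[int, ...]]:
    """Extract the core version string from the version file for that major branch."""
    _, pattern = VERSION_PATTERNS[major]
    match = re.search(pattern, file_text)
    return parse_version(match.group(1)) if match else None


def drupal_is_patched(version: Tuple[int, ...]) -> bool:
    """True when the version is at or above the fixed release for its branch."""
    fixed = DRUPAL_FIXED.get(version[0])
    return fixed is not None and version >= fixed


def db_usernames(settings_text: str) -> List[str]:
    """Collect every 'username' => '...' value in a settings.php file."""
    return re.findall(r"'username'\s*=>\s*'([^']*)'", settings_text)


def audit(major: int, version_file_text: str, settings_text: str, uname_r: str) -> List[str]:
    """Return a list of findings; an empty list means nothing flagged."""
    findings = []
    version = drupal_version_from_source(major, version_file_text)
    if version is None:
        findings.append("drupal: version string not found in core file")
    elif not drupal_is_patched(version):
        shown = ".".join(map(str, version))
        findings.append(f"drupal: {shown} is below the fixed release for CVE-2018-7600")
    # The alert notes attackers look for a root account in the DB connection settings.
    for user in db_usernames(settings_text):
        if user == "root":
            findings.append("settings.php: database connection uses the 'root' account")
    # Mainline version check only: distributions backport the CVE-2016-5195 fix
    # without changing the version string, so confirm with the vendor advisory.
    if parse_version(uname_r) < KERNEL_FIXED:
        findings.append(f"kernel: {uname_r} predates 4.8.3; confirm CVE-2016-5195 backport")
    return findings


if __name__ == "__main__":
    for finding in audit(7, SAMPLE_BOOTSTRAP_INC, SAMPLE_SETTINGS_PHP, "4.4.0-98-generic"):
        print(finding)
```

On a real server the three inputs would be the contents of the version file for the install's major branch, the site's `settings.php`, and the output of `uname -r`. The kernel finding is deliberately conservative: a version below 4.8.3 is a prompt to check the distribution's advisory, not proof of exposure.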

Last edited: 11 January 2022 9:36 am