Drupal CMS Highly Critical Remote Code Execution Vulnerability

Issue
The Drupal security team has disclosed a Highly Critical Remote Code Execution (RCE) vulnerability, SA-CORE-2018-002 (CVE-2018-7600), affecting Drupal 7.x and 8.x as well as the end-of-life version 6. Because of the severity of the issue, fixes were released even for branches that are no longer supported: Drupal 8.3.x and 8.4.x received releases from the Drupal project, and Drupal 6 received a patch through the Drupal 6 Long Term Support vendors.

The Drupal Content Management System (CMS) powers 6% of the 10,000 most popular public web sites, and over 647,000 publicly-accessible web sites use this software. An install base that large makes it likely that attackers will quickly scan for and exploit unpatched Drupal sites, and that automated malware targeting the flaw will follow.

Remote code execution vulnerabilities like this one allow an attacker to run code of their own choosing on an unpatched installation, and this flaw is reachable without authentication. Successful exploitation can result in full compromise of the web server and can give the attacker a foothold from which to move laterally to other machines, including those on internal network segments.

InGuardians often finds that organizations do not have an accurate inventory of Internet-facing hosts or of the applications those hosts serve. In these cases, application vulnerabilities are particularly challenging to defend against, because it is impossible to patch software that the patch management staff do not know exists.

Impact
Unless Drupal core is updated to 7.58, 8.3.9, 8.4.6 or 8.5.1 (or later), it is possible for an attacker to gain full control of the affected system. Drupal 6 remains exploitable unless it has been patched against SA-CORE-2018-002. Depending on the attacker's skill set and the defender's level of network segmentation, an attacker could go on to take full control of the defender's infrastructure.

Recommendations
InGuardians recommends immediate patching of the Drupal content management system (CMS) across all versions. Until a patch can be applied, InGuardians recommends that affected organizations restrict access to the site to a small set of trusted IP addresses. Because the vulnerability is reachable by unauthenticated requests, the login page offers no protection; the restriction must be enforced in front of the application, at the web server, WAF or firewall. This restriction should be used only to perform the appropriate upgrades and patches, after which full access can be restored. Note that patching closes the hole but does not undo anything an attacker already did: a site that was exposed before it was patched should be reviewed for signs of compromise, such as unexpected files in the web root, new administrative accounts, or modified core files.

This is also the perfect opportunity to take an aggressive look at Internet-facing resources in order to develop an accurate inventory, with the intent of finding previously unknown assets, including unknown Drupal installations. Upon completion of Internet-facing asset discovery, InGuardians recommends performing a similar discovery on internal network segments.
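The following is an added example (not code from the advisory or from InGuardians) of how the two points above, checking an installation's version against the fixed releases and triaging a list of discovered hosts, can be automated. It fingerprints Drupal from the responses a crawler would collect (the X-Generator header, the Generator meta tag, and the first line of CHANGELOG.txt, which on Drupal 7 names the exact release) and rates each host against the SA-CORE-2018-002 fix versions. The probe responses and host names are constructed inline so the script runs offline; in practice they would come from a crawl of your external address ranges.

```python
"""Fingerprint Drupal from probe responses and rate exposure to SA-CORE-2018-002.

Added example; the sample responses below are constructed, not captured.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# First releases carrying the SA-CORE-2018-002 fix, per the Drupal advisory.
FIXED_RELEASES: Dict[Tuple[int, ...], Version] = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

VERSION_RE = re.compile(r"Drupal\s+(\d+(?:\.\d+){0,2})")


def parse_version(text: str) -> Optional[Version]:
    """'Drupal 7.58, 2018-03-28' -> (7, 58); 'Drupal 8 (https://...)' -> (8,)."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def fingerprint(headers: Dict[str, str], body: str,
                changelog: Optional[str] = None) -> Optional[Version]:
    """Return the most precise Drupal core version the responses reveal, or None.

    Signals, most to least precise: the first line of CHANGELOG.txt (full
    release on Drupal 7), then the X-Generator header and the Generator meta
    tag, which usually reveal only the major version.
    """
    candidates = []
    if changelog:
        candidates.append(parse_version(changelog.lstrip().split("\n", 1)[0]))
    hdr = {k.lower(): v for k, v in headers.items()}          # header names are case-insensitive
    candidates.append(parse_version(hdr.get("x-generator", "")))
    meta = re.search(r'<meta\s+name="generator"\s+content="([^"]*)"', body, re.I)
    candidates.append(parse_version(meta.group(1)) if meta else None)
    found = [v for v in candidates if v]
    return max(found, key=len) if found else None             # prefer the most specific signal


def exposure(version: Optional[Version]) -> str:
    """'vulnerable', 'patched', 'verify' (not enough data to decide) or 'not-drupal'."""
    if not version:
        return "not-drupal"
    major = version[0]
    if major == 6:
        # Drupal 6 is end-of-life; its fix came from the D6 LTS vendors and a
        # version string alone cannot show whether that patch was applied.
        return "verify"
    if major == 7:
        if len(version) < 2:
            return "verify"
        return "vulnerable" if version < FIXED_RELEASES[(7,)] else "patched"
    if major == 8:
        if len(version) < 3:
            return "verify"
        fixed = FIXED_RELEASES.get((8, version[1]))
        if fixed is None:
            # 8.0-8.2 are unsupported branches that received no fix; 8.6 and
            # later were released after the advisory and include it.
            return "vulnerable" if version[1] < 3 else "patched"
        return "vulnerable" if version < fixed else "patched"
    return "verify"


def triage(hosts: List[Dict]) -> List[Tuple[str, Optional[str], str]]:
    """Rate each probed host; returns (host, version string or None, exposure)."""
    results = []
    for h in hosts:
        v = fingerprint(h["headers"], h["body"], h.get("changelog"))
        results.append((h["host"], ".".join(map(str, v)) if v else None, exposure(v)))
    return results


# Constructed probe results standing in for a crawl of Internet-facing hosts.
SAMPLE_HOSTS = [
    {"host": "www.example.com",
     "headers": {"X-Generator": "Drupal 7 (http://drupal.org)"},
     "body": '<meta name="Generator" content="Drupal 7 (http://drupal.org)" />',
     "changelog": "Drupal 7.57, 2018-02-21\n-----------------------\n"},
    {"host": "intranet.example.com",
     "headers": {"x-generator": "Drupal 7 (http://drupal.org)"},
     "body": "",
     "changelog": "Drupal 7.58, 2018-03-28\n-----------------------\n"},
    {"host": "blog.example.com",
     "headers": {"X-Generator": "Drupal 8 (https://www.drupal.org)"},
     "body": '<meta name="Generator" content="Drupal 8 (https://www.drupal.org)" />'},
    {"host": "legacy.example.com",
     "headers": {},
     "body": '<meta name="Generator" content="Drupal 6 (http://drupal.org)" />'},
    {"host": "shop.example.com",
     "headers": {"Server": "nginx"},
     "body": "<html><body>Hello</body></html>"},
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_HOSTS):
        print(f"{host:<24} {ver or '-':<8} {status}")
```

Anything rated "verify" is not a pass: a Drupal 8 site that exposes only its major version, or any Drupal 6 site, still has to be checked by hand (for example by reading the installed core version from the server itself), and a host that hides its version entirely may still be Drupal. Treat the script as a way to prioritize the list the discovery exercise produces, not as proof that a host is safe.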

Additional Resources 
Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002
https://www.drupal.org/sa-core-2018-002
FAQ about [Security Advisory] SA-CORE-2018-002
https://groups.drupal.org/security/faq-2018-002
[Content Management System] CMS Usage Statistics
https://trends.builtwith.com/cms