Worse, attackers have already been spotted targeting the flaw to deliver cryptocurrency miners and other payloads

Days after the team behind Drupal urged website admins to apply an update patching a highly critical vulnerability in the content management system (CMS) platform, threat actors were spotted exploiting the loophole in the wild.

The remote code execution (RCE) vulnerability in the Drupal core was assigned a security risk score of 23/25 by the organization behind the platform. The flaw, tracked as CVE-2019-6340, stems from the fact that “some field types do not properly sanitize data from non-form sources”, which may enable attackers to execute arbitrary PHP code on vulnerable sites, reads Drupal’s security alert.

As a result, the team urged Drupal 8.6.x users to update to version 8.6.10 and those with sites running 8.5.x to update to 8.5.11. Older versions of Drupal 8 won’t receive an update, whereas no core update is required for Drupal 7. That said, sites running Drupal 7 may still be vulnerable due to the bug affecting several contributed modules, so admins were urged to check for patches to those modules.

Drupal gave a heads-up of the fix on February 19, i.e. a day before releasing the update itself. Along with the patch came proposed mitigations for Drupal installations where the patch can’t be applied immediately, including a recommendation to disable all web services modules.

Come the next day and a proof-of-concept (PoC) exploit was published online and, as might have been expected, attacks weren’t long in coming. On Monday, Imperva said that it alone had detected dozens of attempts to leverage the flaw and deliver various payloads. These included a JavaScript-based cryptocurrency miner called CoinIMP that, once injected into a vulnerable site, would hijack visitors’ machines to mine for virtual currency such as Monero. Additionally, there have also been attempts to leverage the exploit to plant a shell enabling attackers to upload arbitrary files onto unpatched Drupal sites.

The attacks came from various parts of the world and looked to hit various targets, including those in government and the financial services industry. In addition, Imperva noted that the proposed mitigations actually do not foil the exploitation.

It’s not clear just how many sites could be vulnerable to onslaughts against what is the third most widely used CMS platform after WordPress and Joomla.

Source: HERE

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!