Worse, attackers have already been spotted targeting the flaw to deliver cryptocurrency miners and other payloads.
Days after the team behind Drupal urged website admins to apply an update patching a highly critical vulnerability in the content management system (CMS) platform, threat actors were spotted exploiting the loophole in the wild.
The remote code execution (RCE) vulnerability in the Drupal core was assigned a security risk score of 23/25 by the organization behind the platform. The flaw, tracked as CVE-2019-6340, stems from the fact that “some field types do not properly sanitize data from non-form sources”, which may enable attackers to execute arbitrary PHP code on vulnerable sites, reads Drupal’s security alert.
As a result, the team urged Drupal 8.6.x users to update to version 8.6.10 and those with sites running 8.5.x to update to 8.5.11. Older versions of Drupal 8 won’t receive an update, whereas no core update is required for Drupal 7. That said, sites running Drupal 7 may still be vulnerable due to the bug affecting several contributed modules, so admins were urged to check for patches to those modules.
Drupal gave a heads-up of the fix on February 19, i.e. a day before releasing the update itself. Along with the patch came proposed mitigations for Drupal installations where the patch can’t be applied immediately, including a recommendation to disable all web services modules.
The attacks came from various parts of the world and looked to hit various targets, including those in government and the financial services industry. In addition, Imperva noted that the proposed mitigations actually do not foil the exploitation.
It’s not clear just how many sites could be vulnerable to onslaughts against what is the third most widely used CMS platform after WordPress and Joomla.
written by Tomas Foltyn, ESET We Live Security