{ "file_item": { "filepath": "security-advisories", "filename": "CERT-EU-SA2018-008.pdf" }, "title": "Drupal Core \u2013 Remote Code Execution", "serial_number": "2018-008", "publish_date": "30-03-2018 14:54:00", "description": "Drupal team announced a security advisory for a vulnerability (CVE-2018-7600) reported by Jasper Mattsson and rated as Highly Critical with a score of 21/25 based on the NIST Common Misuse Scoring System. A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site. Successful exploitation could lead to a potential compromise of the web application and possibly the underlying operating system as well.", "url_title": "2018-008", "content_markdown": "---\ntitle: 'Drupal Core -- Remote Code Execution'\nversion: '1.0'\nnumber: '2018-008'\ndate: 'March 30, 2018'\n---\n\n_History:_\n\n* _30/03/2018 --- v1.0: Initial publication_\n\n# Summary\n\nDrupal is a content management system often used for Enterprise Content Management Projects. Drupal team announced a security advisory [5] for a vulnerability CVE-2018-7600 reported by Jasper Mattsson and rated as Highly Critical with a score of 21/25 based on the NIST Common Misuse Scoring System.\n\nA remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site.\n\nSuccessful exploitation could lead to a potential compromise of the web application and possibly the underlying operating system as well.\n\n# Products Affected\n\nThis vulnerability affects the Drupal core and affects the 7.x, 8.3.x, 8.4.x, and 8.5.x versions of Drupal, for which the patches have been issued.\n\nThis vulnerability affects the Drupal core versions Drupal 8.2.x and earlier, as well as Drupal 6, however these versions will not be patched.\n\n# Recommendations\n\nUpgrade to the most recent version of Drupal 7 or 8 core.\n\nIf you are running 7.x, upgrade to Drupal 7.58. If you are unable to upgrade immediately, you can attempt to apply the available patch [1] to fix the vulnerability until you are able to completely upgrade.\n\nIf you are running 8.5.x, upgrade to Drupal 8.5.1. If you are unable to upgrade immediately, you can attempt to apply the available patch [2] to fix the vulnerability until you are able to completely upgrade.\n\nDrupal 8.3.x and 8.4.x are no longer supported and Drupal does not normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, currently they are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0.\n\nYour site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Consider to update to a supported version after installing this security update. If you are running 8.3.x, upgrade to Drupal 8.3.9 or apply the available patch [2]. If you are running 8.4.x, upgrade to Drupal 8.4.6 or apply the available patch [2].\n\nThis issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.\n\nThis issue also affects Drupal 6. Drupal 6 is End-of-Life and will not be patched.\n\n# Mitigations\n\nIf you are unable to upgrade to Drupal 7.58 immediately, you can attempt to apply the available patch [1] to fix the vulnerability until upgrade to Drupal 7.58.\n\nIf you are unable to upgrade to Drupal 8.5.1, 8.3.9, or 8.4.6 immediately, you can attempt to apply the available patch [2] to fix the vulnerability until upgrade to non-vulnerable version of Drupal.\n\n# Exploits\n\nGiven that Drupal core is open source and diffs are available, we expect an exploit to be out soon [3, 4]. Drupal site owners must take action immediately or risk complete compromise of their web sites.\n\n\n# References\n\n[1] \n\n[2] \n\n[3] \n\n[4] \n\n[5] \n", "content_html": "

History:

  • 30/03/2018 --- v1.0: Initial publication

Summary

Drupal is a content management system often used for Enterprise Content Management Projects. Drupal team announced a security advisory [5] for a vulnerability CVE-2018-7600 reported by Jasper Mattsson and rated as Highly Critical with a score of 21/25 based on the NIST Common Misuse Scoring System.

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site.

Successful exploitation could lead to a potential compromise of the web application and possibly the underlying operating system as well.

Products Affected

This vulnerability affects the Drupal core and affects the 7.x, 8.3.x, 8.4.x, and 8.5.x versions of Drupal, for which the patches have been issued.

This vulnerability affects the Drupal core versions Drupal 8.2.x and earlier, as well as Drupal 6, however these versions will not be patched.

Recommendations

Upgrade to the most recent version of Drupal 7 or 8 core.

If you are running 7.x, upgrade to Drupal 7.58. If you are unable to upgrade immediately, you can attempt to apply the available patch [1] to fix the vulnerability until you are able to completely upgrade.

If you are running 8.5.x, upgrade to Drupal 8.5.1. If you are unable to upgrade immediately, you can attempt to apply the available patch [2] to fix the vulnerability until you are able to completely upgrade.

Drupal 8.3.x and 8.4.x are no longer supported and Drupal does not normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, currently they are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0.

Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Consider to update to a supported version after installing this security update. If you are running 8.3.x, upgrade to Drupal 8.3.9 or apply the available patch [2]. If you are running 8.4.x, upgrade to Drupal 8.4.6 or apply the available patch [2].

This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.

This issue also affects Drupal 6. Drupal 6 is End-of-Life and will not be patched.

Mitigations

If you are unable to upgrade to Drupal 7.58 immediately, you can attempt to apply the available patch [1] to fix the vulnerability until upgrade to Drupal 7.58.

If you are unable to upgrade to Drupal 8.5.1, 8.3.9, or 8.4.6 immediately, you can attempt to apply the available patch [2] to fix the vulnerability until upgrade to non-vulnerable version of Drupal.

Exploits

Given that Drupal core is open source and diffs are available, we expect an exploit to be out soon [3, 4]. Drupal site owners must take action immediately or risk complete compromise of their web sites.

References

[1] https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5

[2] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f

[3] https://security.berkeley.edu/news/highly-critical-remote-code-execution-drupal-sa-core-2018-002

[4] https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714

[5] https://www.drupal.org/sa-core-2018-002

", "licence": { "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)", "link": "https://creativecommons.org/licenses/by/4.0/", "restrictions": "https://cert.europa.eu/legal-notice", "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies" } }