At the end of March, the Drupal Security Team confirmed that a “highly critical” vulnerability (dubbed Drupalgeddon2), tracked as CVE-2018-7600, was affecting Drupal 7 and 8 core and announced the availability of security updates on March 28th.
The vulnerability was discovered by the Drupal developers Jasper Mattsson.
Both Drupal 8.3.x and 8.4.x are no more supported, but due to the severity of the flaw, the Drupal Security Team decided to address it with specific security updates and experts called it Drupalgeddon2.
Drupal development team released the security update in time to address CVE-2018-7600.
A week after the release of the security update, a proof-of-concept (PoC) exploit was publicly disclosed.
The experts at security firm Check Point along with Drupal experts at Dofinity analyzed the CMS to analyzed the Drupalgeddon2 vulnerability and published a technical report on the flaw.
“In brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication.” reads the analysis.
“By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.”
After the publication of the report. the expert Vitalii Rudnykh shared a working Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes.”
Immediately after the disclosure of the PoC, security experts started observing bad actors attempting to exploit the flaw.
The experts at the Sucuri firm confirmed that they are seeing attempts for the Drupal RCE (CVE-2018-7600) in the wild, below the Tweet published by Sucuri founder and CTO Daniel Cid.
We are seeing attempts for the Drupal RCE (CVE-2018-7600) in the wild now: https://t.co/1tfpH08Ohb
Expect that to grow with the new exploits being shared publicly:https://t.co/V1C0E5hi4W
Also, good read from from CheckPoint explaining it:https://t.co/iD44ZRjOtG
— Daniel Cid (@danielcid) April 12, 2018
According to the researchers at the SANS Institute, threat actors are currently scanning the web for vulnerable servers using simple commands such as echo, phpinfo, whoami, and touch.
“The payload pings a host where the hostname of the target is prefixed to the hostname to be pinged. This is sort of interesting as mu6fea[.]ceye[.]io is a wildcard DNS entry, and *.mu6fea[.]ceye[.]io appears to resolve to 220.127.116.11 right now. So the detection of who is “pinging” is made most likely via DNS.” states the SANS.
Experts have no doubts, hackers will start soon exploiting the flaw to hack vulnerable websites in the wild.
(Security Affairs – Drupal, Drupalgeddon2)