Drupal has just issued its third flaw fix in a month, supplementing its previous patch for Drupalgeddon 2 with an unscheduled security update. After releasing a patch for a critical vulnerability in late March, Drupal is now having to do it all over again.
The most recent Drupal core vulnerability has been titled SA-CORE-2018-004 and assigned CVE-2018-7602. It is related to Drupal 7.x and 8.x specifically, within which a remote code execution vulnerability has been detected. This means attackers can potentially exploit multiple attack vectors on a Drupal site as it is related to Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002. Both vulnerabilities are currently being exploited in the wild, so the necessity for a patch is urgent. Following the Drupalgeddon2 patch in late March, the first attacks were seen around two weeks later, following the proof-of-concept (PoC) exploit and accompanying technical details being made public. Expect something similar with SA-CORE-2018-004.
The company is telling users to upgrade to the most recent version of Drupal 7 or 8 core as soon as possible. If users are not able to immediately update, Drupal advises them to attempt to apply the patch provided on their site until they can update completely. However, the patches will only work if the user’s site already has the fix from SA-CORE-2018-002 applied. They warn that if your site does not have that fix, it may already be compromised.
The latest code for Drupal 7 or 8 core can be found at Drupal’s website. For developers still on Drupal 6 (no longer officially supported), unofficial patches are being developed here.
SA-CORE-2018-004 can not only be leveraged to gain control of a website’s server, but it also allows hackers to steal information or change the content of pages. In addition to affecting Drupal 7.x and Drupal 8.x, a similar problem has been discovered in the Drupal Media module. According to the advisory, “The module contained a vulnerability similar to SA-CORE-2018-004, leading to a possible remote code execution (RCE) attack.”
Founder of the Drupal project, Dries Buytaert, wrote a blog post earlier this month about the patch in March. “It’s been nearly four years since the Drupal Security Team published a security release for Drupal core that is this critical,” he said. Make that four weeks now.