The Imunify360 Threat Intelligence Group are monitoring a remote code execution vulnerability targeting installations of the Drupal CMS. This vulnerability has the identifier CVE-2019-6340. It affects these versions of Drupal:
Remote code execution vulnerabilities allow attackers to execute arbitrary code on a platform, in this case, the Drupal CMS. The code can install other software, gather data for exporting, or permanently delete or modify data without the site owner's knowledge or consent. Attackers deliver malicious PHP payloads using automated scripts. It is this payload we have been tracking.
Attacks using the exploit were first detected on 24th February 2019. The number of attacks surged significantly since the first proof of concept became public. The chart below shows the number of blocked attempts over the past 3 days.
The payload contains the text:
Using this, an attacker can execute the id shell command to get an answer from a vulnerable server.
If you find this next string in your web server log, you may be a victim of this attack:
GET /node/1?_format=hal_json HTTP/1.1
If you are a user of Imunify360, a web application firewall (WAF) blocking rule protects you by detecting and deactivating malicious payloads.
If you do not have an intelligent WAF, you should immediately upgrade your Drupal installation to the latest version. If you cannot, you should disable the REST module in Drupal CMS.
With an integrated and modular organization, Imunify360 scales with your company and your needs in providing a secure and reliable web hosting service. It is a multi-layered defense system, with intelligent firewalls and IDS/IPS, precision targeting and eradication of malware and viruses, a centralized cyber incident management control panel, Hardened PHP and 'Proactive Defense', automated Linux kernel patch management, reputation management, all unified in one cohesive package, making it comprehensively the best choice for web hosting companies who are serious about security.