[Threat Intelligence Report] Remote Code Execution in Drupal 8 (CVE-2019-6340)

The Imunify360 Threat Intelligence Group are monitoring a remote code execution vulnerability targeting installations of the Drupal CMS. This vulnerability has the identifier CVE-2019-6340. It affects these versions of Drupal:

  • All 8.5.x versions, up to and including 8.5.11
  • All 8.6.x versions, up to and including 8.6.10

Attack Method

Remote code execution vulnerabilities allow attackers to execute arbitrary code on a platform, in this case, the Drupal CMS. The code can install other software, gather data for exporting, or permanently delete or modify data without the site owner's knowledge or consent. Attackers deliver malicious PHP payloads using automated scripts. It is this payload we have been tracking.

Attack Frequency

Attacks using the exploit were first detected on 24th February 2019. The number of attacks has surged significantly since the first proof of concept became public. The chart below shows the number of blocked attempts over the past 3 days.

Technical Profile

The payload contains the text:

"O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}" 

Using this, an attacker can execute the id shell command to get an answer from a vulnerable server.

If you find this next string in your web server log, you may be a victim of this attack:

GET /node/1?_format=hal_json HTTP/1.1 
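The two indicators above can be checked programmatically. The following Python sketch is an added example, not Imunify360 code: it scans Combined Log Format lines for `_format=hal_json` requests and checks a captured request body for the serialized class names in the payload quoted above. The function names, sample log lines and sample body are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Serialized PHP object header, e.g. O:24:"GuzzleHttp\Psr7\FnStream":2:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"(?P<cls>[A-Za-z0-9_\\]+)":\d+:\{')
# Class names that appear in the payload quoted in this report.
REPORTED_CLASSES = {"GuzzleHttp\\Psr7\\FnStream", "GuzzleHttp\\HandlerStack"}
# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Feb/2019:10:00:01 +0000] "GET /node/1?_format=hal_json HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [24/Feb/2019:10:00:02 +0000] "GET /node/2?%5Fformat=HAL_JSON HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.7 - - [24/Feb/2019:10:00:03 +0000] "GET /node/1 HTTP/1.1" 200 9000 "-" "-"',
]
# Constructed sample: only the first object header, JSON-escaped as logged.
SAMPLE_BODY = r'O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{'

def is_hal_json_request(target):
    """True if the request target carries _format=hal_json after URL decoding."""
    query = urlsplit(target).query
    return any(k == "_format" and v.lower() == "hal_json"
               for k, v in parse_qsl(query, keep_blank_values=True))

def scan_access_log(lines):
    """Return {client_ip: [(time, method, target, status), ...]} for matching lines."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_hal_json_request(m["target"]):
            hits[m["ip"]].append((m["time"], m["method"], m["target"], int(m["status"])))
    return dict(hits)

def serialized_classes(body):
    """List class names in serialized PHP object headers, undoing one level of JSON escaping."""
    unescaped = body.replace('\\\\', '\\').replace('\\"', '"')
    return [m["cls"] for m in PHP_OBJECT_RE.finditer(unescaped)]

def body_matches_report(body):
    """True if the body names a class from the payload quoted in this report."""
    return bool(REPORTED_CLASSES.intersection(serialized_classes(body)))

if __name__ == "__main__":
    for ip, rows in scan_access_log(SAMPLE_LOG).items():
        print(ip, [(method, target, status) for _, method, target, status in rows])
    print("body matches reported payload:", body_matches_report(SAMPLE_BODY))
```

A hit in the access log shows only that a REST resource was requested in HAL+JSON format. The body check needs request bodies from a WAF or audit log, since access logs normally do not record them.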

Attack Response and Remediation

If you are a user of Imunify360, a web application firewall (WAF) blocking rule protects you by detecting and deactivating malicious payloads.

If you do not have an intelligent WAF, you should immediately upgrade your Drupal installation to the latest version. If you cannot, you should disable the REST module in Drupal CMS.

About Imunify360

With an integrated and modular organization, Imunify360 scales with your company and your needs in providing a secure and reliable web hosting service. It is a multi-layered defense system, with intelligent firewalls and IDS/IPS, precision targeting and eradication of malware and viruses, a centralized cyber incident management control panel, Hardened PHP and 'Proactive Defense', automated Linux kernel patch management, reputation management, all unified in one cohesive package, making it comprehensively the best choice for web hosting companies who are serious about security.
