On March 28, 2018 Drupal released a highly critical security update affecting Drupal sites using version 7.x and 8.x. This security update addresses a critical vulnerability impacting approximately 1 million websites that could allow attackers to exploit multiple access points and take control of Drupal sites. In order to address the issue, Drupal has released two new versions and is recommending that all Drupal sites be updated as soon as possible.
Although support for Drupal 6.x has been discontinued, Drupal's long-term support partners have made patches available for Drupal 6.x users. However, site owners still running this discontinued version are advised to upgrade to Drupal 8.x so that their sites are covered by future security releases. Additionally, for users unable to upgrade immediately, Drupal has released patches that can be applied manually to Drupal 7.x and Drupal 8.x. Drupal notes that these patches may not fully secure sites against this vulnerability and recommends that full version upgrades be completed as soon as possible.
The vulnerability, CVE-2018-7600, has been nicknamed “Drupalgeddon2” after a SQL injection vulnerability disclosed in December 2014. It allows attackers to pass malicious code to any Drupal site without being signed in to the website. The vulnerability was discovered last week by a Drupal researcher, prompting Drupal to announce the security updates in advance so that users could plan and upgrade as soon as the patches became available. It is rated highly critical because of the ease with which it can be exploited: no authentication or special tools are required. If exploited, it allows attackers to take over an entire website with very little effort, causing loss of data, defacement, and destruction of the site.
At this time, Drupal’s developers have stated that no public proof of concept for exploiting this vulnerability has been detected, meaning that, to their knowledge, the vulnerability has not yet been used to compromise sites. Cybercriminals commonly use newly disclosed vulnerabilities to attack websites running unpatched or out-of-date CMS software once the disclosure process is complete. This makes it all the more critical to apply application updates as soon as they are released.
SiteLock has been working through the night to implement patches for all versions of Drupal 6.x, 7.x, and 8.x. Websites using SiteLock Infinity, SiteLock SMART PLUS, and Patchman services are all covered, and will receive the necessary vulnerability patches to their core Drupal applications on their next daily site scan. For sites using these services that are set to patch automatically, these patches will be applied without manual intervention and without impacting critical website features like themes and plugins.
Please note that while these patches fully address the highly critical remote code execution vulnerability, it is still recommended that site owners plan and complete full version upgrades at their convenience. Full version upgrades allow sites to take advantage of all features and bug fixes associated with the new versions.
For more information on how your Drupal application can be protected from malware and application vulnerabilities, call SiteLock to find the right solution for your site. We are available 24/7 at 855.378.6200.