Shut the backdoor

UPDATE (Feb 26; 11:08 UTC) Less than a week since Drupal rolled out its patch for the critical RCE bug, attackers have been actively exploiting the flaw to mine for cryptocurrency. “An exploit was published a day after the vulnerability was published, and continues to work even after following the Drupal team’s proposed remediation,” cybersecurity firm Imperva said in a blog post.

Web admins with sites running Drupal 8 have been advised to update their installations following the discovery of a critical flaw that could allow attackers to remotely execute malicious code.

In an out-of-band security update yesterday, Drupal said some field types were not properly sanitizing data from non-form sources. In some cases, this could lead to remote code execution (RCE).

The advisory reads:

A site is only affected by this if one of the following conditions is met:

• The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or

• the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

The developers of the open source CMS framework flagged the issue as ‘highly critical’, advising web admins to upgrade to Drupal 8.6.10 or 8.5.11, depending on which release branch the site runs.

Sites running Drupal 7 seem largely unaffected by the issue, although the developers said “several contributed modules do require updates”.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
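As an added example (not from the article or from Drupal), a small Python check that maps an installed Drupal 8 core version onto the advisory's guidance: the fixed releases are 8.6.10 and 8.5.11, branches before 8.5 are end-of-life, and an unpatched site only meets the advisory's conditions when a web services module accepts PATCH or POST. The `rest_writable` flag and the status labels are assumptions for the example.

```python
"""Branch-aware version check against the fixed releases named in the advisory.
Constructed example; not Drupal project code."""
from typing import Tuple

# Minimum patched release per supported 8.x branch, as stated in the advisory.
FIXED_RELEASES = {(8, 5): (8, 5, 11), (8, 6): (8, 6, 10)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse "8.6.9", "8.6.9-dev" or "8.6.x-dev" into a comparable tuple.
    An "x" or missing patch component is treated as 0."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 2 or len(parts) > 3:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = 0
    if len(parts) == 3 and parts[2] != "x":
        patch = int(parts[2])
    return major, minor, patch


def assess(version: str, rest_writable: bool) -> str:
    """Classify a site. rest_writable is True when the core REST module (or
    another web services module such as JSON:API) is enabled and accepts
    PATCH/POST, which is the advisory's precondition for the RCE.
    Status labels are this example's own, not Drupal's."""
    major, minor, patch = parse_version(version)
    if major != 8:
        return "not-drupal-8"      # Drupal 7 core is unaffected; check contrib modules
    if (major, minor) < (8, 5):
        return "eol"               # pre-8.5 receives no security coverage at all
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "unknown-branch"    # branch not covered by the advisory text
    if (major, minor, patch) >= fixed:
        # Version-only verdict: the article reports exploitation continuing after
        # the proposed remediation, so also review which web services modules are on.
        return "patched"
    return "exploitable" if rest_writable else "update-required"
```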
