Shut the backdoor
UPDATE (Feb 26; 11:08 UTC) Less than a week since Drupal rolled out its patch for the critical RCE bug, attackers have been actively exploiting the flaw to mine for cryptocurrency. “An exploit was published a day after the vulnerability was published, and continues to work even after following the Drupal team’s proposed remediation,” cybersecurity firm Imperva said in a blog post.
Web admins with sites running Drupal 8 have been advised to update their installations following the discovery of a critical flaw that could allow attackers to remotely execute malicious code.
In an out-of-band security update yesterday, Drupal said some field types were not properly sanitizing data from non-form sources. In some cases, this could lead to remote code execution (RCE).
The advisory reads: “A site is only affected by this if one of the following conditions is met:
• The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
• the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
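The two conditions above are configuration questions, so a site owner can check exposure before touching production. The following is an added example (not from the article, from Drupal, or from Imperva) that scans a Drupal 8 configuration export for `rest.resource.*.yml` files whose `methods` list includes POST or PATCH, the combination the advisory names for the core rest module. The file naming and the `configuration: methods:` layout are assumptions about how Drupal 8 exports rest module settings; verify them against your own export. The two config documents embedded below are constructed samples, and the small YAML-subset reader exists only to keep the example dependency-free.

```python
"""Flag Drupal 8 REST resource configs that accept POST or PATCH.

Added example, not code from the article or the Drupal project. Assumed
layout (check against your own config export): one rest.resource.<id>.yml
per enabled REST resource, with the allowed HTTP methods listed under
``configuration: methods:``. The sample configs below are constructed.
"""
import re
from typing import Dict, List

# Methods the advisory names as the exposure condition for the rest module.
RISKY_METHODS = {"POST", "PATCH"}

# Constructed sample: two resources as they might appear in a config export.
SAMPLE_CONFIGS: Dict[str, str] = {
    "rest.resource.entity.node.yml": """\
id: entity.node
plugin_id: 'entity:node'
granularity: resource
configuration:
  methods:
    - GET
    - POST
    - PATCH
  formats:
    - json
  authentication:
    - cookie
""",
    "rest.resource.entity.user.yml": """\
id: entity.user
plugin_id: 'entity:user'
granularity: resource
configuration:
  methods:
    - GET
  formats:
    - json
  authentication:
    - basic_auth
""",
}


def methods_from_config(text: str) -> List[str]:
    """Return the HTTP methods listed under the first ``methods:`` key.

    Handles both the block form (``- GET`` items indented under the key)
    and the inline form (``methods: [GET, POST]``). Items are collected
    until the first line that is not indented deeper than the key.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        inline = re.match(r"^\s*methods:\s*\[(.*)\]\s*$", line)
        if inline:
            return [m.strip().strip("'\"").upper()
                    for m in inline.group(1).split(",") if m.strip()]
        block = re.match(r"^(\s*)methods:\s*$", line)
        if not block:
            continue
        key_indent = len(block.group(1))
        methods: List[str] = []
        for item in lines[i + 1:]:
            if not item.strip():
                continue
            indent = len(item) - len(item.lstrip())
            im = re.match(r"^\s*-\s*['\"]?([A-Za-z]+)['\"]?\s*$", item)
            if indent <= key_indent or not im:
                break
            methods.append(im.group(1).upper())
        return methods
    return []


def exposed_resources(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each rest.resource.*.yml file to the risky methods it allows."""
    findings: Dict[str, List[str]] = {}
    for name, text in configs.items():
        if not name.startswith("rest.resource."):
            continue
        risky = sorted(m for m in methods_from_config(text) if m in RISKY_METHODS)
        if risky:
            findings[name] = risky
    return findings


if __name__ == "__main__":
    for name, risky in exposed_resources(SAMPLE_CONFIGS).items():
        print(f"{name}: allows {', '.join(risky)} -- review against the advisory")
```

Pointing `SAMPLE_CONFIGS` at the real files in a config sync directory turns this into a quick pre-patch triage: any resource it reports meets the first advisory condition and should be patched (or have the write methods disabled) first. It does not cover the second condition, since JSON:API and the Drupal 7 modules keep their settings elsewhere.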
Sites running Drupal 7 seem largely unaffected by the issue, although the developers said “several contributed modules do require updates”.
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.