Updated: April 24, 7:00 PM GMT
On March 28, 2018, Drupal, one of the world's largest open-source web content management platforms (reportedly used by over one million sites), issued a highly critical security advisory (SA-CORE-2018-002) describing a remote code execution (RCE) vulnerability in versions 6, 7, and 8 of the platform. If left unpatched, it could allow an unauthenticated attacker to exploit multiple attack vectors on a site and fully compromise it.
The vulnerability has been nicknamed "Drupalgeddon2" after another recent security flaw and has been assigned the following CVE identifier: CVE-2018-7600.
Drupal recommends that users running 7.x or 8.x core either upgrade immediately to the latest versions (currently 7.58 and 8.5.1) or apply the patches linked in the security advisory.
Even though version 6.x is affected, it has reached End of Life; Drupal recommends either upgrading to a currently supported version or consulting the Drupal 6 Long Term Support project.
Drupal has also released an FAQ on this issue, located here.
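A version check against the fixed releases named above, as an added example (not Trend Micro's or Drupal's code). It assumes Drupal's standard source layout for where core records its version, and it treats only 7.58+ and 8.5.1+ as patched, matching the upgrade recommendation, so installs carrying a backported patch are flagged for manual review rather than assumed safe.

```python
import re
import tempfile
from pathlib import Path

# Fixed releases named in the advisory: 7.58 and 8.5.1. Anything below them
# on the same branch is reported as needing the patch; Drupal 6 is EOL.
FIXED = {7: (7, 58), 8: (8, 5, 1)}

# Where each Drupal major branch records its core version. Assumed from
# Drupal's standard source layout (not from the article); adjust if needed.
VERSION_FILES = {
    "core/lib/Drupal.php": r"const VERSION = '([^']+)'",                # Drupal 8
    "includes/bootstrap.inc": r"define\('VERSION', '([^']+)'\)",        # Drupal 7
    "modules/system/system.module": r"define\('VERSION', '([^']+)'\)",  # Drupal 6
}

def parse_version(text):
    """Turn '8.5.1' or '7.58' into a tuple of ints; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"not a plain Drupal release version: {text!r}")
    return tuple(int(p) for p in text.split("."))

def assess(version):
    """Classify a version as 'patched', 'vulnerable', 'eol' or 'unknown'."""
    v = parse_version(version)
    if v[0] == 6:
        return "eol"          # affected, but only the D6 LTS project covers it
    if v[0] not in FIXED:
        return "unknown"      # not a branch the advisory addresses
    return "patched" if v >= FIXED[v[0]] else "vulnerable"

def find_version(docroot):
    """Read the core version string from a Drupal docroot, or None."""
    for rel, pattern in VERSION_FILES.items():
        path = Path(docroot) / rel
        if path.is_file():
            m = re.search(pattern, path.read_text(errors="replace"))
            if m:
                return m.group(1)
    return None

def demo():
    """Constructed Drupal 7 docroot with an unpatched version, for a dry run."""
    with tempfile.TemporaryDirectory() as root:
        inc = Path(root) / "includes" / "bootstrap.inc"
        inc.parent.mkdir(parents=True)
        inc.write_text("<?php\ndefine('VERSION', '7.57');\n")
        found = find_version(root)
        return found, assess(found)
```

Run `assess(find_version("/var/www/drupal"))` against a real docroot; `demo()` returns `('7.57', 'vulnerable')` for the constructed sample.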
Trend Micro Recommendation and Solutions
As with any vulnerability, Trend Micro highly recommends that users apply all critical patches and fixes that vendors provide for security issues as soon as possible. These patches will provide the strongest level of defense against any potential attacks.
At the time of writing there is no known public proof-of-concept (PoC) or exploit code. However, now that the vulnerability has been publicly disclosed, security researchers (and presumably would-be attackers) are already analyzing the patches. Given the large number of potential targets, an exploit or attack is expected to appear within days.
Fortunately, Trend Micro has analyzed the available information to determine whether proactive protection rules and filters can be created to help protect against potential attacks, and has deployed the following:
|Product|Component|Rule / Filter|
|---|---|---|
|Deep Security|Intrusion Prevention Rule¹|1008970 - Drupal Core RCE Vulnerability (CVE-2018-7600)|
|TippingPoint|DV Toolkit CSW Filter¹|CVE-2018-7600.csw (includes 2 filters)|
|Deep Discovery Inspector|DDI Rule|3575 - CVE-2018-7600 - Remote Code Execution - HTTP (Request) Beta|
|Anti-Malware Products|VSAPI Pattern|14.204.06 - ELF64_MUHSTIK.A|
|Anti-Spyware Products|Spyware (SSAPI) Pattern|1.940.44 - HKTL_CVE20187600|
¹ Due to the nature of the Deep Security rules and TippingPoint filters, certain environments may experience false positives. Customers are advised to review triggers in their networks and put the rules/filters in prevent mode if necessary.
In addition, all filters in the DV Toolkit (DVT) are disabled by default and have no recommended action set. More information on deploying DVT packages can be found here, or by contacting the Trend Micro TippingPoint Technical Assistance Center (TAC) with additional questions.