Public proof of concept code to exploit this vulnerability is now available: https://packetstormsecurity.com/files/151826. Drupal have also released updated information on the vulnerability:
"any enabled REST resource end-point, even if it only accepts GET requests, is also vulnerable"
[The advisory text below has been updated with this information]
On the 20th February Drupal published a critical security advisory outlining a remote code execution vulnerability. The Drupal announcement of this vulnerability is here:
A site is only affected by this if one of the following conditions is met:
- The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PATCH or POST requests, or
- the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
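The Drupal 8 conditions above can be checked offline against a site's exported configuration. The following is an added example, not code from Drupal or RedShield. It assumes a standard Drupal 8 config export (`core.extension.yml` plus `rest.resource.*.yml` files) and the module machine names `rest` and `jsonapi`. The sample data is constructed, and Drupal 7 sites are not covered.

```python
import re
# Assumption: Drupal 8 machine names of the modules the advisory names.
WEB_SERVICE_MODULES = {"rest": "RESTful Web Services", "jsonapi": "JSON:API"}
# Constructed sample exports, not taken from a real site.
SAMPLE_CORE = "module:\n  node: 0\n  rest: 0\ntheme:\n  bartik: 0\n"
SAMPLE_RESOURCES = {"rest.resource.entity.node.yml":
    "id: entity.node\nstatus: true\nconfiguration:\n  methods:\n    - GET\n"}

def enabled_modules(core_extension_yml):
    """Names listed under the top-level 'module:' key of core.extension.yml."""
    modules, in_section = set(), False
    for line in core_extension_yml.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):   # a top-level key opens a new section
            in_section = line.strip() == "module:"
        elif in_section:
            modules.add(line.split(":")[0].strip())
    return modules

def resource_methods(resource_yml):
    """(enabled, methods) for one rest.resource.*.yml export."""
    enabled = re.search(r"^status:\s*true\s*$", resource_yml, re.M) is not None
    methods, in_methods = [], False
    for line in resource_yml.splitlines():
        item = line.strip()
        if item == "methods:":
            in_methods = True
        elif in_methods and item.startswith("- "):
            methods.append(item[2:].strip("'\" ").upper())
        else:
            in_methods = False
    return enabled, methods

def assess(core_extension_yml, resources):
    """Findings for a config export; resources maps file name -> YAML text."""
    mods = enabled_modules(core_extension_yml)
    findings = [f"module enabled: {m} ({WEB_SERVICE_MODULES[m]})"
                for m in sorted(mods & set(WEB_SERVICE_MODULES))]
    if "rest" in mods:
        for name, text in sorted(resources.items()):
            enabled, methods = resource_methods(text)
            if enabled:   # a GET-only resource still counts, per the update
                findings.append(f"REST resource {name}: {','.join(methods) or 'none listed'}")
    return findings

if __name__ == "__main__":
    print("\n".join(assess(SAMPLE_CORE, SAMPLE_RESOURCES)))
```

An empty result means none of the Drupal 8 conditions were found in the export; any finding means the site should be treated as affected until it is upgraded.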
At this time our assessment is that RedShield customers are not vulnerable as RedShield will by default:
- block command execution attempts which may be delivered as part of any payload attempting to exploit this vulnerability including code embedded in serialised PHP.
- block HTTP PATCH requests
Exploit Proof of Concept
Public proof of concept code has been released here:
- Upgrade Drupal. Even though we believe RedShield customers are not vulnerable, Drupal users should upgrade. There is little detail on how the vulnerability is exploited, so a full assessment of risk is difficult at this stage.
- If you are running Drupal please get in touch with RedShield Support: firstname.lastname@example.org