UPDATE:
There is now public proof of concept code to exploit this vulnerability: https://packetstormsecurity.com/files/151826 and Drupal have released updated information on the vulnerability:
"any enabled REST resource end-point, even if it only accepts GET requests, is also vulnerable"
[The advisory text below has been updated with this information]
----
On the 20th February Drupal published a critical security advisory outlining a remote code execution vulnerability. The Drupal announcement of this vulnerability is here:
https://www.drupal.org/sa-core-2019-003
A site is only affected by this if one of the following conditions is met:
- The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PATCH or POST requests, or
- the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
Shielding Status
At this time our assessment is that RedShield customers are not vulnerable as RedShield will by default:
- block command execution attempts which may be delivered as part of any payload attempting to exploit this vulnerability including code embedded in serialised PHP.
- block HTTP PATCH requests
Exploit Proof of Concept
Public proof of concept code has been released here:
https://packetstormsecurity.com/files/151826
Recommended Actions
- Upgrade Drupal. Even though we believe RedShield customers are not vulnerable Drupal users should upgrade. There is little detail on how the vulnerability is exploited so a full assessment of risk is difficult at this stage.
- If you are running Drupal please get in touch with RedShield Support: support@redshield.co
Comments