Drupal RCE Flaw Exploited in Attacks Days After Patch

A vulnerability patched recently in the Drupal content management system (CMS) has been exploited in the wild to deliver cryptocurrency miners and other payloads. The attacks started just three days after a fix was released.

The flaw, tracked as CVE-2019-6340, is caused by the lack of proper data sanitization in some field types and it can allow an attacker to execute arbitrary PHP code. Exploitation is possible if the core RESTful Web Services module is enabled and it allows PATCH or POST requests. Attacks are also possible if another web services module is enabled, such as JSON:API in Drupal 8 or RESTful Web Services or Services in Drupal 7.

Drupal has released updates to address the vulnerability and told customers that they can mitigate it by disabling all web services modules, or configuring the server to not allow GET/PUT/PATCH/POST requests to web services resources.

The patches released on February 20 were quickly analyzed and technical details and proof-of-concept (PoC) code were released roughly two days later. Security firm Imperva revealed on Monday that it had started seeing attacks exploiting CVE-2019-6340 on February 23.

According to the company, it has observed hundreds of attack attempts aimed at dozens of its customers, including organizations in the government and financial services sectors. The malicious requests came from several threat groups and several countries.

Imperva says one of the most interesting payloads delivered in these attacks was a JavaScript-based cryptocurrency miner named CoinIMP. The tool is injected into the targeted website’s index.php file and it abuses the devices of the site’s visitors to mine Monero and other cryptocurrencies.

Attackers have also attempted to use the exploit to deliver a shell that allows them to upload arbitrary files to vulnerable Drupal sites.

Imperva also pointed out that attacks can be launched against websites whose administrators implemented the initial mitigations proposed by Drupal developers.

“[The exploit] continues to work even after following the Drupal team’s proposed remediation of disabling all web services modules and banning PUT/PATCH/POST requests to web services resources,” Imperva’s Edi Kogan explained. “Despite the fix, it is still possible to issue a GET request and therefore perform remote code execution as was the case with the other HTTP methods.”

Drupal developers have confirmed that the flaw has been exploited in the wild and made some clarifications regarding vulnerable components and mitigations.

Cybercriminals hacked many Drupal websites last year by exploiting two flaws dubbed Drupalgeddon2 and Drupalgeddon3. The attackers leveraged the vulnerabilities to deliver RATs, cryptocurrency miners and tech support scams.

Recent attacks also involved exploits that chained Drupalgeddon 2 with the DirtyCOW Linux kernel bug.

Related:Two Code Execution Flaws Patched in Drupal

Related: Drupal Refutes Reports of 115,000 Sites Still Affected by Drupalgeddon2

Related: Remote Code Execution Flaws Patched in Drupal