Drupal Refutes Reports of 115,000 Sites Still Affected by Drupalgeddon2

The Drupal Security Team has refuted reports that at least 115,000 websites are still vulnerable to Drupalgeddon2 attacks, arguing that the methodology used by the researcher who announced that number is flawed.

Researcher Troy Mursch recently conducted an analysis of websites running Drupal 7, the most widely used version of the content management system (CMS), and apparently found that many of them had still not patched the Drupalgeddon2 vulnerability.

Mursch identified nearly 500,000 Drupal 7 websites through the PublicWWW source code search engine and found that 115,070 had been running older versions of the CMS. The analysis showed that roughly 134,000 sites had not been vulnerable, while for 225,000 the version of Drupal they had been using could not be determined.

These numbers are apparently based on data from the publicly accessible “CHANGELOG.txt” file found on each website – sites using Drupal 7.58 or a later version were classified as not vulnerable while earlier versions were counted as affected.

“Checking the contents of CHANGELOG.txt is not a valid way to determine whether a site is vulnerable to any given attack vector,” the Drupal Security Team said in a statement posted on its website and sent out to journalists. “Patches distributed by the Drupal security team to fix the issues were widely used, but did not touch CHANGELOG.txt or any version strings defined elsewhere. There are also other mitigations that vendors have provided which would also not affect CHANGELOG.txt but would protect the site.”

“We believe the presented numbers to be inaccurate. We consider it to be misleading to draw conclusions from this sparse information,” it added.

In an update to his initial blog post, Mursch says it’s impossible to determine exactly how many Drupal websites are still vulnerable to Drupalgeddon2 attacks without actually attempting to exploit the vulnerability.

“While we know 115,000 sites are using outdated Drupal versions, based on the publically accessible CHANGELOG.txt found on each site, it’s possible someone applied a mitigation patch. However, the problem is we have no way of telling if they did unless we perform the actual exploit,” Mursch said.

“Unfortunately, attempting the exploit on nearly half a million sites would be highly illegal. Due to this, I won’t be performing the exploit or any variant of it to prove all the sites are vulnerable. The fact remains that each one of the 115,000 sites is using an outdated version Drupal,” he added.

Drupalgeddon2, tracked as CVE-2018-7600, allows a remote attacker to execute arbitrary code and take complete control of a website running Drupal 6, 7 or 8. The flaw has been patched with the release of versions 7.58, 8.5.1, 8.3.9 and 8.4.6, with fixes also available for the outdated Drupal 6.

Drupalgeddon2 has been exploited by malicious actors to deliver cryptocurrency miners, backdoors, RATs and tech support scams.

During the analysis of Drupalgeddon2, the Drupal Security Team and the developer who reported the original vulnerability identified another flaw. This second vulnerability, tracked as CVE-2018-7602 and dubbed by some Drupalgeddon3, has also been exploited in the wild.