ESB-2018.1162 - [Win][UNIX/Linux] Drupal Core 7 and Drupal Core 8: Administrator compromise - Remote/unauthenticated 2018-04-16

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1162
Drupal Core - Highly Critical - Public Service announcement - PSA-2018-002
                               16 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal Core 7
                   Drupal Core 8
Publisher:         Drupal
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Administrator Compromise        -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-7600  

Reference:         ESB-2018.0897

Original Bulletin: 
   https://www.drupal.org/psa-2018-002

- --------------------------BEGIN INCLUDED TEXT--------------------

Drupal Core - Highly Critical - Public Service announcement - PSA-2018-002

Posted by Drupal Security Team on 13 Apr 2018 at 17:36 UTC

    Advisory ID: PSA-2018-002
    Project: Drupal core
    Version: 7.x, 8.x
    Date: 2018-April-13
    Security risk: 24/25 (Highly Critical) 
                   AC:None/A:None/CI:All/II:All/E:Exploit/TD:Default

Description

This Public Service Announcement is a follow-up to SA-CORE-2018-002 - Drupal 
core - RCE. This is not an announcement of a new vulnerability. If you have 
not updated your site as described in SA-CORE-2018-002 you should assume your
site has been targeted and follow directions for remediation as described 
below.

The security team is now aware of automated attacks attempting to compromise 
Drupal 7 and 8 websites using the vulnerability reported in SA-CORE-2018-002.
Due to this, the security team is increasing the security risk score of that 
issue to 24/25

Sites not patched by Wednesday, 2018-04-11 may be compromised. This is the 
date when evidence emerged of automated attack attempts. It is possible 
targeted attacks occurred before that.

Simply updating Drupal will not remove backdoors or fix compromised sites.

If you find that your site is already patched, but you didnt do it, that can 
be a symptom that the site was compromised. Some attacks in the past have 
applied the patch as a way to guarantee that only that attacker is in control
of the site.

What to do if your site may be compromised

Attackers may have copied all data out of your site and could use it 
maliciously. There may be no trace of the attack.

Take a look at our help documentation, Your Drupal site got hacked, now what.

Recovery

Attackers may have created access points for themselves (sometimes called 
backdoors) in the database, code, files directory and other locations. 
Attackers could compromise other services on the server or escalate their 
access.

Removing a compromised websites backdoors is difficult because it is very 
difficult to be certain all backdoors have been found.

If you did not patch, you should restore from a backup. While recovery without
restoring from backup may be possible, this is not advised because backdoors 
can be extremely difficult to find. The recommendation is to restore from 
backup or rebuild from scratch. For more information please refer to this 
guide on hacked sites.

Contact and More Information

We prepared a FAQ that was released when SA-CORE-2018-002 was published. Read
more at FAQ on SA-CORE-2018-002.

The Drupal security team can be reached at security at drupal.org or via the 
contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure 
code for Drupal, and securing your site.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWtRK8ox+lLeg9Ub1AQgGpA/+KIR/oVwXV+mxsg7gX1n2zNtZ/D4R1loH
MfPdrR4aErtdezHNRPmkXJ25wj0bBp5e903TZvRIDVJ2E0v/8rzz2VRB4IFCZBDU
tSh12gcfXP/1F8+c4cbW17oAuX6xQUqov921P20vy6AIGVyPCExk2mbiBX53ohZQ
stSF9XYdngDfMHkieksxA4VtdJ4AviIn31VBu9E/yVCkrxt1lsEarCwhoHhUTk0u
mP+dC4yodj86bMXWcIfySb5aorAagY/0gZKdBfzwU3Vl6INA7JEU0QcjsxmW9LXc
FI3jPWRVCUHnRDuJZhdkTWz2rreFYKlmCnWlEUYmNU+Mzi8yWJr8hrJuImkTOZzS
2j/7vLY+c2NapM1/SL3OgjyqkkBCCG9L96i9rvOeap9dgrEsrAmx6xnz9Xk/elZf
6KM95rzTieWrw5oigYuDi2AOD5p/TAWuco/2LMmgKILsYJFz55ckCrkCrfaFL2tJ
ir1Ys7SWPO1Le0a8m8weLswUEBGazsnjFOE5Lsow30t9wbcJWuQskpqRQvYLaYXP
cA8vCGAKIhrLAfJfuzpLPvm+LVMXZWu6Z9KqD23F/vcjie1LZ/YBwhYt7BsClyJh
E/16JTTCjJIOHts3jLRYqRO7mA1XaQ4mYs7xHq6FeqZfFb0aRN1NcU3AcE5mFS2l
1r8eSqfZNzs=
=Ndmp
-----END PGP SIGNATURE-----

« Back to bulletins