Hackers Have Found a Way to Attack Drupal, and That Can Affect Your Virtual Security Too

SA-CORE-2019-003 Drupal Security Vulnerability

Drupal is the world's third most popular content management system (CMS). Out of context, this doesn't sound like that big of an achievement, but when you take into account the sheer vastness of the internet, you'll see that this single open-source project is responsible for delivering an astonishing amount of information. We're often talking about important information as well. Usage statistics suggest that while a greater number of websites are based on Joomla, the ones running Drupal have more visitors, and indeed, lists of popular Drupal sites show that it is the CMS of choice for many corporate giants, governments, and educational institutions.

The problem with this is that when Drupal develops a bug, it can affect a large number of important websites. Sadly, even the operators of high-profile internet portals don't always apply security patches on time, and the results often speak for themselves. Today, we'll talk about the most recent security bug, how it affected vulnerable websites, and what could have been done to minimize the damage.

SA-CORE-2019-003 – a critical remote code execution bug

It all started on February 20 when Drupal issued patches for a previously undisclosed remote code execution vulnerability affecting certain versions of the content management system. The bug, known as SA-CORE-2019-003 or CVE-2019-6340, is rooted in the fact that the affected Drupal installations don't properly sanitize data coming from non-form sources, and at first, it was thought that a remedy was possible even without applying the patch.

Developers reckoned that a few configuration changes could be enough, but a few days after the disclosure, they announced that their initial thoughts had been wrong. The security risk was then upgraded to Highly critical, but despite this, some website owners didn't update their installations immediately. The hackers needed no second invitation.

Cybercrooks plant cryptocurrency miners on vulnerable Drupal installations

Yesterday, Imperva, a company specializing in website security, said that just three days after the initial disclosure, hackers were already trying to exploit SA-CORE-2019-003. It was a fairly strong attack, and although it has subsided somewhat, as we'll learn in a minute, mounting an attack is not terribly difficult, which means that we might very well see some more activity around SA-CORE-2019-003.

We're talking about remote code execution. In other words, the attackers are more or less free to do whatever they want after they exploit the vulnerability. In the attacks Imperva observed, the crooks were mostly interested in injecting a JavaScript cryptocurrency miner called CoinIMP, which mines Monero and Webchain with the help of the visitors' hardware resources. In some cases, however, the researchers saw the crooks placing shells on the affected websites, meaning that they could upload files without permission or authentication. Next time, they might decide to use something more sinister like drive-by downloads that infect users' computers with malware.

It could have been worse

It must be said that mining cryptocurrency with unwitting people's computers isn't the nastiest form of cybercrime, and there are a few other things that could have made the attack much worse.

There's no way of knowing how big the campaign is. Imperva did notice a significant uptick, but they can only speak about their customers, meaning that we don't have any reliable figures. Many people reckon, however, that because SA-CORE-2019-003 affects a relatively limited range of Drupal versions, the attack can't be that widespread. In fact, some even think that the possible targets are so few and far between that the hackers will deem the exploit a waste of time. Obviously, we hope that they're right. We can't overlook the fact, however, that taking advantage of SA-CORE-2019-003 is easier than it should be.

Proof-of-concept code makes exploitation quick and simple

The initial disclosure from February 20 didn't contain much in the way of technical details, but needless to say, security professionals wanted to know more. Experts from Ambionics Security took the patch apart and realized that there was a bit more to the bug than was initially thought. To back their findings, they published a proof-of-concept exploit. All this helped Drupal learn more about the bug, and the decision was made to rate the vulnerability as Highly critical.

Unfortunately, the existence of a publicly available exploit also makes the criminals' job quite a bit easier, which means that despite the small number of potential victims, the threat is still very real.

You could argue for hours whether or not Ambionics' decision to publish the code was a good one. Some of you probably think that there's nothing wrong with it while others will say that privately informing Drupal about the findings and keeping the exploit under wraps would have been the better bet. Alternatively, you can just make sure that your Drupal website is updated and forget about SA-CORE-2019-003.

February 26, 2019
