In April, we released an advisory warning Drupal users to update immediately. Attackers were exploiting a critical remote code execution vulnerability in several Drupal components. The vulnerability — which was named Drupalgeddon — could be used to take over a Drupal site and possibly the server hosting it. As 2019 comes to an end, it appears many Drupal users failed to heed the warning. Drupalgeddon is still being used to compromise Drupal sites and servers. A recent surge in attacks exploiting this vulnerability makes updating a matter of urgency.
Drupal site owners who have yet to update should do so. Patches have been available since March 2018. The vulnerabilities are well-known and incorporated into exploit kits. It is simple for an attacker to scan the web for Drupal sites and try their luck with the easy-to-use exploit. It is only a matter of time before unpatched Drupal sites are taken over.
Drupal sites running versions older than Drupal 7.58 or Drupal 8.5.1 are vulnerable and should be updated. If updating is inconvenient, the vulnerability may be fixed by patching earlier versions. Patches are also available for Drupal 8.3 and 8.4. Drupal sites older than Drupal 8.2 are not supported and should be updated. Users of Drupal 6 may be able to update via the Drupal 6 Long Term Support project.
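A quick way to triage an installation against the guidance above is to read the VERSION constant that Drupal core declares and compare it with the fixed releases. The script below is an added example, not code from the advisory or from the Drupal project; it assumes the constant lives in includes/bootstrap.inc (Drupal 7) or core/lib/Drupal.php (Drupal 8), and the sample file contents are constructed. Since the 8.3 and 8.4 fixes shipped as backported patches, those branches are flagged for manual confirmation rather than judged by version string alone.

```python
import re

# Fixed releases named in the advisory; anything older on that branch is exposed.
# Drupal 7 uses two-part versions (7.58), Drupal 8 three-part (8.5.1).
FIXED = {7: (7, 58), 8: (8, 5, 1)}
# Unsupported 8.x branches for which the project published a backported patch.
BACKPORTED = {(8, 3), (8, 4)}

# Matches both forms core uses (assumed file locations):
#   Drupal 7: define('VERSION', '7.57');      (includes/bootstrap.inc)
#   Drupal 8: const VERSION = '8.5.0';        (core/lib/Drupal.php)
VERSION_RE = re.compile(r"""VERSION['"]?\s*[=,]\s*['"](\d+(?:\.\d+)+)""")


def parse_version(php_source: str):
    """Return the core VERSION as an int tuple, or None if not declared."""
    m = VERSION_RE.search(php_source)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def assess(version):
    """Classify a core version against the Drupalgeddon fix."""
    major = version[0]
    if major == 8 and version[:2] in BACKPORTED:
        # 8.3/8.4 are end-of-life; the fix exists only as a separate patch,
        # so the version string alone cannot prove it was applied.
        return "check-backport"
    if major == 8 and version[:2] < (8, 3):
        return "unsupported"          # no patch: upgrade to a supported branch
    if major in FIXED:
        return "vulnerable" if version < FIXED[major] else "fixed"
    return "unsupported"              # Drupal 6 and older: see the D6 LTS project


def assess_source(php_source: str) -> str:
    """Parse a core file's contents and classify the install."""
    version = parse_version(php_source)
    return "unknown" if version is None else assess(version)


if __name__ == "__main__":
    # Constructed samples standing in for the two core files.
    samples = {
        "includes/bootstrap.inc": "define('VERSION', '7.57');",
        "core/lib/Drupal.php": "  const VERSION = '8.5.1';",
    }
    for path, src in samples.items():
        print(f"{path}: {assess_source(src)}")
```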
Although Drupalgeddon is an old vulnerability and long since patched by the project, it is being exploited in a series of new attacks. According to security researchers at Imperva, attackers are using the vulnerability to gain access to Drupal sites. Once they have access, other vulnerabilities are used to gain root access to the server and install an SSH server.
The attackers scan for websites running old versions of Drupal. They use the Drupalgeddon exploit to establish a foothold. Once they’re in, they search Drupal’s config files for database credentials. The aim is to discover a database user with the same password as the server’s root user — an unfortunate but common security lapse.
If they are unable to find suitable credentials, the attackers take advantage of the Dirty COW vulnerability. Dirty COW is a local privilege escalation vulnerability. It can be used to gain root privileges from an ordinary user account. Drupalgeddon unlocks the door with an ordinary user account; Dirty COW hands over the keys with full root access. Once root access is gained, the attackers have control of the server and can install any software they desire.
Drupalgeddon and Dirty COW were patched months or years ago. There is no reason any server should be vulnerable to either exploit. Yet attackers are fruitfully applying both to take over servers. The takeaway message from this post: if you are using a vulnerable version of Drupal, your server is at imminent risk of being compromised, if it isn’t already compromised.