Attackers exploit critical Drupal vulnerability shortly after patch release
The team behind content management system Drupal warns that attackers are exploiting a vulnerability for which a patch was released on Wednesday evening. The vulnerability allows remote code execution.
The Drupal team published the warning before the attacks, hours after it released the patch for the vulnerability. It warned Tuesday that a patch for a critical vulnerability would be released shortly. At the time, it also said it expected that exploits for the vulnerability might appear within hours.
A Drupal maintainer tells Ars Technica that the attackers are using proof-of-concept code that has since appeared online on Pastebin. That code, which is written for Drupal 7, states that the attacker must be authenticated and must be able to delete nodes.
The code is reportedly not yet suitable for automated attacks, for example by means of a botnet. With targeted attacks happening now, the Drupal team has decided to raise the severity of the vulnerability to ‘highly critical’, whereas it initially used only the designation ‘critical’. On Wednesday it published a page with information about the vulnerability and the available patches. The vulnerability, tracked as CVE-2018-7602, was found by the team itself and affects versions 7 and 8 of the CMS.
Users of version 7.x can update to version 7.59; for 8.5.x, version 8.5.3 has been released; and the discontinued 8.4.x branch has an update to version 8.4.8. In the latter case, the team recommends a follow-up update to version 8.5.3.
The new patches follow a previous “highly critical” vulnerability, for which the Drupal team released patches at the end of March. In that case, it took about two weeks before the team warned that attackers were actively exploiting the vulnerability. Ultimately, that exploitation also happened on a large scale through botnets.