Drupalgeddon 3 – Remote Code Execution Vulnerability in Drupal

On 25 April 2018 Drupal, the web content management system providers, released a security patch. Within hours of releasing this patch Drupal detected successful exploitation attempts.

The vulnerability exists in a URL parameter, “destination”, which is not sanitized. Attackers can leverage this to execute arbitrary commands on the web server.

There are multiple exploitation examples published on the internet since Drupal released the patch. Attackers can also determine if the web site is vulnerable using Google.

Drupalgeddon checks for backdoors and other traces of known Drupal exploits of “Drupageddon” aka SA-CORE-2014-005 SQL injection. Drupalgeddon is not a module; it’s a Drush command.

This is a signature-based diagnostic tool, and can not guarantee a website has not been compromised.

The Drupalgeddon 2 vulnerability announcement came out in late March (2018-03-28 ) as SA-CORE-2018-002. The advisory was released with a patch and CVE (CVE-2018-7600) at the same time.

The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS.

Affected Platforms

Drupal – All versions

• If you are using Drupal version 7.x upgrade to version 7.59
• If you are using Drupal version 8.5.x upgrade to version 8.5.3
• If you are using Drupal version 8.4.x upgrade to version 8.4.8.
• Please also note version 8.4.x are no longer supported, it is recommended that Drupal be upgraded to version 8.5.3.