Ryan Barnett

Drupal core - Highly critical - Remote Code Execution

Blog Post created by Ryan Barnett Employee on Mar 28, 2018

UPDATE - April 13th

Based on newly identified vulnerability/exploit details (info below), Akamai Threat Research has made updates to the security protections provided in both Kona Site Defender and Web Application Protector.  KSD customers who have already enabled KRS rule ID 3000067 v1 have automatically received the updated protection logic so no action is required. WAP customers always receive automatic rule updates so no action is required.

 

New vulnerability/exploit details are now in the public domain –

 

---------------------- Original blog post below ----------------------

SA-CORE-2018-002 / CVE-2018-7600

On March 28th, 2018 the Drupal Security Team released the details about a previously undisclosed critical vulnerability. Akamai’s Threat Research Team has developed protections for this vulnerability.  Akamai customers who run Drupal will be able to reduce their exposure while they validate and apply Drupal's patch.

 

What you Should Do:

 

For the portions of your environment powered by Drupal, users should follow the information provided below:

  • Web Application Protector (WAP)
    • No action required.  Updates to the CMDi Threat Group protections has occurred inline and are active.
    • Should the WAP customer or partner know their entire application is powered by Drupal, applying the custom rule (based on the logic if KRS Rule ID 3000067) will remove the potential evasion of a sophisticated attacker removing the request hints that indicate they are communicating with a Drupal origin.  

 

  • Kona Site Defender (KSD)
    • Action required.  KRS Rule ID 3000067 must be enabled and activated. Note enabling this rule for non-Drupal requests may block legitimate traffic.
    • KRS Rule ID 3000067 is available for all versions of KRS so a ruleset upgrade is not required.
    • You can engage with your Security Service Primary, call into AkaTec, or contact your account team if you have additional questions.

  • Web Application Firewall (WAF) - same as Kona Site Defender

  • Kona DDoS Defender (KDD) - no update, KDD provides protection against volumetric attacks, which is not the case for this attack pattern.

Outcomes