On February 19, Drupal released a security advisory PSA-2019-02-19 (further amended by PSA-2019-02-22). The advisory contains information about a critical security flaw in Drupal 8.5 and 8.6 core. This flaw, classified as CVE-2019-6340, can be used for remote code execution (code injection). An exploit for this vulnerability has been released just a day later.
Blackhat hackers are currently using this vulnerability to attack unpatched websites. Some of the intercepted payloads included a cryptocurrency miner (CoinIMP for Monero and Webchain currencies) that is executed in the user’s browser when they visit an infected website. However, different payloads may be sent including web shells. This could lead to the attacker gaining full control over the victim’s website.
How To Protect Yourself
Scan all your Drupal sites using the latest release of Acunetix. If you don’t have Acunetix yet, get a demo version. Not all Drupal sites are vulnerable to CVE-2019-6340 but it’s better to be safe than sorry.
If you need a temporary quick fix for this vulnerability, you may disable the Drupal REST module. The original advisory stated that the vulnerability affects only POST/PATCH requests but it was quickly proven that even GET requests with no authentication can lead to remote code execution.
The only certain way to protect yourself against CVE-2019-6340 attacks is to upgrade your Drupal installation:
- If you use Drupal 8.6, upgrade immediately to 8.6.10.
- If you use Drupal 8.5, upgrade immediately to 8.5.11.
- Independent of the Drupal core version that you use, install all security updates for contributed projects.
If you believe that your Drupal site has been hacked, it is not enough to just upgrade. To remediate, follow the official Drupal guide.