The Drupal community woke up to a worrisome morning with the SA-CORE-2018-002 security advisory (CVE-2018-7600). The highly critical vulnerability mentions remote code execution vulnerability applicable to multiple Drupal core subsystems. The vulnerability resides in the Drupal core, which means all installations of Drupal, regardless of any installed plugin, are vulnerable.

Drupal is reporting on over a million installs across the internet:

Open-Source Investigation

The security advisory does not mention full details regarding the vulnerability, nor have any publicly available exploits been spotted in the wild yet.

However, due to the open-source nature of Drupal, security researchers are able to understand the context of the change using the git commit.

The code change shows an alarmingly named library added to the code: The main function in the library is called “stripDangerousValues”.

This gives an obvious hint that there are user input sanitization issues with Drupal. This means that user input could end up unsafely evaluated in unprotected code execution methods – or in other words, arbitrary remote code execution.A deeper look at the code change shows a specific issue with Form API handling of attributes such as #type, #description and more.

Therefore, an example exploit may look similar to the following:



ASM Mitigation

ASM is able to detect this attack vector using the “SQL-INJ "' #" (SQL comment) (Parameter)” signature:

Nonetheless, an ASU containing signatures specific for this vulnerability has been released and ready for download. The relevant signature IDs are: 200004423, 200004424, 200004440, 200004441, 200004442, 200004443, 200004444.