Reference: Advisory #2019-004
Version: 1.0
Affected software: Drupal 8.5.x, Drupal 8.6.x
Type: Remote code execution
CVE/CVSS: CVE-2019-6340
Source: https://www.drupal.org/sa-core-2019-003
Drupal has released security updates to address a vulnerability in Drupal Core. A remote attacker could exploit this vulnerability to take control of an affected system.
This vulnerability, registered as CVE-2019-6340, is rated highly critical by Drupal. A proof of concept has been published.
The vulnerability allows an attacker to add fields to a form via PUT, PATCH or POST requests, which could lead to arbitrary PHP code being executed remotely.
Vulnerable websites are those that use Drupal 8 RESTful Web Services and allow PATCH and POST requests. Websites with other active web services modules are also affected, such as JSON:API on Drupal 8, or Services or RESTful Web Services on Drupal 7.
CERT.be recommends that administrators update their Drupal version.
If patching is not possible immediately, you can mitigate the vulnerability by disabling all web services modules or by configuring your web server to reject PUT/PATCH/POST requests to web services resources.
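To check whether the web server mitigation above is actually in effect, a defender can scan the access log for PUT/PATCH/POST requests aimed at web services resources and look at the status codes they received. The following is an added example, not part of the CERT.be advisory; it assumes Apache/nginx combined log format and identifies web services resources by the Drupal 8 REST `?_format=` query parameter and the JSON:API `/jsonapi/` path prefix (default routes, adjust to the site), and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Methods the advisory says should be refused for web services resources.
WRITE_METHODS = {"PUT", "PATCH", "POST"}


def is_web_service_target(target: str) -> bool:
    """Heuristic for Drupal web services routes (assumed defaults):
    REST module requests carry ?_format=..., JSON:API lives under /jsonapi."""
    parts = urlsplit(target)
    if parts.path == "/jsonapi" or parts.path.startswith("/jsonapi/"):
        return True
    return "_format" in parse_qs(parts.query)


def flag_write_requests(log_lines):
    """Return (method, target, status) for each PUT/PATCH/POST to a web services resource.
    A 2xx status on a flagged line means the server accepted the write and the
    mitigation (method block or disabled modules) is not in place for that route."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not in the expected format
        method, target, status = m.group("method"), m.group("target"), int(m.group("status"))
        if method in WRITE_METHODS and is_web_service_target(target):
            hits.append((method, target, status))
    return hits


def unmitigated(log_lines):
    """Subset of flagged requests that the server actually accepted (2xx)."""
    return [h for h in flag_write_requests(log_lines) if 200 <= h[2] < 300]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Feb/2019:10:00:01 +0100] "GET /node/1?_format=json HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Feb/2019:10:00:02 +0100] "POST /node?_format=hal_json HTTP/1.1" 403 199',
    '203.0.113.7 - - [20/Feb/2019:10:00:03 +0100] "PATCH /jsonapi/node/article/1 HTTP/1.1" 200 880',
    '198.51.100.4 - - [20/Feb/2019:10:00:04 +0100] "POST /user/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in flag_write_requests(SAMPLE_LOG):
        print(hit)
```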