Recently disclosed Drupal CVE-2019-6340 RCE flaw exploited in the wild

Threat actors in the wild are exploiting the recently patched
CVE-2019-6340 flaw in the Drupal CMS to deliver cryptocurrency miners and other payloads.

Just three days after the CVE-2019-6340 flaw in Drupal was addressed, threat actors in the wild started exploiting the issue to deliver cryptocurrency miners and other payloads.

Last week, Drupal core team released security updates that address a “highly critical” remote code execution vulnerability.

The CVE-2019-6340 flaw is caused by the lack of proper data sanitization in some field types, an attacker could exploit the flaw to execute arbitrary PHP code.

“Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.” reads the security advisory published by Drupal.

The flaw was discovered by Samuel Mortenson of the Drupal Security Team.

In order to exploit the CVE-2019-6340 flaw, it is necessary that the core RESTful Web Services module is enabled and allows PATCH or POST requests. It is also possible to trigger the vulnerability if another web services module is enabled, such as JSON:API in Drupal 8 or RESTful Web Services or Services in Drupal 7.

Drupal released Drupal 8.6.10 and 8.5.11 to address the vulnerability. Drupal 7 does not need to be updated, but experts pointed out that there are some updates for Drupal 7 contributed modules that should be installed.

Two days after the release of the security fixes, on February 20, experts published technical details about the issue and also a PoC exploit code.

“By diffing Drupal 8.6.9 and 8.6.10, we can see that in the REST module, FieldItemNormalizer now uses a new trait, SerializedColumnNormalizerTrait. This trait provides the checkForSerializedStrings() method, which in short raises an exception if a string is provided for a value that is stored as a serialized string.” reads the technical analysis published by Ambionics security.

“This indicates the exploitation vector fairly clearly: through a REST request, the attacker needs to send a serialized property. This property will later be unserialize()d, thing that can easily be exploited using tools such as PHPGGC.”

Cybersecurity experts at Imperva observed hundreds of attacks against its customers exploiting the CVE-2019-6340 flaw on February 23. The attacks were carried out by multiple threat actors from several countries.

Hackers targeted dozens of Imperva’s customers, including organizations in the government and financial services sectors.

“We’ve found dozens of attack attempts aimed at dozens of websites that belong to our customers using this exploit, including sites in government and the financial services industry.” reads the analysis published by Imperva.

“The attacks originated from several attackers and countries, and all were blocked thanks to generic Imperva policies that had been in place long before the vulnerability was published.”

“An exploit was published a day after the vulnerability was published, and continues to work even after following the Drupal team’s proposed remediation of disabling all web services modules and banning PUT/PATCH/POST requests to web services resources.” reads the post from Imperva. “Despite the fix, it is still possible to issue a GET request and therefore perform remote code execution as was the case with the other HTTP methods.”

Hackers used a few payloads in the recent wave of attacks, one of the payloads observed by Imperva attempts to inject a Javascript cryptocurrency (Monero and Webchain) miner named CoinIMP into the index.php file of the compromised website. This causes all visitors will run the malicious script when visiting the homepage.

The attacker’s payload also attempts to install a shell uploader to upload arbitrary files on vulnerable Drupal sites.

According to Imperva, the exploitation of the flaw against websites is possible even after following the Drupal developers proposed the initial mitigation.

The Drupal development team confirmed that attackers in the wild have been exploited the flaw and provided further details about the issue.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – XSS, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – CVE 2019-6340, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]