For the third time in the last 30 days, Drupal site owners are forced to patch their installations. As the Drupal team noted a few days ago, new versions of the Drupal CMS were released, to patch one more critical RCE vulnerability affecting Drupal 7 and 8 core.
The vulnerability, code-named Drupalgeddon3, exploits improper input validation in the Form API. The flaw resides in the “destination” parameter that holds another encoded URL as a value. These values were not sanitized, allowing a remote authenticated attacker to execute arbitrary code in the server.
Unlike the previously disclosed Drupalgeddon2, this time, a proof-of-concept (PoC) was published less than 24 hours after the Drupal release. However, since this vulnerability requires the attacker to be authenticated in the attacked host, the volume of attacks is significantly lower. According to a new advisory released by the Drupal security team, this vulnerability is being exploited in the wild.
So far, all the attacks we registered involved reconnaissance attempts (e.g. commands like whoami, uname, etc.). We’re updating this post as more information becomes available, watch this space.
Imperva Customers Protected
Imperva SecureSphere and Incapsula WAF customers were protected from this attack due to our zero-day and RCE detection rules. We also published a new dedicated security rule to provide maximum protection against possible mutations of this attack.