Drupal released a critical update to address CVE-2018-7602. An attacker who exploits the bug can gain remote code execution and compromise the site. The vulnerability affects Drupal 7.x and 8.x and was disclosed by Drupal's in-house security team. A similar bug (CVE-2018-7600) was patched in SA-CORE-2018-002. Both of these vulnerabilities are being exploited in the wild.
Vulnerability
Drupal introduced RequestSanitizer.php to address CVE-2018-7600; it contains the function stripDangerousValues(), which sanitizes the GET query, the request body and cookies. The patch for CVE-2018-7602 mostly lives in the same file. A new function, checkDestination() (cleanDestination() in Drupal 7.x), is added: 'destination' is one of the accepted GET query parameters, and it can hold a URL with its own custom GET parameters. The fix for CVE-2018-7600 did not cover this case and failed to sanitize those nested parameters. checkDestination() inspects the parameters carried inside the 'destination' query and removes the destination entirely if it is invalid.
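As an added example (not Drupal's code and not part of this advisory), the following Python emulates the nested destination check described above and runs it over constructed access-log lines to show which requests the sanitizer would reject. The '#'-prefix rule is the one Drupal's stripDangerousValues() applies to request keys; the log format, field positions and function names are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Hypothetical mirror of Drupal's RequestSanitizer rule (not Drupal's code):
# keys beginning with '#' are render-array properties and are stripped.
def strip_dangerous_values(params):
    clean = {k: v for k, v in params.items() if not k.startswith("#")}
    removed = sorted(set(params) - set(clean))
    return clean, removed

def check_destination(query_string):
    """Emulates checkDestination(): parse the 'destination' GET parameter as a
    URL, sanitize its own query string, and report which keys would be dropped.
    Returns None when the request carries no destination parameter."""
    params = parse_qs(query_string, keep_blank_values=True)
    dest = params.get("destination")
    if not dest:
        return None
    # parse_qs percent-decoded the destination value once; its nested query
    # string is decoded a second time here, which is where '#' keys reappear
    # and why a single pass over the outer query string misses them.
    nested = parse_qs(urlsplit(dest[0]).query, keep_blank_values=True)
    _, removed = strip_dangerous_values(nested)
    return removed

def flag_requests(log_lines):
    """Scan combined-format access-log lines and return (request target,
    removed keys) for each request whose destination would be rejected."""
    flagged = []
    for line in log_lines:
        request_target = line.split(" ")[6]  # '"GET /path?q HTTP/1.1"' -> /path?q
        removed = check_destination(urlsplit(request_target).query)
        if removed:
            flagged.append((request_target, removed))
    return flagged

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # benign: destination with ordinary nested parameters
    '203.0.113.5 - - [25/Apr/2018:10:00:00 +0000] "GET /user/login?destination=/node/1%3Fpage%3D2 HTTP/1.1" 200 512',
    # destination whose nested query carries a '#'-prefixed key (encoded twice in transit)
    '203.0.113.9 - - [25/Apr/2018:10:00:01 +0000] "GET /user/login?destination=/node%3F%2523foo%255B%255D%3Dbar HTTP/1.1" 200 512',
    # no destination parameter at all
    '203.0.113.7 - - [25/Apr/2018:10:00:02 +0000] "GET /node/1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for target, keys in flag_requests(SAMPLE_LOG):
        print(f"rejected destination in {target}: stripped keys {keys}")
```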
Mitigation
Please apply the latest patches from Drupal SA-CORE-2018-004. Customers can scan their network with QID: 11964 to detect vulnerable targets. The QID uses the BlindElephant engine to detect the version of the Drupal installation. The QID will not flag a host if only the code changes were applied and the base version remains the same.
Please continue to follow Qualys Threat Protection for more coverage on this vulnerability.
References
Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-004
Drupal 7 and 8 core critical release on April 25th, 2018 PSA-2018-003
Drupal Critical RCE Patch Release [CVE-2018-7600]
CVE-2018-7602