Websites based on the popular open source content management framework, Drupal, are hosting a highly critical vulnerability which leaves them open to attacks and complete takeover. Drupal developers have already notified users about the severe code execution vulnerability which affects over a million websites, and have also released a security patch for different versions of Drupal.
The vulnerability has been labeled highly critical by the Drupal developer team, and it reportedly allows hackers to take complete control of a Drupal-based website by simply visiting it. “A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised”, read Drupal’s official security advisory about the vulnerability.
Discovered during the security audit of Drupal sites, no privilege is required to exploit the vulnerability, which leaves all non-public data stored on the website accessible to anyone. Moreover, all system data can be modified or deleted if someone succeeds in executing the exploit code. All websites running Drupal 8, 7 and 6 are affected, which accounts for around 9% of all sites running the Drupal CMS whose number stands at around one million.
The developer team has released a new security update for the following builds:
- Drupal 7.x: Users should upgrade to Drupal 7.58
- Drupal 8.5.x: Users should upgrade to Drupal 8.5.1
A separate security patch to fix the vulnerability has also been released in case users fail to install the new Drupal updates. Moreover, for minor releases which are no longer supported by the Drupal team, a new update as well as a security patch have also been released ‘given the potential severity of the issue.’
- Drupal 8.3.x: Upgrade to Drupal 8.3.9
- Drupal 8.4.x: Upgrade to Drupal 8.4.6
Users who are using even older versions of Drupal have been advised to upgrade to a recent build, with the exception of Drupal 6, which has now reached the end of its official support term. Thankfully, no attacks have been reported so far where the aforesaid vulnerability has been exploited.