Attacker Value
High
(3 users assessed)
Exploitability
Very High
(3 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

Drupalgeddon 2

Disclosure Date: March 29, 2018
CVE-2018-7600 CVSS v3 Base Score: 9.8
Exploited in the Wild
Reported by gwillcox-r7
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

Add Assessment

4
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Difficult to patchEasy to weaponizeVulnerable in default configuration
Technical Analysis

Due to many public exploits for this flaw this is an incredibly valuable tool for an attacker to have in their arsenal. My favorite variant of this exploit is: https://github.com/g0tmi1k/Drupalgeddon2

Log in to Add Reply
2
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

Many versions were vulnerable, and the vulnerability was in a well-used API. The exploit took some time to develop due to a need for a deep understanding of Drupal internals (see blog post in references).

Log in to Add Reply
1
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Difficult to patchEasy to weaponizeVulnerable in default configuration
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
  • Associated Malware: Kitty
  • Mitigation: Upgrade to the most recent version of Drupal 7 or 8 core.
Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
exploit
Utility Class
rce
Ports
Unknown
OS
Unknown
Vulnerable Versions
Unknown
Prerequisites
Unknown
Discovered By
Jasper Mattsson
PoC Author
Nixawk
FireFart
a2u
Metasploit Module
exploit/unix/webapp/drupal_drupalgeddon2
Reporter
Unknown

Vendors

  • debian,
  • drupal

Products

  • debian linux 7.0,
  • debian linux 8.0,
  • debian linux 9.0,
  • drupal

References

Canonical
BID-103534 (http://www.securityfocus.com/bid/103534)
CVE-2018-7600 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600)
Advisory
SECTRACK-1040598 (http://www.securitytracker.com/id/1040598)
https://groups.drupal.org/security/faq-2018-002
EXPLOIT-DB-44448 (https://www.exploit-db.com/exploits/44448)
https://www.drupal.org/sa-core-2018-002
https://www.synology.com/support/security/Synology_SA_18_17
DSA-4156 (https://www.debian.org/security/2018/dsa-4156)
[debian-lts-announce] 20180328 [SECURITY] [DLA 1325-1] drupal7 security update (https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html)
EXPLOIT-DB-44449 (https://www.exploit-db.com/exploits/44449)
EXPLOIT-DB-44482 (https://www.exploit-db.com/exploits/44482)
Miscellaneous
https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714
https://research.checkpoint.com/uncovering-drupalgeddon-2
https://twitter.com/RicterZ/status/984495201354854401
https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know
https://twitter.com/arancaytar/status/979090719003627521
https://greysec.net/showthread.php?tid=2912&pid=10561
https://www.us-cert.gov/ncas/alerts/aa20-133a
https://blog.rapid7.com/2018/04/27/drupalgeddon-vulnerability-what-is-it-are-you-impacted
https://twitter.com/RicterZ/status/979567469726613504
https://github.com/rapid7/metasploit-framework/pull/9876
https://github.com/g0rx/CVE-2018-7600-Drupal-RCE
https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600
https://github.com/a2u/CVE-2018-7600

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis