The social media and the cybersecurity sites were blowing up when Drupal published their latest vulnerability (SA-CORE-2019-003). It’s not a surprise that this remote code execution vulnerability got a highly critical label, as hackers could easily hack your Drupal 8 websites.
But BitNinja users shouldn’t have to worry for any minute, as they were protected by our WAF from the very beginning of this RCE flaw. We have already seen some attempts caught by the rule 933170, so hackers didn’t wait a lot to exploit the CVE-2019-6340.
How are hackers trying to exploit the latest Drupal vulnerability?
Cybercriminals are sending the '_format=hal_json' GET request then inject a serialized PHP object in the POST data. This technique will only work if the REST module is enabled.
If the hackers succeed, they can easily exploit this RCE vulnerability to run any malicious code and hack the vulnerable websites.
But putting effort to attack BitNinja protected servers is useless… The Ninja Community was already protected when the Drupal published this vulnerability because the 933170 WAF rule (which is part of the safe minimum ruleset) will stop the CVE-2019-6340 by filtering the serialized object injection.
We can see the signs that the hackers have already started to exploit the flaw. Let’s take a closer look at one of the stopped attacks:
As we mentioned, the 933170 rule, which protects you against CVE-2019-6340 is already enabled in the safe minimum ruleset, so take it easy, hackers won’t be able to hack your sites.
BitNinja against zero-day attacks
This wasn’t the first time when Drupal published a highly critical vulnerability. We can still remember the Drupalgeddon, which was also patched by us instantly. But there were other zero-days, such as Meltdown&Spectre, MODX and phpMyAdmin vulnerabilities which were all patched by BitNinja.
As you can see, we are always trying to patch zero-day attacks the most quickly, so if you'd like to have an ultimate weapon against zero-day attacks, don’t waste your time! Join our Ninja Community and make sure that WAF is activated on your servers.