Serious Drupal vulnerability alert! How to virtual patch it with BitNinja WAF?

Two days ago, a serious vulnerability, SA-CORE-2018-002 (CVE-2018-7600), was found in Drupal 6, 7 and 8. It affects over one million websites. All unpatched Drupal sites are in serious danger! An attacker can upload backdoors or malware via this newly discovered vulnerability. The vulnerability is scored 21/25, Highly Critical!

Details of the vulnerability:

This vulnerability has been categorized as a Highly Critical issue because…

  • With a simple visit to the site, attackers can easily leverage SA-CORE-2018-002.
  • No special privilege level is needed. Any user, even an anonymous one, is enough for successful exploitation.
  • Non-public data is fully accessible, too.

As you can see, it can have a serious impact on the affected websites, which is why its risk score is 21/25.

Drupal’s recommendations:

If you have a Drupal website, you should update it immediately. A patch has been released for all major Drupal versions and is available on the security announcement page.

Virtual patch with BitNinja WAF 2.0:

For BitNinja Pro users, we have implemented WAF rules to virtually patch this vulnerability. The Drupal Remote Execution Protection is already available in WAF 2.0! If you want to avoid the dramatic consequences of SA-CORE-2018-002, please enable rules 402001 and 402002 for the default pattern. The rules will be included in the safe minimum ruleset soon.

First catch

(updated: 1 April 2018)

BitNinja WAF is an effective shield against this vulnerability. Rule 402002 has already defended against the first incident:

This was the first log but not the last; we’ve already caught several attack attempts.

Were you affected by SA-CORE-2018-002 too? If rules 402001 and 402002 are enabled on your servers, check the logs now. Just visit the Network Attacks menu, choose the BL_BN_WAF incident type and look for logs similar to the one in the screenshot.

Take care of your servers’ safety now!