For millions of websites that rely on the Drupal platform, a highly critical remote code execution (RCE) vulnerability discovered about two months ago prompted companies to push through emergency patches to help protect their assets and sites from attack.
However, a new analysis finds that possibly hundreds of thousands of websites remain unpatched and vulnerable to what some security researchers have called "Drupalgeddon 2."
When it was first discovered in late March, the vulnerability -- CVE-2018-7600 -- made it possible for an attacker to completely take over an affected site from "multiple attack vectors," and allowed them to delete private data. (See Drupal RCE Vulnerability Requires Immediate Patching.)
The vulnerability could affect Versions 6, 7 and 8 of the Drupal content management system (CMS) platform. While the two latest versions of Drupal, Version 7.58 and Version 8.51, were not vulnerable, enough older versions of the platform remained in use that thousands of companies applied emergency patches to protect millions of websites.
Still, for some websites and companies, the warning went unheeded.
In a post on the Bad Packets Report, security researcher Troy Mursch wrote that he scanned some 500,000 websites that use the 7.1 Version of Drupal and found:
- 115,070 sites were outdated and vulnerable
- 134,447 sites were not vulnerable
- 225,056 sites were using undetermined versions of Drupal, meaning that some of these sites could still be exposed
Mursch did not share publicly which sites were vulnerable, but noted:
Numerous vulnerable sites found in the Alexa Top 1 Million included websites of major educational institutions in the United States and government organizations around the world. Other notable unpatched sites found were of a large television network, a multinational mass media and entertainment conglomerate, and two well-known computer hardware manufacturers.
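The three buckets in Mursch's scan (vulnerable, not vulnerable, undetermined) are exactly what a site owner wants from an inventory of their own Drupal 7 installs. The following is an added example, not code from the article or from Bad Packets Report: it classifies a Drupal 7 site by the first "Drupal 7.NN" line of its CHANGELOG.txt against the 7.58 fix release named above. The hostnames and changelog snippets are constructed sample input; the assumption that the version is read from CHANGELOG.txt (rather than from the X-Generator header, which for Drupal 7 carries only the major version) is mine.

```python
import re
from typing import Optional

# First release of the 7.x branch that fixes CVE-2018-7600 (SA-CORE-2018-002),
# as stated in the article above.
FIXED_D7 = (7, 58)

# Constructed sample inventory: host -> body of /CHANGELOG.txt as a defender's
# crawl of their own sites would retrieve it. Drupal 7 changelogs open with a
# line of the form "Drupal 7.58, 2018-03-28".
SAMPLE_CHANGELOGS = {
    "site-a.example": "Drupal 7.58, 2018-03-28\n-----------------------\n"
                      "- Fixed security issues (remote code execution).\n",
    "site-b.example": "Drupal 7.54, 2017-02-01\n-----------------------\n"
                      "- Fixed security issues.\n",
    "site-c.example": "",  # file removed or 404: version cannot be determined
    "site-d.example": "<html><body>Welcome</body></html>",  # not a changelog
}

_VERSION_RE = re.compile(r"^Drupal (\d+)\.(\d+)", re.M)


def parse_drupal7_version(changelog: str) -> Optional[tuple]:
    """Return (major, minor) from the first 'Drupal X.Y' line, or None.

    Only the 7.x branch is handled here; anything else (8.x, garbage, empty
    body) is reported as None so the caller files it as 'undetermined'.
    """
    m = _VERSION_RE.search(changelog)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    if major != 7:
        return None
    return (major, minor)


def classify(changelog: str) -> str:
    """Map a changelog body to one of Mursch's three buckets."""
    version = parse_drupal7_version(changelog)
    if version is None:
        return "undetermined"
    return "not vulnerable" if version >= FIXED_D7 else "vulnerable"


def triage(inventory: dict) -> dict:
    """Group hosts by bucket; hosts keep their inventory order within a bucket."""
    buckets = {"vulnerable": [], "not vulnerable": [], "undetermined": []}
    for host, body in inventory.items():
        buckets[classify(body)].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_CHANGELOGS).items():
        print(f"{bucket:15s} {len(hosts):3d}  {', '.join(hosts)}")
```

Treat the "vulnerable" bucket as "reports a vulnerable version", not as proof: a site patched with the SA-CORE-2018-002 patch file instead of a full upgrade still advertises the old version string, and a site that deleted CHANGELOG.txt lands in "undetermined" regardless of its real state. Confirm either case on the host itself (for example, from `drush status` or the VERSION constant in includes/bootstrap.inc) before closing the ticket.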
When it was first discovered in March, Drupal engineers noted that no attacks associated with the vulnerability had been observed in the wild.
During the past two months, however, a number of attacks have begun to appear, typically associated with cryptomining. Research firm SecurityTrails has documented a number of these campaigns.
In addition, Mursch wrote in his June 4 blog that he discovered an additional cryptojacking campaign that had injected Coinhive into sites. One of the affected sites that Mursch found belonged to a Belgian police department, but that has since been removed.
— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.