For millions of websites that rely on the Drupal platform, a highly critical remote code execution (RCE) vulnerability discovered about two months ago prompted companies to push through emergency patches to protect their sites and assets from attack.
However, a new analysis finds that possibly hundreds of thousands of websites remain unpatched and vulnerable to what some security researchers have called "Drupalgeddon 2."
When it was first discovered in late March, the vulnerability -- CVE-2018-7600 -- made it possible for an attacker to completely take over an affected site from "multiple attack vectors," and allowed them to delete private data. (See Drupal RCE Vulnerability Requires Immediate Patching.)
The vulnerability affects Versions 6, 7 and 8 of the Drupal content management system (CMS). While the two latest releases, Version 7.58 and Version 8.51, were not vulnerable to the RCE flaw, enough older versions of the platform remained in use that thousands of companies applied emergency patches to protect millions of websites.
Still, for some websites and companies, the warning went unheeded.
In a post on the Bad Packets Report, security researcher Troy Mursch wrote that he scanned some 500,000 websites running Drupal Version 7.1 and found:
- 115,070 sites were outdated and vulnerable
- 134,447 sites were not vulnerable
- 225,056 sites were using undetermined versions of Drupal, meaning that some of these sites could still be exposed
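The three buckets in Mursch's scan come down to one question per site: can a version string be recovered, and if so, is it at or above the release that carried the fix? The following is an added example written for this article, not code from Bad Packets Report or the Drupal project. It classifies version strings a defender has already collected from their own site inventory (for instance from the `X-Generator` response header, which normally only names the major version, or from a `CHANGELOG.txt` line) into the same three categories. The fixed releases it compares against are 7.58 and 8.5.1 (the latter is rendered as 8.51 above); the older 8.3 and 8.4 branches received 8.3.9 and 8.4.6, which are included as well. Every sample input is constructed.

```python
"""Bucket Drupal version strings the way Mursch's scan did.

Added example, not the researcher's or the project's own tooling.
Categories returned: "outdated and vulnerable", "not vulnerable", "undetermined".
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# First core release of each branch that contained the SA-CORE-2018-002 fix.
FIXED_RELEASE = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}
NEWEST_FIXED_MINOR = 5  # any 8.x branch newer than 8.5 was cut after the fix

# Matches "Drupal 7", "Drupal 7.57", "Drupal 8.5.1" in headers or changelogs.
VERSION_RE = re.compile(r"\bDrupal\s+(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the version as a tuple of ints, or None if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def classify(text: str) -> str:
    """Place one collected version string into one of the three scan buckets."""
    ver = parse_version(text)
    if ver is None or len(ver) < 2:
        # A bare "Drupal 7" (what X-Generator usually reveals) cannot be decided;
        # this is the case behind the 225,056 "undetermined" sites.
        return "undetermined"
    major = ver[0]
    if major == 6:
        # Drupal 6 core is end-of-life; treat it as unpatched unless a vendor LTS
        # patch has been confirmed by other means.
        return "outdated and vulnerable"
    if major == 7:
        fixed = FIXED_RELEASE[(7,)]
    elif major == 8:
        fixed = FIXED_RELEASE.get(ver[:2])
        if fixed is None:
            # 8.6+ shipped after the fix; 8.0-8.2 never received one.
            return "not vulnerable" if ver[1] > NEWEST_FIXED_MINOR else "outdated and vulnerable"
    else:
        return "undetermined"
    return "not vulnerable" if ver >= fixed else "outdated and vulnerable"


def summarize(samples: Iterable[str]) -> Dict[str, int]:
    """Count how many collected strings fall into each bucket."""
    return dict(Counter(classify(s) for s in samples))


# Constructed inventory data: header values and CHANGELOG.txt fragments.
SAMPLE_INVENTORY = [
    "X-Generator: Drupal 7 (http://drupal.org)",   # major only -> undetermined
    "Drupal 7.57, 2018-02-21",                     # one release before the fix
    "Drupal 7.58, 2018-03-28",                     # the fixed 7.x release
    "Drupal 8.5.0",                                # unpatched 8.5 branch
    "Drupal 8.5.1",                                # fixed 8.5 release
    "Drupal 8.2.3",                                # branch with no fix at all
    "Server: Apache/2.4",                          # no Drupal version exposed
]

if __name__ == "__main__":
    for line in SAMPLE_INVENTORY:
        print(f"{line!r:45} -> {classify(line)}")
    print(summarize(SAMPLE_INVENTORY))
```

The "undetermined" bucket is the one to worry about in practice: it is large precisely because a hardened site hides its exact version, so it has to be resolved from the server side (the installed codebase or `drush status`), not from the outside.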
Mursch did not share publicly which sites were vulnerable, but noted:
Numerous vulnerable sites found in the Alexa Top 1 Million included websites of major educational institutions in the United States and government organizations around the world. Other notable unpatched sites found were of a large television network, a multinational mass media and entertainment conglomerate, and two well-known computer hardware manufacturers.
When it was first discovered in March, Drupal engineers noted that no attacks associated with the vulnerability had been observed in the wild.
During the past two months, however, a number of attacks have begun to appear, typically associated with cryptomining. Research firm SecurityTrails has documented a number of these campaigns.
In addition, in a June 4 blog post, Mursch wrote that he had discovered a further cryptojacking campaign that injected Coinhive into compromised sites. One of the affected sites belonged to a Belgian police department, but the injected code has since been removed.
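Because a Coinhive injection lands in the HTML that a compromised Drupal site serves, the cheapest check a site owner can run is against their own rendered pages. The following is an added example written for this article, not the researcher's or the project's code: it scans page source for the Coinhive loader (`coinhive.com/lib/coinhive.min.js`) and the miner constructor calls (`CoinHive.Anonymous(`, `CoinHive.User(`) and reports each hit with its line number. The HTML inputs are constructed; the site key in them is a placeholder.

```python
"""Flag Coinhive miner injections in saved page source.

Added example, not from the original post. Indicators are the public Coinhive
loader URL and the constructor names from its browser API; everything else
(sample HTML, site key) is constructed for the demonstration.
"""
import re
from typing import List, Tuple

COINHIVE_INDICATORS = [
    ("loader script", re.compile(r"coinhive\.com/lib/coinhive\.min\.js", re.IGNORECASE)),
    ("miner constructor", re.compile(r"CoinHive\.(?:Anonymous|User)\s*\(", re.IGNORECASE)),
]


def find_coinhive(html: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_name, stripped_line) for every hit."""
    hits = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for name, pattern in COINHIVE_INDICATORS:
            if pattern.search(line):
                hits.append((lineno, name, line.strip()))
    return hits


def is_cryptojacked(html: str) -> bool:
    """True if the page carries at least one Coinhive indicator."""
    return bool(find_coinhive(html))


# Constructed page source resembling an injected Drupal 7 front page.
INJECTED_PAGE = """<!DOCTYPE html>
<html><head>
<meta name="Generator" content="Drupal 7 (http://drupal.org)" />
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY', {throttle: 0.5});
  miner.start();
</script>
</head><body><p>Welcome</p></body></html>
"""

# Constructed page source for a clean site of the same version.
CLEAN_PAGE = """<!DOCTYPE html>
<html><head>
<meta name="Generator" content="Drupal 7 (http://drupal.org)" />
<script src="/sites/all/themes/example/js/theme.js"></script>
</head><body><p>Welcome</p></body></html>
"""

if __name__ == "__main__":
    for lineno, name, text in find_coinhive(INJECTED_PAGE):
        print(f"line {lineno}: {name}: {text}")
    print("clean page flagged:", is_cryptojacked(CLEAN_PAGE))
```

Run it over a crawl of your own site after the Drupal core update: a hit means the update closed the door but the payload left behind on the first compromise is still being served, so the injected template, block or database row has to be cleaned up as a separate step.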