Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.1162 Drupal Core - Highly Critical - Public Service announcement - PSA-2018-002 16 April 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Drupal Core 7 Drupal Core 8 Publisher: Drupal Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Administrator Compromise -- Remote/Unauthenticated Execute Arbitrary Code/Commands -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2018-7600 Reference: ESB-2018.0897 Original Bulletin: https://www.drupal.org/psa-2018-002 - --------------------------BEGIN INCLUDED TEXT-------------------- Drupal Core - Highly Critical - Public Service announcement - PSA-2018-002 Posted by Drupal Security Team on 13 Apr 2018 at 17:36 UTC Advisory ID: PSA-2018-002 Project: Drupal core Version: 7.x, 8.x Date: 2018-April-13 Security risk: 24/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Exploit/TD:Default Description This Public Service Announcement is a follow-up to SA-CORE-2018-002 - Drupal core - RCE. This is not an announcement of a new vulnerability. If you have not updated your site as described in SA-CORE-2018-002 you should assume your site has been targeted and follow directions for remediation as described below. The security team is now aware of automated attacks attempting to compromise Drupal 7 and 8 websites using the vulnerability reported in SA-CORE-2018-002. Due to this, the security team is increasing the security risk score of that issue to 24/25 Sites not patched by Wednesday, 2018-04-11 may be compromised. This is the date when evidence emerged of automated attack attempts. It is possible targeted attacks occurred before that. Simply updating Drupal will not remove backdoors or fix compromised sites. If you find that your site is already patched, but you didnt do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site. What to do if your site may be compromised Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack. Take a look at our help documentation, Your Drupal site got hacked, now what. Recovery Attackers may have created access points for themselves (sometimes called backdoors) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access. Removing a compromised websites backdoors is difficult because it is very difficult to be certain all backdoors have been found. If you did not patch, you should restore from a backup. While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch. For more information please refer to this guide on hacked sites. Contact and More Information We prepared a FAQ that was released when SA-CORE-2018-002 was published. Read more at FAQ on SA-CORE-2018-002. The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact. Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWtRK8ox+lLeg9Ub1AQgGpA/+KIR/oVwXV+mxsg7gX1n2zNtZ/D4R1loH MfPdrR4aErtdezHNRPmkXJ25wj0bBp5e903TZvRIDVJ2E0v/8rzz2VRB4IFCZBDU tSh12gcfXP/1F8+c4cbW17oAuX6xQUqov921P20vy6AIGVyPCExk2mbiBX53ohZQ stSF9XYdngDfMHkieksxA4VtdJ4AviIn31VBu9E/yVCkrxt1lsEarCwhoHhUTk0u mP+dC4yodj86bMXWcIfySb5aorAagY/0gZKdBfzwU3Vl6INA7JEU0QcjsxmW9LXc FI3jPWRVCUHnRDuJZhdkTWz2rreFYKlmCnWlEUYmNU+Mzi8yWJr8hrJuImkTOZzS 2j/7vLY+c2NapM1/SL3OgjyqkkBCCG9L96i9rvOeap9dgrEsrAmx6xnz9Xk/elZf 6KM95rzTieWrw5oigYuDi2AOD5p/TAWuco/2LMmgKILsYJFz55ckCrkCrfaFL2tJ ir1Ys7SWPO1Le0a8m8weLswUEBGazsnjFOE5Lsow30t9wbcJWuQskpqRQvYLaYXP cA8vCGAKIhrLAfJfuzpLPvm+LVMXZWu6Z9KqD23F/vcjie1LZ/YBwhYt7BsClyJh E/16JTTCjJIOHts3jLRYqRO7mA1XaQ4mYs7xHq6FeqZfFb0aRN1NcU3AcE5mFS2l 1r8eSqfZNzs= =Ndmp -----END PGP SIGNATURE-----