[Security-news] Drupal Core - Highly Critical - Public Service announcement - PSA-2018-002
security-news at drupal.org
security-news at drupal.org
Fri Apr 13 18:04:36 UTC 2018
View online: https://www.drupal.org/psa-2018-002
* Advisory ID: PSA-2018-002
* Project: Drupal core [1]
* Version: 7.x, 8.x
* Date: 2018-April-13
* Security risk: 25/25 (Highly Critical)
AC:None/A:None/CI:All/II:All/E:Exploit/TD:All [2]
-------- DESCRIPTION
---------------------------------------------------------
This Public Service Announcement is a follow-up to SA-CORE-2018-002 - Drupal
core - RCE [3]. This is *not* an announcement of a new vulnerability. If you
have not updated your site as described in SA-CORE-2018-002 you should assume
your site has been targeted and follow directions for remediation as
described below.
The security team is now aware of automated attacks attempting to compromise
Drupal 7 and 8 websites using the vulnerability reported in SA-CORE-2018-002
[4]. Due to this, the security team is increasing the security risk score of
that issue to 25/25
*Sites not patched by Wednesday, 2018-04-11 may be compromised.* This is the
date when evidence emerged of automated attack attempts. It is possible
targeted attacks occurred before that.
*Simply updating Drupal will not remove backdoors or fix compromised sites.*
If you find that your site is already patched, but you didn’t do it, that
can be a symptom that the site was compromised. Some attacks in the past have
applied the patch as a way to guarantee that only that attacker is in control
of the site.
.... What to do if your site may be compromised
Attackers may have copied all data out of your site and could use it
maliciously. There may be no trace of the attack.
Take a look at our help documentation, ”Your Drupal site got hacked, now
what.” [5]
.... Recovery
Attackers may have created access points for themselves (sometimes called
“backdoors”) in the database, code, files directory and other locations.
Attackers could compromise other services on the server or escalate their
access.
Removing a compromised website’s backdoors is difficult because it is very
difficult to be certain all backdoors have been found.
If you did not patch, you should restore from a backup. While recovery
without restoring from backup may be possible, this is not advised because
backdoors can be extremely difficult to find. The recommendation is to
restore from backup or rebuild from scratch. For more information please
refer to this guide on hacked sites. [6]
-------- CONTACT AND MORE INFORMATION
----------------------------------------
We prepared a FAQ that was released when SA-CORE-2018-002 was published. Read
more at FAQ on SA-CORE-2018-002 [7].
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/SA-CORE-2018-002
[4] https://www.drupal.org//www.drupal.org/sa-core-2018-002
[5] https://www.drupal.org/node/2365547
[6] https://www.drupal.org/node/2365547
[7] https://groups.drupal.org/security/faq-2018-002
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
More information about the Security-news
mailing list