First things first! You have to patch your Drupal websites immediately. This is the third time in the last 30 days that Drupal websites have been vulnerable. Drupal has released new versions of its software, again, to patch another critical remote code execution vulnerability that affects its Drupal 7 and 8 core.
Drupal is a popular open-source content management system that powers millions of websites, and unfortunately, the CMS has been under active attack since the disclosure of a highly critical remote code execution vulnerability.
The last vulnerability, Drupalgeddon2 (CVE-2018-7600), was patched on March 28, but the changes made to fix this flaw have opened another critical loophole in the core software, forcing the Drupal team to release a new patch.
The new remote code execution vulnerability (CVE-2018-7602) can now allow hackers to take over vulnerable websites completely.
This kind of problem can be easily avoided if a robust cybersecurity solution is present on every device that you own. Depending on which version of OS is installed on your device, it is imperative to install an antivirus for Windows or antivirus for Mac. Companies should also use the services of a cybersecurity firm to verify their internal network by running various tests, like penetration tests and ethical hacking tests.
The company behind Drupal urged all website administrators to install new cybersecurity patches as soon as possible.
• If you are running 7.x, upgrade to Drupal 7.59.
• If you are running 8.5.x, upgrade to Drupal 8.5.3.
• If you are running 8.4.x, which is no longer supported, you need first to update your site to 8.4.8 release and then install the latest 8.5.3 release as soon as possible.
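The three upgrade rules above are easy to get wrong when you administer many sites, so here is a small added example (not Drupal's own code, and not from the original post) that reads the installed version and applies exactly those rules. It assumes Drupal 7 records its version as `define('VERSION', '...')` in `includes/bootstrap.inc` and Drupal 8 as `const VERSION = '...'` in `core/lib/Drupal.php`; the sample file bodies are constructed for the demonstration.

```python
import re
from typing import Optional, Tuple

# First safe release on each supported branch, as named in the advisory.
PATCHED = {
    "7": (7, 59),
    "8.5": (8, 5, 3),
}
# 8.4.x is end-of-life; the advisory's stepping-stone release before moving to 8.5.3.
EOL_STEP = (8, 4, 8)

# Where Drupal records its own version (assumed layout: Drupal 7 in
# includes/bootstrap.inc, Drupal 8 in core/lib/Drupal.php).
VERSION_PATTERNS = [
    re.compile(r"define\('VERSION',\s*'([0-9.]+)'\)"),  # Drupal 7 style
    re.compile(r"const\s+VERSION\s*=\s*'([0-9.]+)'"),   # Drupal 8 style
]

# Constructed sample file bodies standing in for the real files.
SAMPLE_D7 = "<?php\ndefine('VERSION', '7.58');\n"
SAMPLE_D8 = "<?php\nclass Drupal {\n  const VERSION = '8.5.2';\n}\n"


def parse_version(source: str) -> Optional[str]:
    """Pull the version string out of a bootstrap.inc / Drupal.php file body."""
    for pat in VERSION_PATTERNS:
        m = pat.search(source)
        if m:
            return m.group(1)
    return None


def to_tuple(version: str) -> Tuple[int, ...]:
    """'8.5.2' -> (8, 5, 2); '7.58' -> (7, 58), so tuples compare numerically."""
    return tuple(int(p) for p in version.split("."))


def advise(version: str) -> str:
    """Apply the advisory's upgrade rules to an installed version string."""
    v = to_tuple(version)
    if v[0] == 7:
        return "patched" if v >= PATCHED["7"] else "upgrade to 7.59"
    if v[:2] == (8, 5):
        return "patched" if v >= PATCHED["8.5"] else "upgrade to 8.5.3"
    if v[:2] == (8, 4):
        # Unsupported branch: go through 8.4.8 first unless already there.
        if v >= EOL_STEP:
            return "upgrade to 8.5.3"
        return "upgrade to 8.4.8, then to 8.5.3"
    return "unsupported branch: move to a supported release (7.59 or 8.5.3)"


def check_install(source: str) -> Tuple[Optional[str], str]:
    """Return (installed version, advice) for one version file's contents."""
    version = parse_version(source)
    if version is None:
        return None, "could not determine installed version"
    return version, advise(version)


if __name__ == "__main__":
    for label, body in (("Drupal 7 sample", SAMPLE_D7), ("Drupal 8 sample", SAMPLE_D8)):
        print(label, check_install(body))
```

On a real host you would pass the contents of the version file for each site into `check_install`; the output for the constructed samples is "upgrade to 7.59" and "upgrade to 8.5.3".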
For now, there aren’t any active exploits in the wild for the new vulnerability, because the new flaw is more complex to string together into an exploit.
Be aware! The new patches will only work if your site has already applied patches for the Drupalgeddon2 flaw.
For now, there aren’t any technical details available publicly, but that does not mean you can wait until next morning to update your website, believing it won’t be attacked.
Remember that hackers developed automated exploits leveraging the Drupalgeddon2 vulnerability to inject cryptocurrency miners, backdoors, and other malware into websites within a few hours after its details went public, so patch now!
Besides these two flaws, the team behind Drupal also patched a moderately critical cross-site scripting (XSS) vulnerability last week, which could have allowed remote attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft.
All Drupal website admins are highly recommended to update their websites as soon as possible.
Also, remember that only a robust cybersecurity solution can protect your device from all types of cyber attacks. The use of an active antivirus is mandatory. We strongly recommend that everyone install an antivirus for Windows or antivirus for Mac, depending on which version of OS your devices run. If you are a company, please check your network integrity by hiring top cybersecurity firms to perform various tests, like penetration tests and ethical hacking tests, at least once a year.