External risk intelligence

Drupal Core: Code Execution Risk via Web Services.

CVE advisory | Known Exploit

CVE-2019-6340

Drupal core versions may allow arbitrary code execution if specific web services modules are enabled and non-form data is processed, posing a business risk. Affected organizations should identify and secure these installations.

4 Halo Surface Signal

Deserialization

Drupal

  • 8.5.0 to before 8.5.11
  • 8.6.0 to before 8.6.10

External exposure likelihood

Halo Surface Signal score for CVE-2019-6340

The vulnerability affects Drupal core installations when the RESTful Web Services module or similar API modules are enabled. These components are frequently deployed as internet-facing web APIs, making them reachable via standard web traffic in common web application configurations.

Horizon Alert

Summary of the vulnerability and why it matters

Drupal core versions are vulnerable due to improper data sanitization in certain field types. This weakness can allow for the execution of arbitrary PHP code, potentially impacting system integrity and data confidentiality. Organizations with specific web services modules enabled are at risk if they permit PATCH or POST requests.

  • Vulnerable Drupal core versions
  • Improper data sanitization
  • Arbitrary code execution

Attack Path

How an attacker could exploit the issue

This vulnerability allows for arbitrary code execution when specific web services modules are enabled and non-form data is processed. Attackers can exploit this by sending specially crafted data to affected systems, potentially leading to compromised data and system control. The impact extends to organizations using these Drupal versions with the RESTful Web Services or similar modules active.

  • Exposed web services.
  • Attacker sends crafted data.
  • Arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows attackers to execute arbitrary code on affected systems. The risk is amplified because it can be exploited remotely without requiring user interaction, posing a significant threat to organizations utilizing the vulnerable Drupal versions. Remediation is crucial to prevent unauthorized access and potential data breaches.

  • Likely attacker skill level: Moderate.
  • Required access or conditions: Network access and specific modules enabled.
  • Business risk or urgency: High.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Drupal Core may allow for arbitrary PHP code execution if specific modules are enabled and the system receives specially crafted data. Organizations should prioritize identifying and securing their Drupal installations that meet these conditions to mitigate potential business risk. The issue arises from improper sanitization of data from non-form sources within certain field types.

  • Find exposed Drupal assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.

Frequently asked questions

What is Drupal and what is it used for?

Drupal is an open-source content management system (CMS) that helps users build dynamic websites and applications. It provides a framework for creating content, managing users, and extending functionality through modules. Many websites, from personal blogs to enterprise-level platforms, use Drupal to deliver their online content and services.

What type of weakness does CVE-2019-6340 represent in Drupal?

CVE-2019-6340 is a result of improper data sanitization in certain Drupal field types, classified as CWE-502, which relates to deserialization of untrusted data. This weakness can potentially allow an attacker to execute arbitrary PHP code on the affected system.

How can an attacker exploit this Drupal vulnerability?

An attacker can exploit this vulnerability by sending specially crafted data to a Drupal site that has the RESTful Web Services (rest) module enabled and allows PATCH or POST requests. Other web services modules, like JSON:API, can also be a trigger path if they are enabled.

Who needs to care about this Drupal vulnerability?

Organizations running Drupal core versions with specific web services modules enabled and configured to accept PATCH or POST requests should care about this vulnerability. These components are often internet-facing, meaning the threat could be accessible from the wider internet.

What is the first step to address CVE-2019-6340 in Drupal?

The first step is to identify all Drupal installations within your organization. For those identified as potentially vulnerable, confirm if the RESTful Web Services module or other relevant web services modules are enabled and if they accept PATCH or POST requests. Applying vendor-provided updates is the recommended remediation.
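The triage described in the answer above, as an added example that is not part of the original advisory: it classifies inventory records against the affected version ranges and the web services module conditions stated on this page. The inventory field names, hostnames and priority labels are assumptions, and the sample records are constructed.

```python
import re

# Ranges from the advisory above, as [first affected, first fixed).
AFFECTED_RANGES = [((8, 5, 0), (8, 5, 11)), ((8, 6, 0), (8, 6, 10))]
WEB_SERVICE_MODULES = {"rest", "jsonapi"}   # module machine names
WRITE_METHODS = {"PATCH", "POST"}

def parse_version(text):
    """'8.6.9' -> (8, 6, 9); None if there is no x.y.z prefix (e.g. '8.6.x-dev')."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def triage(site):
    """Classify one inventory record; returns (priority, reasons)."""
    version = parse_version(site.get("version"))
    if version is None:
        return "verify-manually", ["core version could not be parsed"]
    if not any(lo <= version < hi for lo, hi in AFFECTED_RANGES):
        return "not-in-range", []
    reasons = ["core version in affected range"]
    modules = WEB_SERVICE_MODULES & set(site.get("modules", []))
    methods = WRITE_METHODS & {m.upper() for m in site.get("rest_methods", [])}
    if "jsonapi" in modules:
        reasons.append("jsonapi module enabled")
    if "rest" in modules and methods:
        reasons.append("rest module accepts " + "/".join(sorted(methods)))
    if len(reasons) > 1:
        return "urgent", reasons
    note = "rest enabled without PATCH/POST" if modules else "no web services module enabled"
    return "update", reasons + [note]

# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"host": "www.example.test", "version": "8.6.9", "modules": ["node", "rest"],
     "rest_methods": ["GET", "post"]},
    {"host": "api.example.test", "version": "8.5.10", "modules": ["jsonapi"]},
    {"host": "intranet.example.test", "version": "8.5.3", "modules": ["rest"],
     "rest_methods": ["GET"]},
    {"host": "blog.example.test", "version": "8.6.10", "modules": ["rest"],
     "rest_methods": ["POST"]},
    {"host": "dev.example.test", "version": "8.6.x-dev", "modules": ["rest"]},
]

if __name__ == "__main__":
    for site in INVENTORY:
        print(site["host"], *triage(site))
```

Records marked "update" still run an affected core version and should receive the vendor-provided update; "urgent" only orders the work by the exposure conditions the advisory names.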
