The bug was reported by Samuel Mortenson of the Drupal security team and assigned CVE-2019-6340 with a severity rating of highly critical. It is a remote code execution bug in Drupal core: some field types do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution in some cases.
In the advisory the Drupal team said a site is only affected by this bug if one of the following conditions is met:
- The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
- The site has another web services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
The advisory's recommended fix:
- If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
- If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
- Be sure to install any available security updates for contributed projects after updating Drupal core.
- No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.
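The conditions and fixed versions above are exactly the kind of thing an operator wants to run over a site inventory rather than check by hand. The following triage helper is an added example, not code from Drupal, the advisory or the researchers: it encodes only the advisory's two exposure conditions and its fixed releases, reads the core version out of `core/lib/Drupal.php` (where Drupal 8 keeps it as the `Drupal::VERSION` constant), and applies the rules to a constructed sample inventory. The module machine names (`rest`, `jsonapi`, `services`, `restws`), the `Site` record and the sample sites are assumptions made for the example.

```python
"""Advisory triage for CVE-2019-6340 over a constructed site inventory.

Added example; not code from Drupal, the advisory or the researchers.
Only the conditions and fixed versions stated in the advisory are encoded.
"""
import re
from dataclasses import dataclass, field

# Fixed Drupal 8 core releases named in the advisory, by branch.
FIXED_8_6 = (8, 6, 10)   # for 8.6.x
FIXED_8_5 = (8, 5, 11)   # for 8.5.x or earlier

# Module machine names (assumed): core 'rest' and 'jsonapi' on Drupal 8,
# contributed 'services' and 'restws' on Drupal 7.
D8_OTHER_WEB_SERVICES = {"jsonapi"}
D7_WEB_SERVICES = {"services", "restws"}

_VERSION_CONST = re.compile(r"const VERSION = '([^']+)';")


def parse_version(text: str) -> tuple:
    """'8.6.9' -> (8, 6, 9); '7.63' -> (7, 63).
    Pre-release suffixes such as '-rc1' or '-dev' are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_from_drupal_php(source: str) -> tuple:
    """Extract the core version from the text of core/lib/Drupal.php,
    where Drupal 8 stores it as the Drupal::VERSION constant."""
    m = _VERSION_CONST.search(source)
    if not m:
        raise ValueError("no VERSION constant in source")
    return parse_version(m.group(1))


def required_core_version(version: tuple):
    """Fixed release a Drupal 8 core version must reach, or None when it is
    already patched or is not Drupal 8 (Drupal 7 needs no core update)."""
    if version[0] != 8:
        return None
    target = FIXED_8_6 if version[:2] >= (8, 6) else FIXED_8_5
    return target if version < target else None


@dataclass
class Site:
    name: str
    core_version: str
    modules: set = field(default_factory=set)
    # Drupal 8 'rest' resource configuration: does any resource accept
    # POST or PATCH? (assumed to be read from the site's config export)
    rest_allows_post_or_patch: bool = False


def triage(site: Site) -> tuple:
    """Return (affected, recommended_action) per the advisory's rules."""
    v = parse_version(site.core_version)
    major = v[0]
    if major == 8:
        conditions_met = (
            ("rest" in site.modules and site.rest_allows_post_or_patch)
            or bool(site.modules & D8_OTHER_WEB_SERVICES)
        )
        target = required_core_version(v)
        affected = conditions_met and target is not None
        if target is None:
            action = "core already fixed; install contributed security updates"
        else:
            action = "upgrade core to %s, then update contributed projects" % (
                ".".join(map(str, target)))
    elif major == 7:
        affected = bool(site.modules & D7_WEB_SERVICES)
        action = ("no core update; update the affected contributed modules"
                  if affected else "no action from this advisory")
    else:
        affected, action = False, "major version not covered by this advisory"
    return affected, action


# Constructed inventory for illustration only.
SAMPLE_SITES = [
    Site("intranet", "8.6.9", {"rest", "node"}, rest_allows_post_or_patch=True),
    Site("catalogue", "8.5.8", {"jsonapi", "node"}),
    Site("blog", "8.6.10", {"rest"}, rest_allows_post_or_patch=True),
    Site("brochure", "8.6.9", {"node"}),
    Site("legacy", "7.63", {"services"}),
]

# Constructed excerpt of core/lib/Drupal.php for the version reader.
SAMPLE_DRUPAL_PHP = "class Drupal {\n  const VERSION = '8.6.9';\n}\n"

if __name__ == "__main__":
    for s in SAMPLE_SITES:
        affected, action = triage(s)
        print(f"{s.name:10} {s.core_version:7} affected={affected!s:5} {action}")
```

The "affected" flag only says whether the site meets the advisory's stated conditions on an unpatched core; a site that fails the conditions still gets the upgrade recommendation, since the advisory tells every 8.x site to update.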
Technical Details
After the Drupal team released the advisory for the bug, researchers from Tencent Secure Cloud Ding Laboratory started digging into the issue.
In their research they found that the vulnerability is triggered by enabling RESTful Web Services and allowing POST or PATCH requests.
Depending on the Drupal configuration, this vulnerability may be triggered without any permissions, but this is not universal. Once the vulnerability is exploited, an attacker can execute arbitrary PHP code directly on the web server, causing the server to be compromised and user information to be compromised along with it.
In their blog post they identified the root cause of the bug as a deserialization operation.
The researchers also shared a PoC video showing a calculator being popped on the server system.