Drupal developers urge users to update their installs to version 8.7.5, which addresses the CVE-2019-6342 flaw that allows hackers to take control of Drupal 8 sites.

Drupal developers informed users that version 8.7.4 is affected by a critical flaw, tracked as CVE-2019-6342, that could be exploited by attackers to take control of Drupal 8 websites. Users have to update to version 8.7.5 to address the vulnerability.

The issue resides in the Drupal 8.7.4, it is an access bypass vulnerability that can be triggered when the experimental Workspaces module is enabled.

“In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created.” reads the security advisory.

The vulnerability can be mitigated by disabling the Workspaces module.

“For sites with the Workspaces module enabled, update.php needs to run to ensure a required cache clear. If there is a reverse proxy cache or content delivery network (e.g. Varnish, CloudFlare) it is also advisable to clear these as well.” continues the advisory.

The development team pointed out that the flaw only affects Drupal 8.7.4 release, earlier versions are not affected.

The flaw was reported by the Dave Botsch, the good news is that there is no evidence of cyber attacks exploiting the flaw in the wild. Anyway, security experts believe that threat actors could start exploiting the flaw very soon because it affects default configurations, it is easy to exploit and require minimal user interaction to be triggered.

The U.S. Department of Homeland Security (DHS) has also published a security update for the CVE-2019-6342 flaw.

Drupal websites are privileged targets for hackers, in the past several campaigns leveraged other flaws in the popular CMS. In February, just three days after the CVE-2019-6340 flaw was addressed, threat actors in the wild started exploiting the issue to deliver cryptocurrency miners and other payloads.

In 2018, threat actors compromised many Drupal sites by exploiting other two flaw dubbed Drupalgeddon2 and Drupalgeddon3.

Pierluigi Paganini