The SpiderLabs® WAF team have released commercial rules updates for ModSecurity Web Application Firewall (WAF) v2.9 and above. These rules' purpose is to protect against new emerging attacks that target vulnerabilities in public software.
For this release we are highlighting virtual patches for a Remote Code Execution on Drupal 7.x/8.x SA-CORE-2018-002 ( CVE-2018-7600). This issue also known as "Drupalgeddon2" could allow an attacker to perform Remote Code Execution attacks.
The issue happens due to Drupal usually accepting parameters as array objects. This allows a user passing an array object to Drupal with a keyname containing a forms "payload". The vulnerability leads Drupal to blindly process the malicious payload. The Drupal forms API reference suggests that a number of keynames could be used as payloads, depending on the payload the application could be compromised, and Remote Code Execution is possible. SpiderLabs WAF Research Team have developed a virtual patch for Commercial Rules customers since the day that this vulnerability became widely public.
Even though we are currently not aware of publicly working PoC code and we have yet to see exploitation in the wild, this vulnerability still ranks with the highest level of risk as remote and unauthenticated attacks is possible leading to full server compromise by chaining it with other techniques.
ModSecurity Rules from Trustwave SpiderLabs include custom virtual patches for public vulnerabilities.