Serious Drupal vulnerability alert! How to virtual patch it with BitNinja WAF?
Eniko Toth

Serious Drupal vulnerability alert! How to virtual patch it with BitNinja WAF?

2 days ago, a serious vulnerability, SA-CORE-2018-002 (CVE-2018-7600) has been found in Drupal 6, 7 and 8, which affects over one million websites. All the unpatched Drupals are in serious danger! An attacker can upload backdoors or malware via this newly discovered vulnerability. The vulnerability is scored 21/25 Highly Critical!

Details of the vulnerability:

This vulnerability has been categorized as a Highly Critical issue because…

  • With a simple user visit, the hackers can easily leverage the SA-CORE-2018-002.
  • There is no need for special privilege levels. All users or even anonymous users are enough for a successful exploitation.
  • Non-public data is fully accessible, too.

As you can see, it can have serious impacts on the affected websites, that’s why its risk score is 21/25.

Drupal’s recommendations:

If you have a Drupal website, you should update it immediately. A patch has been released for all major Drupal versions and available on the security announcement page

Virtual patch with BitNinja WAF 2.0:

For BitNinja pro users we have implemented WAF rules to virtual patch this vulnerability. The Drupal Remote Execution Protection is already available in the WAF 2.0! If you want to avoid the dramatic consequences of SA-CORE-2018-002, please enable the 402001 and 402002 rules for the default pattern. The rules will be included in the safe minimum ruleset soon.

First catch 

(updated: 1 April 2018)

BitNinja WAF is an effective shield against this vulnerability. Rule 402002 has already defended the first incident:


This was the first but not last log, we've already caught several attack attempts. 

Were you affected by SA-CORE-2018-002 too? If the 402001 and 402002 rules are enabled on your servers, check out the logs now. Just visit the Network Attacks menu, choose the BL_BN_WAF incident type and look for the similar logs like on the printscreen.

Take care of your servers' safety now!

Share your ideas with us about this article

Previous posts

BitNinja Daily Routine - How to eliminate hackers on your servers completely?
We have collected the best practices of the most successful BitNinja customers. Would you like to completely eliminate hackers on your servers? Follow this guideline to achieve the most with BitNinja and stop all hackers. The initial steps When you first install BitNinja on your server, the best you can do is to enable all modules. All the beta modules are used in many production servers, it is safe in most of the cases to simply enable them all. If you have considerations about enabling all the modules, then here is a list of minimal modules to enable: IP reputation DoS detectio...
6+1 benefits of visiting tech conferences
Our team at BitNinja tries to make a habit of visiting the great community conference called DevConf every year. It is an event hosted by Red Hat in the beautiful city of Brno in the Czech Republic. The presentations and talks take place at the Brno University of Technology (those buildings that are a unique combination of tradition and modern architecture, in my humble opinion). This year I had the opportunity to dedicate almost a whole day listening to presentations and participating in discussions about testing. The first talk I attended in thi...