BitNinja WAF protects against the latest Drupal vulnerability (CVE-2019-6340)
Eniko Toth

Social media and cybersecurity sites blew up when Drupal published its latest vulnerability (SA-CORE-2019-003). It’s no surprise that this remote code execution vulnerability was labeled highly critical, as hackers could easily hack your Drupal 8 websites.

But BitNinja users didn’t have to worry for a minute, as they were protected by our WAF from the very beginning of this RCE flaw. We have already seen some attempts caught by rule 933170, so hackers didn’t wait long to exploit CVE-2019-6340.

How are hackers trying to exploit the latest Drupal vulnerability?

Cybercriminals send a request with '_format=hal_json' in the GET query string, then inject a serialized PHP object in the POST data. This technique only works if the REST module is enabled.

If the hackers succeed, they can easily exploit this RCE vulnerability to run any malicious code and hack the vulnerable websites.

But putting effort into attacking BitNinja-protected servers is useless… The Ninja Community was already protected when Drupal published this vulnerability, because the 933170 WAF rule (which is part of the safe minimum ruleset) stops CVE-2019-6340 by filtering the serialized object injection.
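An added example (not BitNinja's code and not the text of rule 933170): a small log-triage check for the two indicators described above, the `_format=hal_json` query parameter and a serialized PHP object in the request body. The regex is a simplified assumption, and the sample requests and field names are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Simplified signature for a PHP serialized object, e.g. O:8:"stdClass":0:{...}
# Assumption for illustration; this is not the actual regex of rule 933170.
PHP_OBJECT = re.compile(r'\b[OC]:\d+:"[^"]*":\d+:\{')

def iter_strings(node):
    """Yield every string (keys and values) from a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from iter_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_strings(item)

def inspect_request(url, body):
    """Return the indicators found in one request (URL plus raw body text)."""
    findings = []
    query = parse_qs(urlsplit(url).query)
    if "hal_json" in query.get("_format", []):
        findings.append("hal_json format requested")
    try:
        # Decode first: inside JSON the quotes of the object are escaped as \"
        candidates = list(iter_strings(json.loads(body)))
    except (ValueError, TypeError):
        # Not valid JSON: fall back to the raw body with \" unescaped.
        candidates = [(body or "").replace('\\"', '"')]
    if any(PHP_OBJECT.search(text) for text in candidates):
        findings.append("serialized PHP object in body")
    return findings

def classify(url, body):
    """'match' = both indicators, 'suspicious' = object only, else 'clean'."""
    findings = inspect_request(url, body)
    if len(findings) == 2:
        return "match"
    return "suspicious" if "serialized PHP object in body" in findings else "clean"

# Constructed sample requests (hypothetical paths and field names).
SAMPLES = [
    ("/node/1?_format=hal_json", json.dumps({"field_example": [{"value": 'O:8:"stdClass":0:{}'}]})),
    ("/node/1?_format=hal_json", json.dumps({"title": [{"value": "Hello"}]})),
    ("/node/1?_format=json", '{"note": "O:8:\\"stdClass\\":0:{}"'),  # truncated JSON
]
```

Decoding the JSON before matching matters because a pattern applied to the raw body would have to account for the escaped quotes around the class name.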

We can see the signs that the hackers have already started to exploit the flaw. Let’s take a closer look at one of the stopped attacks:

As we mentioned, the 933170 rule, which protects you against CVE-2019-6340, is already enabled in the safe minimum ruleset, so take it easy: hackers won’t be able to hack your sites.

BitNinja against zero-day attacks

This wasn’t the first time Drupal published a highly critical vulnerability. We can still remember Drupalgeddon, which was also patched by us instantly. But there were other zero-days, such as the Meltdown & Spectre, MODX and phpMyAdmin vulnerabilities, which were all patched by BitNinja.

As you can see, we always try to patch zero-day attacks as quickly as possible, so if you'd like to have an ultimate weapon against zero-day attacks, don’t waste your time! Join our Ninja Community and make sure that WAF is activated on your servers.
