Drupal 8 REST Module Remote Code Execution (CVE-2019-6340)
Drupal recently published a security advisory (SA-CORE-2019-003) for a new highly critical vulnerability affecting Drupal 8 instances. The flaw may allow unauthenticated users to execute arbitrary code by forcing a vulnerable Drupal 8 instance to unserialize an attacker-supplied PHP serialized object delivered in a crafted request to a REST API endpoint. The affected endpoint is reachable by unauthenticated users by default on instances where the RESTful Web Services module is enabled. The advisory's primary fix is upgrading to a patched Drupal 8 release (8.6.10 or 8.5.11); the advisory also lists disabling the web services modules as an interim mitigation.

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers on any supported BIG-IP version are protected against this vulnerability, provided the relevant signatures are enforced (not in staging) in the security policy. Exploitation attempts are detected by existing PHP code injection attack signatures, which are found in signature sets that include the "Server Side Code Injection" attack type or the "PHP" system.

Figure 1: Exploit blocked with attack signature 200004268

Figure 2: Exploit blocked with attack signature 200004188

Additional Reading

https://www.drupal.org/sa-core-2019-003
https://www.ambionics.io/blog/drupal8-rce
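To show concretely what a signature-style check for this class of request has to handle, here is an added example that is not F5's signature logic and not code from the original post: a small Python request inspector that flags PHP serialized object headers (`O:<len>:"<class>":<n>:{`) in the query string, in the raw body, and, after JSON decoding, inside the string values of a JSON or HAL+JSON body. The sample requests, the `Gadget` class name and the `link`/`options` field names are constructed for the example and are not a working exploit.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Header of a PHP serialized object: O:<len>:"<class>":<nprops>:{
# Namespaced class names contain backslashes (Vendor\Pkg\Klass), so the
# class-name character class admits them.
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([A-Za-z0-9_\\]+)":\d+:\{')


def php_objects_in(text):
    """Return the class names of PHP object headers in `text` whose declared
    length matches the class name; mismatches are a cheap false-positive
    filter, since a real serializer always writes a consistent length."""
    return [m.group(2) for m in PHP_OBJECT_RE.finditer(text)
            if int(m.group(1)) == len(m.group(2))]


def walk_strings(value):
    """Yield every string leaf of a decoded JSON document."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from walk_strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from walk_strings(v)


def inspect_request(method, target, headers, body):
    """Return [(location, class_name)] for every serialized PHP object found
    in the query string, the raw body, or the string values of a JSON body.
    The HTTP method is deliberately ignored: a body is scanned on any method."""
    findings = []
    for key, values in parse_qs(urlsplit(target).query).items():
        for v in values:
            findings += [("query:" + key, c) for c in php_objects_in(v)]
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
    findings += [("body:raw", c) for c in php_objects_in(text)]
    ctype = headers.get("Content-Type", "").lower()
    if "json" in ctype:  # application/json, application/hal+json, ...
        try:
            doc = json.loads(text)
        except ValueError:
            doc = None  # unparsable body: the raw pass above is all we have
        for s in walk_strings(doc):
            findings += [("body:json", c) for c in php_objects_in(s)]
    return findings


# Constructed sample traffic (not real captures). "Gadget" is a stand-in
# class name; the property carries a harmless string, not a gadget chain.
SERIALIZED_OBJECT = 'O:6:"Gadget":1:{s:4:"note";s:2:"hi";}'
HAL_HEADERS = {"Content-Type": "application/hal+json"}

BENIGN_REQUEST = ("PATCH", "/node/1?_format=hal_json", HAL_HEADERS,
                  json.dumps({"title": [{"value": "Hello world"}]}))

# The serialized object is smuggled as an ordinary JSON string value, which
# is how json.dumps (and a real client) would encode it: quotes and
# backslashes inside the payload are escaped in the raw body.
SUSPECT_REQUEST = ("GET", "/node/1?_format=hal_json", HAL_HEADERS,
                   json.dumps({"link": [{"value": "x",
                                         "options": SERIALIZED_OBJECT}]}))

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(name, inspect_request(*req))
```

The decoded pass is the part that matters. Inside a JSON body the payload's double quotes become `\"` and the backslashes of a namespaced class name become `\\`, so a pattern applied only to the raw bytes never sees `O:6:"Gadget":`, while the same pattern over the decoded strings does. A WAF that only matches raw request bytes therefore needs either a JSON-aware parser in front of the signature or a pattern written against the escaped form; whichever a product chooses, sending both encodings through it is the practical check before trusting a "protected" claim.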