The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a critical security flaw in the Drupal content management system (CMS) following confirmation of active exploitation in the wild. Tracked as CVE-2024-3129, this SQL injection vulnerability puts both data integrity and the underlying server at risk. Because CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog under Binding Operational Directive (BOD) 22-01, remediation is mandatory for federal agencies and urgent for everyone else. Defenders should treat this as an active incident hunt rather than a routine update: successful exploitation lets an attacker bypass access controls, exfiltrate sensitive data such as account records and password hashes, or, by chaining into module or file writes, potentially achieve remote code execution (RCE) on the host.
Technical Analysis
- Affected Products: Drupal Core
- Affected Versions:
- 9.5.x versions prior to 9.5.11
- 10.2.x versions prior to 10.2.4
- 10.x versions prior to 10.3.0 (10.3.0 is the first fixed 10.3 release; no 10.3.x build is affected)
- CVE Identifier: CVE-2024-3129
- CVSS Score: 7.5 (High) / 5.3 (Medium), depending on the scoring source. Note: whatever base score you use, confirmed in-the-wild exploitation raises the practical severity to Critical.
- Vulnerability Type: SQL Injection
- Attack Vector: Network
- Exploitation Status: Actively Exploited (Confirmed by CISA KEV)
How the Vulnerability Works
CVE-2024-3129 stems from insufficient sanitization of user-supplied data in specific API endpoints or form handling routines within Drupal Core. By crafting HTTP requests that contain SQL metacharacters, an unauthenticated attacker can change the structure of backend database queries, breaking the separation between data and control logic that parameterized queries are meant to enforce. In a typical attack chain, the actor injects a UNION SELECT or similar payload to dump the users table (harvesting admin account names and password hashes) or modifies the database to establish persistence (e.g., enabling a malicious module or planting a web shell).
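The mechanism described above, as an added example that is not Drupal's code or the code behind this CVE: a lookup whose input is concatenated into the SQL string, beside the same lookup with a placeholder, run against a constructed in-memory SQLite database whose table and column names are assumed for the demo (loosely modelled on Drupal's users_field_data and node_field_data). The UNION payload turns a title lookup into a dump of user names and password hashes; the parameterized version returns nothing for the same input.

```python
"""Constructed SQL injection demo: string concatenation vs. placeholders.

Not Drupal code; table and column names are assumed for illustration.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema with two tables an attacker might target."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users_field_data (uid INTEGER, name TEXT, pass TEXT, mail TEXT);
        INSERT INTO users_field_data VALUES
            (1, 'admin',  '$S$EHASHOFADMIN',  'admin@example.test'),
            (2, 'editor', '$S$EHASHOFEDITOR', 'editor@example.test');
        CREATE TABLE node_field_data (nid INTEGER, title TEXT, status INTEGER);
        INSERT INTO node_field_data VALUES (10, 'Welcome', 1), (11, 'Draft', 0);
        """
    )
    return conn


def vulnerable_titles(conn: sqlite3.Connection, title: str) -> list:
    """Vulnerable: user input is spliced into the SQL text, so a quote in
    `title` ends the literal and the rest of the input is parsed as SQL
    (data becomes control logic)."""
    sql = f"SELECT title, status FROM node_field_data WHERE title = '{title}'"
    return conn.execute(sql).fetchall()


def hardened_titles(conn: sqlite3.Connection, title: str) -> list:
    """Hardened: the same query with a bound parameter. The driver passes
    `title` as a value; it is never tokenized as SQL, whatever it contains."""
    sql = "SELECT title, status FROM node_field_data WHERE title = ?"
    return conn.execute(sql, (title,)).fetchall()


# Payload of the kind the text describes: close the string literal, append a
# UNION that pulls name and hash from the users table, comment out the trailing quote.
UNION_PAYLOAD = "x' UNION SELECT name, pass FROM users_field_data -- "


def demo() -> dict:
    """Run both query styles against the constructed database."""
    conn = build_db()
    return {
        "vulnerable": vulnerable_titles(conn, UNION_PAYLOAD),
        "hardened": hardened_titles(conn, UNION_PAYLOAD),
        "normal": hardened_titles(conn, "Welcome"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>10}: {rows}")
```

The vulnerable branch returns the admin and editor rows with their password hashes even though the query was written to look up node titles; the hardened branch returns an empty result because no node is titled with the payload string. Drupal's database API takes the same approach: placeholders (`:name`) in `query()` or the condition builder in `select()`, never string concatenation.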
Detection & Response
The following detection mechanisms focus on identifying the exploitation attempt via web logs and the resulting post-exploitation activity (web shell execution). Since the initial attack is web-based, high-fidelity detection relies heavily on WAF logs or HTTP access logs ingested into your SIEM.
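The URI pattern match that the Sigma and KQL rules below rely on, applied to Apache combined-format access log lines, as an added example that is not part of the page's rules or tooling. It adds what a raw `contains` on the URI misses: percent- and plus-decoding (run twice, so double-encoded payloads like `%2527` are also caught) before the indicator list is checked. The log lines are constructed for this demo and use documentation IP ranges.

```python
"""Constructed example: SQLi indicator matching over decoded Apache access logs."""
import re
from urllib.parse import unquote_plus

# Apache combined log format:
# host ident user [time] "method uri proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Same indicators as the Sigma rule, compared case-insensitively after decoding.
SQLI_PATTERNS = [
    "union select", "or 1=1", "and 1=1", "information_schema",
    "char(", "waitfor delay", "benchmark(", "sleep(",
]

# Constructed sample log: one encoded UNION attempt, one plus-encoded time-based
# probe, and benign traffic (including a path that merely contains the words).
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2024:10:01:02 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/May/2024:10:01:05 +0000] "GET /search?keys=test%27%20UNION%20SELECT%20name,pass%20FROM%20users_field_data-- HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.9 - - [15/May/2024:10:02:11 +0000] "POST /user/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.9 - - [15/May/2024:10:02:40 +0000] "GET /?q=1+AND+SLEEP(5)-- HTTP/1.1" 200 120 "-" "curl/8.4"
203.0.113.7 - - [15/May/2024:10:03:01 +0000] "GET /blog/union-select-your-favourite HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_uri(uri: str) -> str:
    """Decode %xx and '+' twice so single- and double-encoded payloads both surface."""
    return unquote_plus(unquote_plus(uri))


def find_sqli(log_text: str) -> list:
    """Return one hit per log line whose decoded URI contains any SQLi indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = decode_uri(rec["uri"])
        matched = [p for p in SQLI_PATTERNS if p in decoded.lower()]
        if matched:
            hits.append({
                "host": rec["host"],
                "time": rec["time"],
                "method": rec["method"],
                "uri": decoded,
                "patterns": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in find_sqli(SAMPLE_LOG):
        print(f"{hit['time']} {hit['host']} {hit['method']} {hit['uri']}  <- {hit['patterns']}")
```

Two of the five lines fire: the encoded UNION SELECT and the plus-encoded SLEEP(5) probe. The blog path containing "union-select" does not, because the indicator is the two-word phrase, not the words separately; a KQL `has "SELECT"` clause would have flagged it, which is why the rules below match on phrases or function-call fragments rather than single keywords.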
SIGMA Rules
---
title: Potential SQL Injection via Drupal Core CVE-2024-3129
id: 9a5c1f2e-4d3b-11ef-9454-0242ac120002
status: experimental
description: Detects potential SQL injection attempts targeting Drupal by matching common SQLi syntax, in plain and URL-encoded form, in the requested URI. Sigma 'contains' is case-insensitive by default.
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    - https://www.drupal.org/sa-core-2024-002
author: Security Arsenal
date: 2024/05/15
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
    product: apache
detection:
    selection:
        c-uri|contains:
            - 'UNION SELECT'
            - 'UNION%20SELECT'
            - 'UNION+SELECT'
            - 'OR 1=1'
            - 'OR%201=1'
            - 'AND 1=1'
            - 'information_schema'
            - 'char('
            - 'char%28'
            - 'waitfor delay'
            - 'benchmark('
            - 'sleep('
            - 'sleep%28'
    condition: selection
falsepositives:
    - Legitimate developer testing activity
    - Scanning from authorized vulnerability scanners
    - Content paths that legitimately contain these words (tune per site)
level: high
---
title: Web Server Spawning Shell on Linux (Drupal Compromise)
id: 9a5c1f2e-4d3b-11ef-9454-0242ac120003
status: experimental
description: Detects potential web shell activity where the web server or PHP worker process (www-data, apache, nginx, php-fpm) spawns a shell or scripting interpreter, common after successful SQLi exploitation leads to file write.
references:
    - https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal
date: 2024/05/15
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith:
            - '/apache2'
            - '/httpd'
            - '/nginx'
            - '/php-fpm'
        Image|endswith:
            - '/bash'
            - '/sh'
            - '/dash'
            - '/zsh'
            - '/python'
            - '/python3'
            - '/perl'
    condition: selection
falsepositives:
    - Legitimate administrative scripts executed by the web server (e.g., cron-style hooks)
    - Server monitoring plugins
level: critical
KQL (Microsoft Sentinel / Defender)
// Hunt for SQL injection patterns in Apache/Nginx access logs forwarded via Syslog.
// Assumes the combined log format arrives in SyslogMessage; the Syslog table has no
// 'web' facility and no ComputerIP column, so filter on ProcessName and use HostIP.
// Adjust ProcessName and the extract() pattern to your forwarder configuration.
Syslog
| where ProcessName in ("apache2", "httpd", "nginx")
| extend Method = extract(@'"(GET|POST)\s+(\S+)\s+HTTP/', 1, SyslogMessage),
         Uri    = extract(@'"(GET|POST)\s+(\S+)\s+HTTP/', 2, SyslogMessage)
| where isnotempty(Uri)
// Decode %xx and '+' so encoded payloads (UNION%20SELECT, SLEEP%28) are not missed
| extend DecodedUri = replace_string(url_decode(Uri), "+", " ")
| where DecodedUri has_any ("UNION SELECT", "information_schema", "WAITFOR DELAY")
    or DecodedUri contains "sleep(" or DecodedUri contains "benchmark("
| project TimeGenerated, Computer, HostIP, ProcessName, Method, DecodedUri, SyslogMessage
| take 100
Velociraptor VQL
-- Hunt for recently modified PHP files in Drupal upload directories, which may indicate a web shell drop.
-- sites/*/files is the public upload path and should never hold executable PHP, so every hit is worth a look.
-- Narrow the glob root (e.g. /var/www/**) on large hosts; '7d' is not a VQL literal, so the cutoff is computed in seconds.
SELECT OSPath, Mtime, Atime, Size, Mode
FROM glob(globs='/**/sites/*/files/**/*.php')
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)
  AND Size > 0
-- Hunt for web server processes spawning shells or interpreters (web shell execution).
-- pslist() exposes Ppid but no Parent object, so the parent is resolved with a foreach() join;
-- note that AND binds tighter than OR, so the child names are grouped in one regex.
SELECT * FROM foreach(
  row={
    SELECT Pid AS ParentPid, Name AS ParentName
    FROM pslist()
    WHERE Name =~ '^(apache2|httpd|nginx|php-fpm)'
  },
  query={
    SELECT ParentName, ParentPid, Name, Pid, Exe, CommandLine
    FROM pslist()
    WHERE Ppid = ParentPid
      AND Name =~ '^(bash|sh|dash|zsh|perl|python)'
  })
Remediation Script (Bash)
#!/bin/bash
# Drupal CVE-2024-3129 Remediation Script
# Reports the installed core version, then applies the fix with Composer
# (the supported path for Drupal 9/10) or, on legacy Drush 8 sites, pm-update.
set -euo pipefail
echo "[+] Checking for Drupal CVE-2024-3129 vulnerability..."
# Must run as root so it can drop to the site owner for Composer/Drush
if [ "$(id -u)" -ne 0 ]; then
  echo "[-] This script must be run as root or with sudo." >&2
  exit 1
fi
# Site root (the directory holding composer.json) and the user that owns it.
# Override with: DRUPAL_ROOT=/path/to/site SITE_USER=deploy ./remediate.sh
DRUPAL_ROOT="${DRUPAL_ROOT:-/var/www/html}"
SITE_USER="${SITE_USER:-www-data}"
if [ ! -d "$DRUPAL_ROOT" ]; then
  echo "[-] Drupal root not found at $DRUPAL_ROOT. Set DRUPAL_ROOT and retry." >&2
  exit 1
fi
cd "$DRUPAL_ROOT"
version() {
  # --format=json (the value was missing); the key contains a hyphen, so jq needs it quoted
  sudo -u "$SITE_USER" drush status --format=json | jq -r '."drupal-version"'
}
HAVE_DRUSH=0
if command -v drush >/dev/null 2>&1; then
  HAVE_DRUSH=1
  echo "[+] Current Drupal Version: $(version)"
fi
if [ -f composer.json ] && command -v composer >/dev/null 2>&1; then
  # Never run Composer as root: files would become root-owned and unwritable by the site
  echo "[+] Updating Drupal core via Composer..."
  sudo -u "$SITE_USER" composer update "drupal/core-*" --with-all-dependencies --no-interaction
elif [ "$HAVE_DRUSH" -eq 1 ] && drush help pm-update >/dev/null 2>&1; then
  # Drush 8 only: pm-update was removed in Drush 9+, where Composer manages the code base
  echo "[+] Running security update of core via Drush 8..."
  sudo -u "$SITE_USER" drush pm-update drupal --security-only -y
else
  echo "[-] Neither Composer nor Drush 8 found. Manual update required." >&2
  exit 1
fi
if [ "$HAVE_DRUSH" -eq 1 ]; then
  # Run pending schema updates and rebuild caches (drush cr takes no 'all' argument)
  echo "[+] Applying database updates and clearing caches..."
  sudo -u "$SITE_USER" drush updatedb -y
  sudo -u "$SITE_USER" drush cr
  echo "[+] Installed Drupal Version: $(version)"
fi
echo "[+] Update complete. Verify the version is now 9.5.11+, 10.2.4+, or 10.3.0+."
Remediation
To mitigate the risk associated with CVE-2024-3129, organizations must upgrade their Drupal Core instances to the latest patched releases immediately. The exploitation of this vulnerability is trivial and requires no authentication, making it a prime target for automated botnets.
Patched Versions:
- Upgrade to Drupal 9.5.11
- Upgrade to Drupal 10.2.4
- Upgrade to Drupal 10.3.0 or later
Action Plan:
- Backup: Perform a full backup of the database and file system before updating.
- Update: Apply the updates immediately via composer update (Drupal 9/10) or drush pm-update (Drush 8 sites).
- Scan: Run a web shell scanner (e.g., Linux Malware Detect) on the sites/ directories to confirm compromise has not already occurred.
- CISA Deadline: Federal Civilian Executive Branch (FCEB) agencies must patch by the deadline specified in the CISA directive (typically within 3 weeks for KEV additions, though emergency directives may have shorter windows).
- Vendor Advisory: Review the full security advisory at Drupal.org SA-CORE-2024-002.