“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC – that is 7 hours after the announcement.”
That alarming statement was part of a ‘public service announcement’ issued by Drupal’s project security team last month. The SA-CORE-2014-005 advisory notice, which was published on October 15th warned users about a highly critical SQL injection vulnerability that had affected Drupal versions older than 7.32. Exploiting the vulnerability does not require authentication and can lead to a complete website compromise.
Now you may wonder why Drupal would issue such a strongly worded statement when it is obvious that it would cause panic. Well, the answer is simple: it’s because of the speed with which attackers began targeting this vulnerability and because a potential compromise can be very hard to detect. Drupal is one of the most world’s most popular content management programmes. According to Mark Stockley, an analyst at security firm Sophos, up to 5.1 per cent of the billion or so sites on the web use Drupal 7 to manage their content. Therefore there are potentially 12 million websites at risk and in urgent need of patching. What Drupal needs in his opinion is an automatic updater that rolls out security updates by default.
So what are the risks to Drupal users? Well, the vulnerability allows hackers to copy all the data on vulnerable websites and potentially use that data maliciously without leaving a trace. What’s more, the vulnerability also allows the installation of multiple back doors in the site’s database, code, file directories and other locations, so even if remedial action is taken, it would still be impossible for an administrator to claim with any degree of confidence that all of the back doors have been identified and secured. More worrying still is that hackers can also use these back doors to attack and compromise other services on the underlying web server, and that, according to Drupal’s security team, means that hackers can expand their access beyond the website itself.
What should websites do to protect themselves against this latest security vulnerability? Well, Drupal is advising all users to try to determine whether their websites were patched by their hosting providers before the attacks began or if those providers successfully blocked all attack attempts. If websites cannot get secure guarantees from hosting providers, then Drupal is advising that websites should be taken offline. All files and databases should then be deleted and restored from backups made prior to October 15th and patched before bringing the sites back online.
Drupal has also advised all users to notify their server administrators that attackers might have potentially compromised other sites and applications hosted on the same servers. Drupal’s security team that ideally the server should be changed completely before restoring a site. However, if restoring from a backup is not possible, then Drupal said that rebuilding the site from scratch is a better alternative than attempting to clean it up, because backdoors can be extremely difficult to find.
What worries security experts most is that Drupal, unlike other content management systems like Joomla and WordPress, is heavily used by large organizations. That brings its own unique problems because large organisations, unlike consumers and small businesses, have certain lengthy and complicated processes and procedures they are obliged to follow when deploying patches, and that can take time. This time delay can lead to further risks and increased vulnerability according to Daniel Cid, the chief technology officer of Web security firm Sucuri. In a blog post he claimed that:
“This is a recipe for disaster if it’s true, and those websites are in fact compromised, they could be leveraged and daisy chained for a massive malware distribution campaign. Take that into consideration with the size and audience of brands and the impact grows exponentially.”
If you are concerned about the escalating security challenges and risk management issues facing your business today and would like to take precautions, then why not speak to Krypsys? Krypsys’ services are focused on helping your business assess its security posture against current and evolving security threats and educating you on the risks to which you are exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data-centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in your own IT security strategy and to assist in streamlining and prioritising your risk management spending.
Whether you’re looking for help with penetration testing and security reviews, or are looking for advice on security compliance and web security solutions, Krypsys can help you. For more information on web security solutions from Barracuda Networks, Check Point, Alien Vault and Netwrix, please contact Krypsys on 0845 474 3031 or [email protected].