The developers of the open source Drupal content management system recently warned that a SQL injection vulnerability affecting all Drupal 7.x versions prior to 7.32 may have exposed hundreds of thousands of websites to attack.
According to Drupal’s own statistics, almost a million websites currently use Drupal 7. Drupal 6.x is not affected by the flaw.
As the initial Drupal security advisory explains, “Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or attacks.”
A followup advisory notes that automated attacks began compromising Drupal 7 websites within hours of the announcement of the flaw, and warned that simply updating to Drupal 7.32 will not remove backdoors.
“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is seven hours after the announcement,” the advisory states. “If you have not updated or applied this patch, do so immediately.”
“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised — some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site,” the advisory adds.
Users who didn’t upgrade within hours of the announcement of the patch are advised to do the following:
- Take the website offline by replacing it with a static HTML page
- Notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack
- Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
- Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014
- Update or patch the restored Drupal core code
- Put the restored and patched/updated website back online
- Manually redo any desired changes made to the website since the date of the restored backup
- Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.
Malwarebytes Labs senior security researcher Jerome Segura told eSecurity Planet by email that the speed with which this flaw was exploited is alarming. “There are a lot of talks in the security industry about responsible disclosure to give time to software manufacturers to issue a patch for vulnerabilities before publicly talking about them,” he said. “We all know that as soon as details are available, the bad guys are hard at work trying to exploit the newly discovered flaws. But in this particular example it does not even matter, as criminals were already hacking away in a record breaking time.”
In many cases, Segura noted, it simply wouldn’t have been possible for system administrators to update their systems in time to block any attacks. “The best defense in this arms race is about protecting your properties in various ways that complement each other,” he said. “While patching is important, there are other methods to defend against such attacks, for example by hardening your website against SQL injections, brute force attacks, and also by deploying a Web application firewall which can detect malicious behavior and stop them before they reach your internal applications.”