Assume Every Drupal 7 Site Was Compromised Unless Patched Immediately

A very strange advisory from the Drupal administrators, but one apparently to be taken seriously by websites that run on Drupal 7. The advisory was issued yesterday by the Drupal Security Team for a vulnerability it described as very HIGH RISK.

Second Advisory in a month

Earlier this month, Drupal patched a critical SQL injection vulnerability (CVE-2014-3704) affecting all Drupal core 7.x versions prior to the recently released 7.32, which fixed the issue. You can read about that vulnerability here.

The problem Drupal ran into was that as soon as the vulnerability (CVE-2014-3704) was announced on October 17, a wave of automated attacks began exploiting the flaw on websites running the Drupal content management system (CMS).

The advisory states:

This Public Service Announcement is a follow-up to SA-CORE-2014-005 – Drupal core – SQL injection. This is not an announcement of a new vulnerability in Drupal. Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Assume your site has been compromised

The Drupal Security Team said that even Drupal 7 website owners and webmasters who had patched the earlier vulnerability by updating to Drupal 7.32 should be cautious and assume their Drupal 7 websites were compromised.

“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” the Drupal Security Team wrote in a security advisory on Oct. 29.

The issue is particularly nasty because an attacker can exploit the vulnerability without needing an account and without duping a user into exposing credentials through social engineering or phishing.

The Drupal Security Team also warned that attackers may have created backdoors in the database, code, files directory and other locations, and could compromise other services on the server or escalate their access.

Patching Won’t Remove Backdoors

While the Drupal Security Team has advised all Drupal website owners and webmasters to apply the patch immediately, it is important to realize that applying the patch will not clean up an already compromised website.

“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site,” the advisory explained.

This means that even after patching Drupal, the website may remain compromised if it was attacked after the October 17 announcement, and the attackers can keep using the backdoor left behind during that compromise. It is also possible that attackers copied the site database and could use it maliciously, leaving no trace behind.

“While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find,” the advisory cautioned. “The recommendation is to restore from backup or rebuild from scratch.”
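As an added example (not part of the article or of Drupal's own tooling), a small triage script that implements the checks the advisory implies before you decide to restore from backup: it reads the VERSION constant Drupal 7 defines in includes/bootstrap.inc, flags a core database file modified after the 15 October 23:00 UTC deadline while the version still reads below 7.32 (a patch applied, but perhaps not by you), and lists PHP files in the sites/*/files upload directory, where backdoors are commonly dropped. It assumes Drupal 7's standard file layout and that a standalone patch leaves the VERSION constant untouched; the sample docroot it builds is constructed for the demonstration.

```python
import os, re, tempfile
from datetime import datetime, timezone

# Deadline from the PSA: a site not patched before this is to be assumed compromised.
CUTOFF = datetime(2014, 10, 15, 23, 0, tzinfo=timezone.utc).timestamp()
FIXED = (7, 32)  # first Drupal 7 release carrying the SA-CORE-2014-005 fix

def drupal_version(root):
    """Drupal 7 declares its release in includes/bootstrap.inc as define('VERSION', '7.xx')."""
    with open(os.path.join(root, "includes", "bootstrap.inc"), encoding="utf-8") as f:
        m = re.search(r"define\('VERSION',\s*'(\d+)\.(\d+)'\)", f.read())
    return (int(m.group(1)), int(m.group(2))) if m else None

def core_patched_after_cutoff(root, cutoff=CUTOFF):
    """VERSION still below 7.32 but includes/database/database.inc changed after the deadline:
    someone applied a standalone patch. If that was not you, the advisory calls it a symptom."""
    ver = drupal_version(root)
    dbinc = os.path.join(root, "includes", "database", "database.inc")
    return ver is not None and ver < FIXED and os.stat(dbinc).st_mtime > cutoff

def php_in_files_dirs(root):
    """PHP under sites/*/files (the upload directory) is a classic backdoor location."""
    hits = []
    for dirpath, _, names in os.walk(os.path.join(root, "sites")):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        if len(parts) >= 3 and parts[2] == "files":
            hits += [os.path.join(dirpath, n) for n in names if n.lower().endswith((".php", ".phtml"))]
    return sorted(hits)

def _write(path, text, mtime=None):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)
    if mtime is not None:
        os.utime(path, (mtime, mtime))  # backdate/forward-date the file for the demo

def demo():
    """Constructed sample docroot (not a real site): 7.31 with database.inc touched a day after
    the deadline and a PHP file dropped into the public files directory."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "includes", "bootstrap.inc"), "<?php\ndefine('VERSION', '7.31');\n")
        _write(os.path.join(root, "includes", "database", "database.inc"), "<?php\n", CUTOFF + 86400)
        _write(os.path.join(root, "sites", "default", "files", "cache.php"), "<?php\n")
        return {"version": drupal_version(root),
                "unexpected_patch": core_patched_after_cutoff(root),
                "php_in_files": [os.path.relpath(p, root) for p in php_in_files_dirs(root)]}

if __name__ == "__main__":
    print(demo())
```

Run the three check functions against a real docroot instead of the constructed one; any positive finding is a reason to follow the advisory and restore from a backup taken before the deadline rather than clean in place.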

If you believe your Drupal 7 site is compromised, you can contact the Drupal Security Team or follow the steps in the Drupal documentation available online. Drupal has also published additional details and actions to take in response to the vulnerability or a potential compromise, which are available here.

Resource: Drupal Advisory