Every Drupal 7 site compromised unless patched : Drupal Advisory

Assume Every Drupal 7 Site Was Compromised Unless Patched Immediately

An unusual advisory from Drupal's security team, but one to be taken seriously by anyone running a website on Drupal 7. The advisory was issued yesterday by the Drupal Security Team in response to a vulnerability that it rated as very high risk.

Second Advisory in a month

Earlier this month, Drupal patched a critical SQL injection vulnerability (CVE-2014-3704) affecting all Drupal core 7.x versions prior to the recently released 7.32, which fixed the issue. You can read about that vulnerability here.

The problem Drupal ran into was that as soon as the above vulnerability (CVE-2014-3704) was announced on October 17, a series of automated attacks began exploiting the flaw against websites running the Drupal content management system (CMS).

The advisory states:

This Public Service Announcement is a follow up to SA-CORE-2014-005 – Drupal core – SQL injection. This is not an announcement of a new vulnerability in Drupal. Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Assume your site has been compromised

The Drupal security team said that even Drupal 7 website owners and webmasters who had patched the earlier vulnerability by updating to Drupal 7.32 should be cautious and assume their Drupal 7 websites were compromised.

“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” the Drupal Security Team wrote in a security advisory on Oct. 29.

The issue is particularly nasty, as it allows an attacker to exploit the vulnerability without needing an account or tricking a user into exposing credentials through social engineering or phishing.

The Drupal Security Team also warned that attackers may have created backdoors in the database, code, files directory and other locations, and could compromise other services on the server or escalate their access.

Patching Won’t Remove Backdoors

While the Drupal security team has advised all Drupal website owners and webmasters to apply the patch immediately, it's important to realize that applying the patch will not clean up an already compromised website.

“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site,” the advisory explained.

This means that even after patching, a Drupal-based website may remain compromised if it was attacked after the Oct 17 announcement, since the attackers can keep using any backdoor left behind during that compromise. It is also possible that attackers copied the site database and could use it maliciously, leaving no trace behind.

“While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find,” the advisory cautioned. “The recommendation is to restore from backup or rebuild from scratch.”

If you believe your Drupal 7 site is compromised, you can contact the Drupal security team or follow the steps in the Drupal documentation available online. Drupal has also published additional details and actions to take in response to the vulnerability or a potential compromise, which are available here.
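Two of the advisory's points lend themselves to a quick, defensive check a site owner can run before deciding whether to restore from backup: whether the core fix arrived through a proper update to 7.32 or as a bare patch on an older core (the "patched but you didn't do it" symptom), and whether PHP files have appeared in the public files directory, one of the backdoor locations the advisory names. The script below is an added example written for this page; it is not code from Drupal or from the advisory. It relies on the standard Drupal 7 layout (includes/bootstrap.inc declaring VERSION, includes/database/database.inc, sites/default/files) and on the one-line change the 7.32 fix made to the expandArguments loop in database.inc, which replaced foreach ($data ...) with foreach (array_values($data) ...). The function names (patch_state, triage, demo) and the fake site tree that demo() builds in a temporary directory are constructed for illustration.

```python
"""Triage helper for a Drupal 7 tree after SA-CORE-2014-005 (added example, not Drupal code)."""
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Cut-off quoted from the PSA: sites patched before this moment are considered safe.
PSA_CUTOFF_UTC = datetime(2014, 10, 15, 23, 0, tzinfo=timezone.utc)

# The 7.32 fix changed this loop in includes/database/database.inc (expandArguments)
# so that caller-supplied array keys are discarded before placeholder names are built.
VULNERABLE_LOOP = "foreach ($data as $i => $value)"
PATCHED_LOOP = "foreach (array_values($data) as $i => $value)"

# Drupal 7 declares its version in includes/bootstrap.inc, e.g. define('VERSION', '7.32');
VERSION_RE = re.compile(r"define\('VERSION',\s*'([0-9.]+)'\)")

# Extensions that should never be served from the public files directory.
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def core_version(bootstrap_inc: str) -> tuple:
    """Parse the VERSION constant from bootstrap.inc contents into a comparable tuple."""
    m = VERSION_RE.search(bootstrap_inc)
    if m is None:
        raise ValueError("no VERSION constant found in bootstrap.inc")
    return tuple(int(part) for part in m.group(1).split("."))


def patch_state(bootstrap_inc: str, database_inc: str) -> str:
    """Classify a core tree from the contents of the two files.

    updated             - 7.32 or later and the fix line is present
    patched-out-of-band - older core, but the fix line is present; if the site owner
                          did not apply it, the advisory treats this as a symptom of compromise
    vulnerable          - older core, fix absent
    inconsistent        - claims 7.32+ but the fix line is missing (tampered or odd tree)
    """
    fix_present = PATCHED_LOOP in database_inc
    if core_version(bootstrap_inc) >= (7, 32):
        return "updated" if fix_present else "inconsistent"
    return "patched-out-of-band" if fix_present else "vulnerable"


def patched_before_cutoff(applied_at: datetime) -> bool:
    """True if the fix was in place before the PSA's 'assume compromised' deadline."""
    if applied_at.tzinfo is None:
        raise ValueError("applied_at must be timezone-aware")
    return applied_at.astimezone(timezone.utc) < PSA_CUTOFF_UTC


def php_in_files_dir(site_root: Path, files_dir: str = "sites/default/files") -> list:
    """List PHP-like files under the public files directory as sorted relative paths."""
    base = site_root / files_dir
    if not base.is_dir():
        return []
    return sorted(
        str(p.relative_to(site_root)).replace("\\", "/")
        for p in base.rglob("*")
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES
    )


def triage(site_root: Path) -> dict:
    """Run both checks against a Drupal 7 tree on disk."""
    bootstrap = (site_root / "includes/bootstrap.inc").read_text()
    database = (site_root / "includes/database/database.inc").read_text()
    return {
        "patch_state": patch_state(bootstrap, database),
        "php_in_files": php_in_files_dir(site_root),
    }


def demo() -> dict:
    """Build a constructed (fake) Drupal 7 tree in a temp dir and triage it.

    The tree mimics the symptom the advisory describes: core still says 7.31, yet
    the 7.32 fix line is present, and a PHP file has appeared under files/.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes/database").mkdir(parents=True)
        (root / "sites/default/files/cache").mkdir(parents=True)
        (root / "includes/bootstrap.inc").write_text("<?php\ndefine('VERSION', '7.31');\n")
        (root / "includes/database/database.inc").write_text(
            "<?php\n    " + PATCHED_LOOP + " {\n      // ...\n    }\n"
        )
        (root / "sites/default/files/logo.png").write_bytes(b"\x89PNG constructed sample")
        (root / "sites/default/files/cache/update.php").write_text("<?php // constructed stand-in\n")
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

A "patched-out-of-band" result is only alarming if nobody on your team applied the patch by hand; pair it with the file's modification time and patched_before_cutoff() to decide which side of the advisory's deadline the site falls on. Neither check proves a site is clean, which is exactly why the advisory still recommends restoring from a pre-Oct 15 backup or rebuilding.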

Resource : Drupal Advisory
