An unusual advisory from the Drupal administrators, but apparently one to be taken seriously by websites that run on Drupal 7. The advisory was issued yesterday by the Drupal Security Team as a follow-up to a vulnerability which it said was very high risk.
Earlier this month, Drupal patched a critical SQL injection vulnerability (CVE-2014-3704) that exists in all Drupal core 7.x versions prior to the recently released 7.32, which fixed the issue. You can read about that vulnerability here.
The problem Drupal ran into was that as soon as the above vulnerability (CVE-2014-3704) was announced on October 17, a series of automated attacks began exploiting the flaw on websites running the Drupal content management system (CMS).
The advisory states:
This Public Service Announcement is a follow up to SA-CORE-2014-005 – Drupal core – SQL injection. This is not an announcement of a new vulnerability in Drupal. Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
The Drupal Security Team said that even Drupal 7 website owners and webmasters who had patched the earlier vulnerability by updating to Drupal 7.32 should be cautious and assume their Drupal 7 websites were compromised.
“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” the Drupal Security Team wrote in a security advisory on Oct. 29.
The issue is particularly nasty, as it allows an attacker to exploit the vulnerability without needing an account or duping a user into exposing credentials (i.e. social engineering or phishing).
The Drupal Security Team also warned that attackers may have created backdoors in the database, code, files directory and other locations, and could compromise other services on the server or escalate their access.
While the Drupal Security Team has advised all Drupal website owners and webmasters to apply the patch immediately, it is important to realize that applying the patch will not fix an already compromised website.
“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site,” the advisory explained.
This means that even after patching Drupal, a Drupal-based website may remain compromised if it was attacked after the Oct 17 announcement, and the attackers can take advantage of a backdoor left behind during that compromise. It is also possible that the attackers copied the site database and could use it maliciously, leaving no trace behind.
“While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find,” the advisory cautioned. “The recommendation is to restore from backup or rebuild from scratch.”
If you believe your Drupal 7 site is compromised, you can contact the Drupal Security Team or follow the steps in the Drupal documentation available online. Drupal has also published additional details and actions to take in response to the vulnerability or a potential compromise, which are available here.
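As an added example (not from the article or from the Drupal project), the following Python audit applies the advisory's indicators from the defender's side: it compares a live Drupal 7 code tree against a pristine unpacked copy of the same release to surface code that was changed or added without your knowledge (the "patched, but not by you" symptom), and lists executable PHP under the uploads directory. The paths `site_root`, `pristine_root` and `sites/default/files` and the code-suffix list are assumptions; `settings.php` will legitimately differ on a live site, so review the report rather than treating every hit as a backdoor.

```python
"""Audit a live Drupal 7 tree against a pristine copy of the same release.

Assumes a clean release has been unpacked at pristine_root (placeholder paths).
Any code difference is a lead: the advisory notes that some attacks applied the
7.32 patch themselves and may have left backdoors in code or the files directory.
"""
import hashlib
from pathlib import Path
from typing import Optional

# File types Drupal/PHP will execute; constructed list, extend as needed.
CODE_SUFFIXES = {".php", ".inc", ".module", ".install", ".engine", ".theme"}


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _code_files(root: Path, skip: Optional[Path]) -> dict:
    """Map relative path -> Path for every code file under root, except under skip."""
    out = {}
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix not in CODE_SUFFIXES:
            continue
        if skip is not None and skip in p.parents:
            continue  # the uploads directory is audited separately below
        out[str(p.relative_to(root))] = p
    return out


def audit_tree(site_root, pristine_root, files_dir="sites/default/files"):
    """Return code that differs from the pristine release, code that only exists
    on the live site, and executable PHP under the uploads directory."""
    site, pristine = Path(site_root), Path(pristine_root)
    uploads = site / files_dir
    live = _code_files(site, uploads)
    clean = _code_files(pristine, pristine / files_dir)
    common = live.keys() & clean.keys()
    modified = sorted(r for r in common if _sha256(live[r]) != _sha256(clean[r]))
    added = sorted(live.keys() - clean.keys())
    php_in_uploads = []
    if uploads.is_dir():
        php_in_uploads = sorted(str(p.relative_to(site)) for p in uploads.rglob("*")
                                if p.is_file() and p.suffix in CODE_SUFFIXES)
    return {"modified": modified, "added": added, "php_in_uploads": php_in_uploads}
```

An empty report does not prove the site is clean (the database can carry a backdoor too), which is why the advisory still recommends restoring from a backup taken before the announcement or rebuilding.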
Resource: Drupal Advisory