Security Hot Seat: Unpatched Drupal 7 Sites Compromised
The Open Source CMS Leader in the Hot Seat after Announcement of Widespread Compromise
This past week, Drupal issued a public service announcement stating that any Drupal 7 site not patched within seven hours of the October 15 vulnerability disclosure should be assumed compromised. According to Sophos, an estimated 12 million sites may be affected.
Drupal's PSA was a follow-up to its earlier security advisory, which disclosed a SQL injection vulnerability in the Drupal 7 database abstraction API. Drupal rated the flaw "highly critical": it can be triggered by a remote, unauthenticated attacker with a single crafted request, and successful exploitation can lead to privilege escalation, arbitrary PHP execution, and other attacks. The advisory was accompanied by a fixed release, Drupal 7.32, and a standalone patch for sites that could not upgrade immediately.
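The advisory does not spell out the mechanism, so the following is an added illustration and not code from this page or from the Drupal project. It is a Python model of the kind of placeholder expansion involved, based on the 7.32 fix as I understand it: the database layer expanded a placeholder bound to an array into one placeholder per element and named the new placeholders after the array's keys, which in a web request are attacker-controlled; the fix switched to the element positions instead. The query text, the argument names and the "injected" marker are constructed for the example.

```python
import re

# A placeholder name the database layer can safely splice into SQL text.
PLACEHOLDER_RE = re.compile(r"^:[A-Za-z0-9_]+$")


def _expand(query, args, use_keys):
    """Expand array-valued placeholders into one placeholder per element.

    Models turning `IN (:name)` bound to an array into
    `IN (:name_0, :name_1, ...)`. With use_keys=True the element keys
    (caller-controlled in a web request) become the suffix, which is the
    vulnerable behaviour; with use_keys=False the element positions do,
    which is what the 7.32 fix amounts to.
    """
    out_args = dict(args)
    for key, data in args.items():
        if not isinstance(data, (list, dict)):
            continue
        if isinstance(data, dict) and use_keys:
            items = data.items()
        else:
            values = data.values() if isinstance(data, dict) else data
            items = enumerate(values)
        new_keys = {f"{key}_{i}": value for i, value in items}
        # Replace the whole-word placeholder with the comma-joined new names.
        # A callable replacement avoids backslash processing of the joined text.
        joined = ", ".join(new_keys)
        query = re.sub(re.escape(key) + r"\b", lambda _m: joined, query)
        del out_args[key]
        out_args.update(new_keys)
    return query, out_args


def expand_arguments_vulnerable(query, args):
    """Pre-fix behaviour: array keys are trusted as placeholder suffixes."""
    return _expand(query, args, use_keys=True)


def expand_arguments_fixed(query, args):
    """Post-fix behaviour: only element positions are used as suffixes."""
    return _expand(query, args, use_keys=False)


def unsafe_placeholder_names(args):
    """Argument names that are not plain identifiers and so leak into SQL."""
    return [k for k in args if not PLACEHOLDER_RE.match(k)]


# Constructed request: a form field submitted as name[0 ; injected-- ]=x&name[1]=y
CRAFTED_ARGS = {":name": {"0 ; injected-- ": "x", "1": "y"}}
QUERY = "SELECT * FROM users WHERE name IN (:name) AND status = 1"

if __name__ == "__main__":
    for label, fn in (("vulnerable", expand_arguments_vulnerable),
                      ("fixed", expand_arguments_fixed)):
        expanded_query, expanded_args = fn(QUERY, CRAFTED_ARGS)
        print(f"{label}: {expanded_query}")
        print(f"  unsafe names: {unsafe_placeholder_names(expanded_args)}")
```

The point of the model is that the placeholders are still bound safely; it is the placeholder *names* that become part of the SQL string, so any validation that only looks at bound values misses the problem. A check like `unsafe_placeholder_names` on the expanded argument list is the kind of assertion a database layer that does its own expansion should enforce.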
Researchers began seeing exploit attempts in the wild within hours of the disclosure. About seven hours after Drupal published the advisory, automated exploits were compromising sites all over the world. Given the scale of the attacks and the number of Drupal 7 installations worldwide, the number of sites affected is likely in the millions.
The announcement shocked the industry. Vulnerability disclosures and patch releases are routine for software vendors, but it is far less common for a vendor to tell users that millions of current deployments should be presumed compromised. According to Drupal.org, many high-traffic websites run on Drupal, including those of the White House, The Economist, and NBC.
The Drupal security team has advised all Drupal 7 sites to update to 7.32 immediately, but warns that patching alone may not be enough. A site that was not patched within seven hours of the disclosure may already have been compromised, and applying the update afterward does not remove backdoors an attacker may have left behind. Drupal is recommending that such sites be restored from a backup taken before October 15, then updated, and then investigated for signs of attack or compromise. The security team also warns that some sites may require the server to be replaced or the site to be rebuilt from scratch. To its credit, the team has responded quickly, providing full disclosure and concrete recommendations for damage control and recovery. The project also maintains a "Your Drupal site got hacked. Now what?" incident response guide and has published an FAQ to help users safely patch and secure their sites.
Of course, this is not the first highly critical vulnerability found in widely used open source software. The Heartbleed and Shellshock vulnerabilities discovered earlier this year had widespread reach because of the popularity of OpenSSL and Bash. Last year, the open source CMS WordPress switched to an automatic background update model for security and minor releases to keep up with vulnerabilities and their fixes.
These incidents highlight well-known problems that plague security teams. The Drupal incident is another case in which the time from disclosure to compromise is measured in hours or less, which means that vulnerability and patch management, as well as incident response, must become more agile to keep pace. According to the 2013 Verizon Data Breach Investigations Report, over 80% of compromises are carried out in days or less, while fewer than 20% of those incidents are detected within the same timespan. As attacks get faster and discovery lags behind, automated exploits will continue to cause widespread compromise.