Millions of Drupal websites at risk from failure to patch


You should assume that your Drupal 7 website has been compromised if you didn’t patch it within just 7 hours of the release of Drupal 7.32 on 15 October 2014.

That’s the shocking warning from Drupal’s own maintainers in an extremely unusual public service announcement, marked Highly Critical:

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Drupal is one of the world’s most popular website Content Management Systems (CMS), which puts the number of sites under scrutiny into the tens of millions.

The warning is a follow-up to an advisory (DRUPAL-SA-CORE-2014-005) issued on 15 October 2014 at 16:02 (UTC) that warned of a vulnerability that allowed attackers to completely compromise a Drupal 7 installation with a very simple SQL injection attack.

Ironically the vulnerability existed within Drupal’s own protection against SQL injection.

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution.
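The job of a database abstraction layer like the one described above is to keep query text and user-supplied data strictly separate, so that data is only ever bound as parameters and never spliced into the SQL string. The following is an added illustration of that design principle in Python, not Drupal’s own code: a hypothetical `expand_arguments` helper that expands a list-valued placeholder (the usual `IN (...)` case) into one placeholder per element. The expanded placeholder names are generated from the original name plus an integer counter, so nothing the caller passes in, neither the values nor the keys of a dict, can reach the query text; placeholder names are also restricted to a fixed identifier alphabet. The query and values used in the test are constructed samples.

```python
import re
from typing import Any, Dict, Tuple

# Placeholder names are limited to a plain identifier alphabet. Anything else in
# the query text is never treated as a placeholder, and no caller-supplied
# string can be promoted into one.
PLACEHOLDER_RE = re.compile(r":([A-Za-z_][A-Za-z0-9_]*)")


def expand_arguments(sql: str, args: Dict[str, Any]) -> Tuple[str, Dict[str, Any]]:
    """Expand list-valued placeholders into one placeholder per element.

    Hypothetical helper (added example, not Drupal's API). Returns the rewritten
    query text and a flat mapping of placeholder name -> value. Only names
    produced by this function (original name + '_' + counter) are written into
    the SQL; the values are returned separately to be bound by the driver.
    """
    flat: Dict[str, Any] = {}
    for name, value in args.items():
        # Reject any placeholder name that is not a plain identifier.
        if not PLACEHOLDER_RE.fullmatch(":" + name):
            raise ValueError(f"invalid placeholder name: {name!r}")

        if isinstance(value, (list, tuple, dict)):
            # Positional order only: a dict's keys are deliberately ignored so
            # they can never influence the generated placeholder names.
            items = list(value.values()) if isinstance(value, dict) else list(value)
            if not items:
                raise ValueError(f"placeholder :{name} expanded to an empty list")

            new_names = [f"{name}_{i}" for i in range(len(items))]
            collisions = [n for n in new_names if n in args or n in flat]
            if collisions:
                raise ValueError(f"generated names collide with arguments: {collisions}")

            # Replace the whole placeholder token only, never a prefix of a
            # longer one (":nids" must not match inside ":nids_extra").
            replacement = ", ".join(":" + n for n in new_names)
            sql = re.sub(rf":{name}\b", replacement, sql)
            flat.update(zip(new_names, items))
        else:
            flat[name] = value
    return sql, flat


if __name__ == "__main__":
    # Constructed sample query; the node ids are example data.
    query = "SELECT nid FROM node WHERE nid IN (:nids) AND status = :status"
    print(expand_arguments(query, {"nids": [4, 8, 15], "status": 1}))
```

The important property is visible in the second test case: even when the list is handed over as a dict with arbitrary keys, the generated SQL contains only `:nids_0` and `:nids_1`, and the dict's keys appear nowhere in the query text.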

Remember that a CMS is responsible for storing the content of your site in a series of databases, where it can be edited, backed up, tested, reviewed, subjected to change control and, of course, ultimately published in its public-facing form.

So once a Drupal site has been compromised, attackers can “manage” it to suit their own criminal agenda, including changing content, deleting content, and plundering its data.

Owning a site so completely also gives attackers a bridgehead from which they can attempt any number of privilege escalation attacks to gain control of the server it’s running on.

And, of course, once attackers control the content of your website, they can use it as a delivery point for their next wave of malware, inviting unsuspecting victims to visit what they assume is your trustworthy site, only to find it loaded with malicious content you didn’t put there yourself.

According to W3Techs between 1.9% and 5.1% of all websites use Drupal and about 65% of those use Drupal 7 (Drupal’s own usage statistics have it slightly higher at 84%).

At the time the advisory was issued there were roughly 1 billion websites on the internet, so at least 12 million sites needed patching.

With such a large number of targets it was highly likely that this simple and effective exploit would be automated. It always looked like a race against time and it seems that the first attacks followed within a few hours of the patch becoming available.

Today’s announcement warns users that patching now, so long after the event, is not enough. If you haven’t patched your site already then it’s been exposed long enough to have been scanned and turned over many times.

That doesn’t mean your site has definitely been compromised but, as the announcement says, you should proceed under that assumption.
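The announcement’s rule is simple to state but easy to get wrong in practice, because Drupal 7 version strings do not sort as text (`7.4` is older than `7.32`) and the cut-off is a UTC timestamp. The following is an added Python triage helper, not code from Drupal or from the announcement: it reads the core version from the text of `includes/bootstrap.inc` (Drupal 7 defines it there as `define('VERSION', '7.32');`), compares it numerically against 7.32, and applies the 23:00 UTC, 15 October 2014 cut-off to the time the patch was applied. The `bootstrap.inc` excerpt in the block is a constructed sample; the function names and the assumption that the patch time is supplied as an ISO 8601 string are mine.

```python
import re
from datetime import datetime, timezone
from typing import Optional, Tuple

# Cut-off stated in the Drupal PSA: a Drupal 7 site not patched or updated to
# 7.32 by this time should be treated as compromised.
PSA_CUTOFF = datetime(2014, 10, 15, 23, 0, tzinfo=timezone.utc)
FIXED_VERSION: Tuple[int, ...] = (7, 32)

# Drupal 7 records its core version in includes/bootstrap.inc. Only plain
# numeric releases are matched here; a -dev or -rc suffix is treated as unknown.
VERSION_RE = re.compile(r"define\('VERSION',\s*'([0-9]+(?:\.[0-9]+)*)'\);")

# Constructed sample of the relevant lines from an unpatched install.
SAMPLE_BOOTSTRAP_INC = (
    "<?php\n"
    "/**\n * The current system version.\n */\n"
    "define('VERSION', '7.31');\n"
)


def parse_core_version(bootstrap_inc: str) -> Tuple[int, ...]:
    """Extract the core version from bootstrap.inc text as a tuple of ints.

    Tuples compare numerically, so (7, 4) < (7, 32) as intended, whereas the
    strings '7.4' and '7.32' would compare the wrong way round.
    """
    match = VERSION_RE.search(bootstrap_inc)
    if not match:
        raise ValueError("no numeric VERSION constant found in bootstrap.inc")
    return tuple(int(part) for part in match.group(1).split("."))


def assume_compromised(version: Tuple[int, ...], patched_at_iso: Optional[str]) -> bool:
    """Apply the PSA rule: True means 'proceed as if the site was compromised'.

    patched_at_iso is the time the 7.32 patch was applied, as an ISO 8601
    string with a UTC offset (hypothetical input format chosen for this
    example), or None if the site has no record of when it was patched.
    """
    if version < FIXED_VERSION:
        return True  # still running vulnerable code: no question
    if patched_at_iso is None:
        return True  # patched, but cannot show it happened before the cut-off
    patched_at = datetime.fromisoformat(patched_at_iso)
    if patched_at.tzinfo is None:
        raise ValueError("patch time must carry a UTC offset")
    return patched_at > PSA_CUTOFF


def triage(bootstrap_inc: str, patched_at_iso: Optional[str]) -> bool:
    """Convenience wrapper: version from file text plus patch time -> verdict."""
    return assume_compromised(parse_core_version(bootstrap_inc), patched_at_iso)


if __name__ == "__main__":
    print("unpatched sample:", triage(SAMPLE_BOOTSTRAP_INC, None))
    print("patched at 17:00 UTC:", assume_compromised((7, 32), "2014-10-15T17:00:00+00:00"))
    print("patched next morning:", assume_compromised((7, 32), "2014-10-16T09:00:00+00:00"))
```

A patched-but-late site gets the same verdict as an unpatched one, which is exactly the point of the announcement: updating now removes the vulnerability but says nothing about what happened to the site in the meantime.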

So just how practical was it to get sites patched within 7 hours of the announcement?

Nik Roberts, owner of Drupal web development specialists Versantus, describes just how narrow the margins were on 15 October.

Once you're on a machine it only takes about 30 seconds to apply the patch but we have a mixture of sites hosted by us and others and it took about five or six hours to get 80 websites updated.

Many site owners will never have received the announcement and many that did will have been asleep.

What Drupal badly needs but doesn’t have is an automatic updater that rolls out security updates by default.

Drupal can update modules automatically but it can only warn administrators that new core updates are available – it won’t install them automatically.

There are lots of good reasons for not forcing updates on people but the reality is that without them there will be many millions of site owners who either update too late or who never update at all.

Every Drupal 7 site that was unpatched after 23:00 (UTC) on 15 October 2014 is now a potential “sleeper agent” for cybercrooks.

WordPress, the most popular content management system in the world, took the plunge and rolled out automatic updates a year ago.

It’s time for Drupal to follow suit.