Hong Kong Drupal User Group Drupal 7.32 Security Vulnerability Edison Wong 2014 Nov 08th



Page 1: Hong Kong Drupal User Group - Nov 8th

Hong Kong Drupal User Group

Drupal 7.32 Security Vulnerability

Edison Wong, 2014 Nov 08th

Page 2: Hong Kong Drupal User Group - Nov 8th

Edison Wong

● CEO, PantaRei Design
  – [email protected]

● Drupal developer & contributor
  – https://drupal.org/user/33940

● HKDUG Co-founder
  – https://groups.drupal.org/drupalhk

● Startup founder
  – 2009 - PantaRei Design founded
  – 2010 - YBHK applicant
  – 2011 - ITF SERAP applicant
  – 2011 - HKSTP Incu-Tech applicant

Page 3: Hong Kong Drupal User Group - Nov 8th

PantaRei Design

● Hong Kong based Free and Open Source Software (FOSS) service provider
  – Content Management System (CMS) with Drupal
  – Cloud hosting with Amazon Web Services (AWS)

● Business Partnership
  – 2012 - AWS Consulting Partner
  – 2013 - Acquia Partner
  – 2013 - Atlassian Experts
  – 2014 - Rackspace Hosting Partner

● FOSS Contributor
  – 2008 - Hong Kong Drupal User Group Co-founder
  – 2012 - Drupal Services Provider

Page 9: Hong Kong Drupal User Group - Nov 8th

Outline

● What's Happened with Drupal 7.32?
● Technical Details
● OMG! So What Should I Do for It?
● How to Restore My (Hacked) Drupal Site?
● How to Update My Drupal Site?
● Any Follow Up Action Required?
● Is Drupal Secure?
● Security Tips

Page 10: Hong Kong Drupal User Group - Nov 8th

What's Happened with Drupal 7.32?

● Vulnerability: SQL Injection
● Security risk: 25/25 (Highly Critical)
● Unless updated or patched to Drupal 7.32 before 2014 Oct 15th, 23:00 UTC (i.e. 7 hours after the announcement), you should assume your site was compromised.
● Simply updating to Drupal 7.32 will NOT remove backdoors.
● Attackers may have copied all data out of your site and could use it maliciously.
● There may be no trace of the attack.

Page 12: Hong Kong Drupal User Group - Nov 8th

Technical Details

● Drupal uses prepared statements in all its SQL queries. To handle IN statements there is an expandArguments() function to expand arrays.

● The function assumes that it is called with an array which has no keys. Example:
  – db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('user1','user2')));

● Which results in this SQL statement with the parameters name_0 = user1 and name_1 = user2:
  – SELECT * from users where name IN (:name_0, :name_1)

Page 13: Hong Kong Drupal User Group - Nov 8th

Technical Details (cont.)

● The problem occurs if the array has keys which are not integers. Example:
  – db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('test -- ' =>'user1','test' => 'user2')));

● This results in an exploitable SQL query with parameters :name_test = user2:
  – SELECT * FROM users WHERE name = :name_test -- , :name_test AND status = 1
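To make the two slides above concrete, here is an added example (not code from the slides and not Drupal's own source) that re-implements only the array-expansion step of Drupal 7's DatabaseConnection::expandArguments() in its pre-7.32 shape and in the 7.32 shape, and runs both on the exact input the slides use. The `preg_replace()` splice and the `_<index>` naming follow Drupal's approach; everything else is constructed here, and nothing is sent to a database.

```php
<?php
// Added example, not code from the slides or from Drupal itself: a minimal
// re-implementation of the array-expansion step of Drupal 7's
// DatabaseConnection::expandArguments(), in its pre-7.32 (vulnerable) and
// 7.32 (fixed) shapes, run on the input the slides use. Only the placeholder
// rewriting is modelled; nothing is sent to a database.

// Pre-7.32: the array KEY is spliced into the placeholder name, so a key
// supplied by the caller ends up verbatim in the SQL text.
function expandArgumentsVulnerable(string $query, array $args): array {
    foreach ($args as $key => $data) {
        if (!is_array($data)) { continue; }
        $newKeys = [];
        foreach ($data as $i => $value) {           // $i comes straight from the input
            $newKeys[$key . '_' . $i] = $value;
        }
        unset($args[$key]);
        $args += $newKeys;
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($newKeys)), $query);
    }
    return [$query, $args];
}

// 7.32 fix: a counter replaces the key, so only :name_0, :name_1, ... can appear
// in the query text, whatever keys the caller passed.
function expandArgumentsFixed(string $query, array $args): array {
    foreach ($args as $key => $data) {
        if (!is_array($data)) { continue; }
        $newKeys = [];
        $i = 0;
        foreach ($data as $value) {
            $newKeys[$key . '_' . $i] = $value;
            $i++;
        }
        unset($args[$key]);
        $args += $newKeys;
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($newKeys)), $query);
    }
    return [$query, $args];
}

// The slides' input: string keys, one of them containing a SQL comment marker.
$sql  = "SELECT * FROM {users} WHERE name IN (:name) AND status = 1";
$args = [':name' => ['test -- ' => 'user1', 'test' => 'user2']];

[$q, $a] = expandArgumentsVulnerable($sql, $args);
echo "vulnerable: $q\n";
[$q, $a] = expandArgumentsFixed($sql, $args);
echo "fixed:      $q\n";
```

Running it prints the first query with the key's `-- ` comment marker spliced into the IN list (the situation the slide describes), and the second with plain `:name_0, :name_1` placeholders; the `{users}` prefix braces are left as Drupal would see them before table-prefix replacement.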

Page 14: Hong Kong Drupal User Group - Nov 8th

Technical Details (cont.)

● Since Drupal uses PDO, multi-queries are allowed. So this SQL injection can be used to insert arbitrary data in the database, dump or modify existing data or drop the whole database.

● With the possibility to INSERT arbitrary data into the database an attacker can execute any PHP code through Drupal features with callbacks.

● Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access.

Page 16: Hong Kong Drupal User Group - Nov 8th

OMG! So What Should I Do for It?

● Removing a compromised website’s backdoors is difficult because it is not possible to be certain all backdoors have been found.

● The Drupal security team recommends that you consult with your hosting provider. If they did not patch Drupal for you or otherwise block the SQL injection attacks within hours of the announcement of Oct 15th, 4pm UTC, restore your website to a backup from before 15 October 2014.

Page 17: Hong Kong Drupal User Group - Nov 8th

How to Restore My (Hacked) Drupal Site?

● Take the website offline by replacing it with a static HTML page

● Notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack.

● Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)

● Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014

Page 18: Hong Kong Drupal User Group - Nov 8th

How to Update My Drupal Site?

● Update or patch the restored Drupal core code, e.g.
  – cd public_html
  – curl -sL https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch | patch -p1

● Put the restored and patched/updated website back online.

● Manually redo any desired changes made to the website since the date of the restored backup.
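After applying the patch, a practitioner wants to confirm it actually landed before putting the site back online. The following added checker (not part of the slides, not a Drupal tool) inspects the expandArguments() loop in includes/database/database.inc (the file's location in a standard Drupal 7 tree, known from Drupal's layout rather than from the slides). The two loop shapes it looks for are recalled from the upstream SA-CORE-2014-005 patch; treat them as an assumption and compare them against the official patch before trusting the result, and note that the script name is hypothetical.

```php
<?php
// Added example, not part of the slides or of Drupal: decide whether a copy of
// includes/database/database.inc carries the SA-CORE-2014-005 fix by looking at
// the expandArguments() loop. The two loop shapes below are recalled from the
// upstream patch (an assumption to confirm against the official diff).
// A PATCHED result says nothing about whether the site was already compromised
// before the patch landed; that question is answered by backups, not by grep.

const LOOP_VULNERABLE = '/foreach\s*\(\s*\$data\s+as\s+\$i\s*=>\s*\$value\s*\)/';
const LOOP_PATCHED    = '/\$i\s*=\s*0\s*;\s*foreach\s*\(\s*\$data\s+as\s+\$value\s*\)/';

function expandArgumentsState(string $source): string {
    if (preg_match(LOOP_VULNERABLE, $source) === 1) {
        return 'VULNERABLE';
    }
    if (preg_match(LOOP_PATCHED, $source) === 1) {
        return 'PATCHED';
    }
    return 'UNKNOWN';   // neither shape found: wrong file, or code changed further
}

// Constructed excerpts standing in for the two versions of the loop, so the
// checker can be exercised without a Drupal checkout.
$sampleBefore = '      foreach ($data as $i => $value) {' . "\n"
              . '        $new_keys[$key . \'_\' . $i] = $value;' . "\n"
              . '      }';
$sampleAfter  = '      $i = 0;' . "\n"
              . '      foreach ($data as $value) {' . "\n"
              . '        $new_keys[$key . \'_\' . $i] = $value;' . "\n"
              . '        $i++;' . "\n"
              . '      }';

// Usage (hypothetical script name):
//   php check_expand_arguments.php /path/to/drupal/includes/database/database.inc
if (isset($argv[1])) {
    $source = file_get_contents($argv[1]);
    if ($source === false) { fwrite(STDERR, "cannot read {$argv[1]}\n"); exit(2); }
    echo expandArgumentsState($source), PHP_EOL;
} else {
    echo 'sample before: ', expandArgumentsState($sampleBefore), PHP_EOL;
    echo 'sample after:  ', expandArgumentsState($sampleAfter), PHP_EOL;
}
```

The patterns are deliberately narrow, so an UNKNOWN result should be resolved by reading the loop by hand rather than treated as safe.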

Page 19: Hong Kong Drupal User Group - Nov 8th

Any Follow Up Action Required?

● Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.

● While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch.

Page 20: Hong Kong Drupal User Group - Nov 8th

Is Drupal Secure?

● All software has security vulnerabilities and Drupal is no exception. In a study by WhiteHat Security, 86% of websites across a variety of platforms, both Open Source and proprietary, had a serious vulnerability.

● Drupal aims to provide a framework with built-in security features that make it easier for site-builders and developers to build a secure website.

● Over the years the mix of security issues found in Drupal has changed. The OWASP project lists injection issues such as SQL Injection as the #1 issue based on how often it is found and the risk exposure. By providing rich APIs and developer education, Drupal has reduced the frequency of SQL Injection vulnerabilities.

Page 22: Hong Kong Drupal User Group - Nov 8th

Security Tips

● Keep Your Drupal Install Updated
● Always Keep Maintained Plug-ins And Modules
● Making Strong Passwords
● Authorize Website Accounts
● Setup Firewall Settings
● Make A Security Strategy For Your Independent Modules
● Think Like A Hacker
● Audit Your Drupal Security
● Get In Touch With the Drupal Community And Security Team

Page 24: Hong Kong Drupal User Group - Nov 8th

Q & A

Page 25: Hong Kong Drupal User Group - Nov 8th

I Need More Help!

● Read documents from Drupal Community
  – https://drupal.org/documentation

● Join Hong Kong Drupal User Group
  – Event organizing: http://www.meetup.com/drupalhk
  – Technological discussion: https://groups.drupal.org/drupalhk
  – Business connection: http://www.linkedin.com/groups/?gid=6644792
  – General sharing: https://www.facebook.com/groups/drupalhk

● Contact us for one (1) month free-trial support service
  – http://pantarei-design.com/services/support/#support-service-plans

Page 26: Hong Kong Drupal User Group - Nov 8th

Thank You

● Please feel free to contact us:
  – Unit 207, 2/F IC Development Centre, No.6 Science Park West Avenue, Hong Kong Science Park, Shatin, N.T.
  – +852 3576 3812
  – http://pantarei-design.com/
  – [email protected]