Security Advisory: Drupal Core SQL Injection

Description:

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. Vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.

Officially, the Vulnerability is documented as CVE-2014-3704 & SA-CORE-2014-005. Versions Affected – Drupal core 7.x versions prior to 7.32

Impact:

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC that is 7 hours after the announcement.

Mitigation:

Install the latest version:

  • If you use Drupal 7.x, upgrade to Drupal core 7.32.
  • If you are unable to update to Drupal 7.32 you can apply this patch to Drupal’s database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32.

Even if you applied the patch, you need to be aware that this will not overwrite any backdoors that attackers may have already installed.

Follow the steps for safe patching:

  • Take the website offline by replacing it with a static HTML page
  • Notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack
  • Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
  • Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014
  • Update or patch the restored Drupal core code.
  • Put the restored and patched/updated website back online
  • Manually redo any desired changes made to the website since the date of the restored backup
  • Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.

References:

  1. https://www.drupal.org/SA-CORE-2014-005
  2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
Share this entry

0 Comments

Leave a Comment