[Security-news] Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003
security-news at drupal.org
security-news at drupal.org
Wed Oct 29 17:30:17 UTC 2014
View online: https://www.drupal.org/PSA-2014-003
* Advisory ID: DRUPAL-PSA-2014-003
* Project: Drupal core [1]
* Version: 7.x
* Date: 2014-October-29
* Security risk: 25/25 ( Highly Critical)
AC:None/A:None/CI:All/II:All/E:Exploit/TD:All [2]
-------- DESCRIPTION
---------------------------------------------------------
This Public Service Announcement is a follow up to SA-CORE-2014-005 - Drupal
core - SQL injection [3]. This is not an announcement of a new vulnerability
in Drupal.
Automated attacks began compromising Drupal 7 websites that were not patched
or updated to Drupal 7.32 within hours of the announcement of
SA-CORE-2014-005 - Drupal core - SQL injection [4]. You should proceed under
the assumption that every Drupal 7 website was compromised unless updated or
patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
*Simply updating to Drupal 7.32 will not remove backdoors.*
If you have not updated or applied this patch [5], do so immediately, then
continue reading this announcement; updating to version 7.32 or applying the
patch fixes the vulnerability but does not fix an already compromised
website. If you find that your site is already patched but you didn’t do
it, that can be a symptom that the site was compromised - some attacks have
applied the patch as a way to guarantee they are the only attacker in control
of the site.
.... Data and damage control
Attackers may have copied all data out of your site and could use it
maliciously. There may be no trace of the attack.
Take a look at our help documentation, ”Your Drupal site got hacked, now
what” [6]
.... Recovery
Attackers may have created access points for themselves (sometimes called
“backdoors”) in the database, code, files directory and other locations.
Attackers could compromise other services on the server or escalate their
access.
Removing a compromised website’s backdoors is difficult because it is not
possible to be certain all backdoors have been found.
The Drupal security team recommends that you consult with your hosting
provider. If they did not patch Drupal for you or otherwise block the SQL
injection attacks within hours of the announcement of Oct 15th, 4pm UTC,
restore your website to a backup from before 15 October 2014:
1) Take the website offline by replacing it with a static HTML page
2) Notify the server’s administrator emphasizing that other sites or
applications hosted on the same server might have been compromised via a
backdoor installed by the initial attack
3) Consider obtaining a new server, or otherwise remove all the website’s
files and database from the server. (Keep a copy safe for later
analysis.)
4) Restore the website (Drupal files, uploaded files and database) from
backups from before 15 October 2014
5) Update or patch the restored Drupal core code
6) Put the restored and patched/updated website back online
7) Manually redo any desired changes made to the website since the date of
the restored backup
8) Audit anything merged from the compromised website, such as custom code,
configuration, files or other artifacts, to confirm they are correct and
have not been tampered with.
While recovery without restoring from backup may be possible, this is not
advised because backdoors can be extremely difficult to find. The
recommendation is to restore from backup or rebuild from scratch.
For more information, please see our FAQ on SA-CORE-2014-005 [7].
-------- WRITTEN BY
----------------------------------------------------------
* Michael Hess [8] of the Drupal Security Team
* Bevan Rudge [9]
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [10] of the Drupal Security Team
* Stéphane Corlosquet [11] of the Drupal Security Team
* Greg Knaddison [12] of the Drupal Security Team
* Rick Manelius [13] of the Drupal Security Team
* Peter Wolanin [14] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
We've prepared a FAQ on this release. Read more at FAQ on SA-CORE-2014-005
[15].
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [16].
Learn more about the Drupal Security team and their policies [17], writing
secure code for Drupal [18], and securing your site [19].
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/SA-CORE-2014-005
[4] https://www.drupal.org/SA-CORE-2014-005
[5] https://www.drupal.org/SA-CORE-2014-005
[6] https://www.drupal.org/node/2365547
[7] https://www.drupal.org/drupalsa05FAQ
[8] https://www.drupal.org/u/mlhess
[9] https://www.drupal.org/u/Bevan
[10] https://www.drupal.org/u/mlhess
[11] https://www.drupal.org/u/scor
[12] https://www.drupal.org/u/greggles
[13] https://www.drupal.org/u/rickmanelius
[14] https://www.drupal.org/u/pwolanin
[15] https://www.drupal.org/drupalsa05FAQ
[16] https://www.drupal.org/contact
[17] https://www.drupal.org/security-team
[18] https://www.drupal.org/writing-secure-code
[19] https://www.drupal.org/security/secure-configuration
More information about the Security-news
mailing list