Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability
- 1. Hong Kong Drupal User Group Drupal 7.32 Security Vulnerability Edison Wong 2014 Nov 08th
- 2. Edison Wong ● CEO, PantaRei Design – [email protected] ● Drupal developer & contributor – https://drupal.org/user/33940 ● HKDUG Co-founder – https://groups.drupal.org/drupalhk ● Startup founder – 2009 - PantaRei Design founded – 2010 - YBHK applicant – 2011 - ITF SERAP applicant – 2011 - HKSTP Incu-Tech applicant
- 3. PantaRei Design ● Hong Kong based Free and Open Source Software (FOSS) service provider – Content Management System (CMS) with Drupal – Cloud hosting with Amazon Web Services (AWS) ● Business Partnership – 2012 - AWS Consulting Partner – 2013 - Acquia Partner – 2013 - Atlassian Experts – 2014 - Rackspace Hosting Partner ● FOSS Contributor – 2008 - Hong Kong Drupal User Group Co-founder – 2012 - Drupal Services Provider
- 9. Outline ● What's Happened with Drupal 7.32? ● Technical Details ● OMG! So What Should I Do for It? ● How to Restore My (Hacked) Drupal Site? ● How to Update My Drupal Site? ● Any Follow Up Action Required? ● Is Drupal Secure? ● Security Tips
- 10. What's Happened with Drupal 7.32? ● Vulnerability: SQL Injection ● Security risk: 25/25 (Highly Critical) ● Unless updated or patched to Drupal 7.23 before 2014 Oct 15th, 23:00 UTC (i.e. 7 hours after the announcement), you should assume your sites was compromised. ● Simply updating to Drupal 7.32 will NOT remove backdoors. ● Attackers may have copied all data out of your site and could use it maliciously. ● There may be no trace of the attack.
- 12. Technical Details ● Drupal uses prepared statements in all its SQL queries. To handle IN statements there is an expandArguments() function to expand arrays. ● The function assumes that it is called with an array which has no keys. Example: – db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('user1','user2'))); ● Which results in this SQL Statement with the parameters name_0 = user1 and name_1 = user2: – SELECT * from users where name IN (:name_0, :name_1)
- 13. Technical Details (cont.) ● The Problem occurs, if the array has keys, which are no integers. Example: – db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('test -- ' => 'user1','test' => 'user2'))); ● This results in an exploitable SQL query with parameters :name_test = user2: – SELECT * FROM users WHERE name = :name_test -- , :name_test AND status = 1
- 14. Technical Details (cont.) ● Since Drupal uses PDO, multi-queries are allowed. So this SQL Injection can be used to insert arbitrary data in the database, dump or modify existing data or drop the whole database. ● With the possibility to INSERT arbitrary data into the database an attacker can execute any PHP code through Drupal features with callbacks. ● Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access.
- 16. OMG! So What Should I Do for It? ● Removing a compromised website’s backdoors is difficult because it is not possible to be certain all backdoors have been found. ● The Drupal security team recommends that you consult with your hosting provider. If they did not patch Drupal for you or otherwise block the SQL injection attacks within hours of the announcement of Oct 15th, 4pm UTC, restore your website to a backup from before 15 October 2014.
- 17. How to Restore My (Hacked) Drupal Site? ● Take the website offline by replacing it with a static HTML page ● Notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack. ● Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.) ● Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014
- 18. How to Update My Drupal Site? ● Update or patch the restored Drupal core code, e.g. – cd public_html – curl -sL https://www.drupal.org/files/issues/SA-CORE- 2014-005-D7.patch | patch -p1 ● Put the restored and patched/updated website back online. ● Manually redo any desired changes made to the website since the date of the restored backup.
- 19. Any Follow Up Action Required? ● Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with. ● While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch.
- 20. Is Drupal Secure? ● All software has security vulnerabilities and Drupal is no exception. In a study by WhiteHat Security, 86% of websites across a variety of platforms both Open Source and proprietary had a serious vulnerability. ● Drupal aims to provide a framework with built-in security features that make it easier for site-builders and developers to build a secure website. ● Over the years the mix of security issues found in Drupal has changed. The OWASP project lists injection issues such as SQL Injection as the #1 issue based on how often it is found and the risk exposure. By providing rich APIs and developer education, Drupal has reduced the frequency of SQL Injection vulnerabilities.
- 22. Security Tips ● Keep Your Drupal Install Updated ● Always Keep Maintained Plug-ins And Modules ● Making Strong Passwords ● Authorize Website Accounts ● Setup Firewall Settings ● Make A Security Strategy For Your Independent Modules ● Think Like A Hacker ● Audit Your Drupal Security ● Get In Touch With the Drupal Community And Security Team
- 23. References ● https://www.drupal.org/drupalsa05FAQ ● https://www.drupal.org/SA-CORE-2014-005 ● https://www.drupal.org/PSA-2014-003 ● https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patc h ● https://www.drupal.org/node/2365547 ● https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre- auth-sql-injection-vulnerability.html ● http://drupal.stackexchange.com/questions/133795/what-kind-of -attacks-does-the-patch-for-sa-core-2014-005-drupal-7-32-prev ent
- 24. Q & A
- 25. I Need More Help! ● Read documents from Drupal Community – https://drupal.org/documentation ● Join Hong Kong Drupal User Group – Event organizing: http://www.meetup.com/drupalhk – Technological discussion: https://groups.drupal.org/drupalhk – Business connection: http://www.linkedin.com/groups/?gid=6644792 – General sharing: https://www.facebook.com/groups/drupalhk ● Contact us for one (1) month free-trial support service – http://pantarei-design.com/services/support/#support-service-plan s
- 26. Thank You ● Please feel free to contact us: – Unit 207, 2/F IC Development Centre, No.6 Science Park West Avenue, Hong Kong Science Park, Shatin, N.T. – +852 3576 3812 – http://pantarei-design.com/ – [email protected]