Drupal Vulnerability

Current event – 1.1 of post

This is a current event and as such the blog post is subject to change over the course of a couple of days as we performed further supplementary research and analysis by NCC Group’s Cyber Defence Operations and Security Consulting divisions.

v1.1 – updated to include initial Snort signature for user table modification
v1.0 – initial version

Background

Yesterday CVE-2014-3704 was released with corresponding patch for Drupal 7 which is a very common open source content management system. The vulnerability is due to a bug in the code which is intended to mitigate SQL Injection vulnerabilities by the use of prepared statements.

However, instead of mitigating this class of vulnerability it instead introduced the risk of unauthenticated SQL Injection allowing for arbitrary database modifications including the resetting of the administrative password.

It should be noted that access to the Drupal administrative interface is not required to exploit this vulnerability. As such it is not sufficient to put access controls around the administrative interface to mitigate this issue instead of patching.

The existence of this vulnerability has been publically known since at least November 29, 2013 in the Drupal bug tracker.

Further detailed technical analysis is available from Stefan Host.

Affected Systems

Any Drupal 7 installation prior to 7.32 is affected by this vulnerability.

Impact of Exploitation

Successful exploitation of this vulnerability can result in:

  • Administrative level access to the Drupal installation.
  • Compromise of the webserver that Drupal is running upon.
  • Ability to perform arbitrary modifications to databases with the permissions that the Drupal deployment uses.
  • Modification of content including the addition of malicious code designed to attack users of the websites whose content is managed by the Drupal deployment.

Recommendations to Customers

NCC Group recommends that customers should in the short term:

  • Identify all Internet exposed systems which are running Drupal 7 and patch immediately
  • Identify all internal systems which are running Drupal 7 and patch within the next week.

Active Exploitation

There are proof-of-concept exploits available which resets the administrative password and we expect active exploitation to increase steadily over the course of the next few hours.

Detection Signatures

The following Snort rule has been produced by NCC Group’s Cyber Defence Operations team to alert on attempts to modify the Druple users table based on the current public exploits:

alert tcp any any any 80 (content: "POST"; http_method; content: "update|2B|users|2B|set"; http_client_body; sid:6000001;)

However, it should be noted as the underlying issue is SQL injection the payload may greatly vary and the exploits become more sophisticated.

Further Updates

As further information becomes available we will update this post during the day.

Published date:  16 October 2014

Written by:  Ollie Whitehouse