
Important Drupal Release on March 28

     
4:52 pm on Mar 25, 2018 (gmt 0)

ergophobe (Moderator)


This makes it sound as bad as Drupalgeddon in 2014 when a vulnerability allowed access to the server (not just Drupal), meaning that the only way to be sure an unpatched site was safe was to rebuild the server.

Make sure you have your backups before the patch is released at 18:00 UTC on March 28. Then patch as soon as you can.

* Advisory ID: DRUPAL-PSA-2018-001
* Project: Drupal Core
* Version: 7.x, 8.x
* Date: 2018-March-21

-------- DESCRIPTION ---------------------------------------------------------

There will be a security release of *Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on
March 28th 2018 between 18:00 - 19:30 UTC*, one week from the publication of
this document, that will fix a highly critical security vulnerability. The
Drupal Security Team urges you to reserve time for core updates at that time
because exploits /might/ be developed within hours or days. Security release
announcements will appear on the Drupal.org security advisory page [1].

While Drupal 8.3.x and 8.4.x are no longer supported and we don't normally
provide security releases for unsupported minor releases [2], given the
potential severity of this issue, we /are/ providing 8.3.x and 8.4.x releases
that include the fix for sites which have not yet had a chance to update to
8.5.0. The Drupal security team strongly recommends the following:
* Sites on 8.3.x should immediately update to the 8.3.x release that will be
provided in the advisory, and then plan to update to the latest 8.5.x
security release in the next month.
* Sites on 8.4.x should immediately update to the 8.4.x release that will be
provided in the advisory, and then plan to update to the latest 8.5.x
security release in the next month.
* Sites on 7.x or 8.5.x can immediately update when the advisory is released
using the normal procedure.

The security advisory will list the appropriate version numbers for all three
Drupal 8 branches. Your site's update report page will recommend the 8.5.x
release even if you are on 8.3.x or 8.4.x, but temporarily updating to the
provided backport for your site's current version will ensure you can update
quickly without the possible side effects of a minor version update.

The Security Team or any other party is not able to release any more
information about this vulnerability until the announcement is made. The
announcement will be made public at www.drupal.org/security [3], over
Twitter, and in email for those who have subscribed to our email list. To
subscribe to the email list: log in on drupal.org, go to your user profile
page and subscribe to the security newsletter on the Edit My newsletters
tab.

Journalists interested in covering the story are encouraged to email
security-press@drupal.org to be sure they will get a copy of the
journalist-focused release. The Security Team will release a
journalist-focused summary email at the same time as the new code release and
advisory.

If you find a security issue, please report it at
[drupal.org...] [4].

[1] [drupal.org...]
[2] [drupal.org...]
[3] www.drupal.org/security
[4] [drupal.org...]
5:34 pm on Mar 25, 2018 (gmt 0)

Full Member from CA 


That sounds like an impending nuclear attack. Thanks for the heads up.
6:21 pm on Mar 25, 2018 (gmt 0)

ergophobe (Moderator)


>>impending nuclear attack

If it's anything like Drupalgeddon, that's a fair characterization. The tough thing about Drupalgeddon is that within a few hours of its being released, they had changed the exploit to deliver whatever payload they wanted outside of Drupal root, and then erase any signs of the exploit. So if you didn't patch fast, you might not even know the server was compromised.

Some huge percentage of Drupal sites were hit within the first couple of hours and then tons more in that first day.

I got hit in the first couple of hours with that one, so it left traces, but there was no way to know whether or not you got them all. I had to rebuild a VPS from backups, but not all my backups were perfect... I learned from that. Now I take a manual image of the VPS when I make major changes and a daily image. If I get hit this time, I'll just destroy the VPS instance and spin up a new one.
4:32 pm on Mar 29, 2018 (gmt 0)

lifeinasia (Moderator from US)


Thanks for the heads up. I patched my sites yesterday.

I feel like I should proudly wear an "I patched" sticker to help raise awareness, but most people would probably just think I'm an ex-smoker.
5:24 pm on Mar 29, 2018 (gmt 0)

Full Member from CA 


>>I feel like I should proudly wear an "I patched" sticker to help raise awareness, but most people would probably just think I'm an ex-smoker.

Or a motorcycle gang member!
5:17 am on Mar 30, 2018 (gmt 0)

ergophobe (Moderator)


Patches went smoothly. I haven't heard any reports of sites getting hit. Not like Drupalgeddon, when huge percentages of Drupal sites got nailed in the first few hours.
1:35 pm on Mar 30, 2018 (gmt 0)

Full Member from CA 


Yes, the patch was a non-event, which in the software world is a very good thing!
7:01 pm on Apr 3, 2018 (gmt 0)

Senior Member from US 


I'd appreciate it if someone would give an opinion on if/how much the vulnerability got exploited in the wild.

I updated core but it was a full 32 hours after its release. Is there any way to check or any reason to be especially concerned about being hacked? (My sites are informational. No personal information collected, like credit cards and such. I would think my type of site would be low on a hackers list anyway.)
8:01 pm on Apr 3, 2018 (gmt 0)

ergophobe (Moderator)


I've looked and haven't found any reports of sites getting taken down by this exploit. I expect you're good.

One thing is that after an exploit, it can be hard to do forensics. Having version control for source code is a good start.

What I did to prep is:

1. The code part
Do a complete update of core and contrib modules to be up to date and then do a git commit. Then I can just run a "git status" and see whether any files have been changed.

2. The user files part
This is harder and it depends on how active the site is. But you can, on *nix, use the find command to find all files modified since a certain time. In your case, you would want to look for any files changed in the 32 hours between when the exploit was announced and when you patched. This only works for a situation like this one where it was a zero-day exploit. If the exploit has been in the wild for an unknown amount of time, then you can't do anything.

3. The database part
I didn't do any forensics here to be honest, but I did grab a DB dump the day before and in general I have my sites set to regularly back up the DB in some way. If something looked awry, I would be able to compare the databases before and after, but this is super hard because all sorts of minor things change in a CMS database just as it updates logins and cache tables and so forth. But the obvious thing you can do is look to see whether there are any unexpected admin users created.

>>my type of site would be low on a hackers list anyway

Keep in mind, they aren't going out and hunting for specific targets in a case like this. They are using databases of known Drupal sites and then just hitting them en masse with automated bots that will give them admin access, then when they have slurped up as many as possible, they'll go back through and decide how to exploit these. If you rank well for certain terms, they could use it for blackhat link building, for example.

But the key thing is that the nature of your site isn't much protection against attack. It is more a matter of the consequences of that attack.
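One way to script the three-part check above, as an added example rather than ergophobe's own commands (it assumes GNU find/touch, a Drupal 7 database schema with the users, users_roles and role tables, and constructed window timestamps):

```shell
#!/bin/sh
# Added example, not from the thread: post-patch triage following the
# three-part checklist (git drift, files touched in the exposure window,
# unexpected admin accounts). Assumes GNU find/touch and a Drupal 7 schema
# (users, users_roles, role). Window timestamps are constructed and are
# interpreted in the host's local timezone by find and the database.

# 1. Code part: after committing the freshly patched tree, anything git
#    reports (modified or untracked) is something the update did not put there.
git_drift() {
    git -C "$1" status --porcelain
}

# 2. User-files part: regular files whose mtime falls inside [start, end).
#    Use the advisory release time as start and your own patch time as end.
files_changed_in_window() {
    docroot=$1; start=$2; end=$3
    find "$docroot" -type f -newermt "$start" ! -newermt "$end" | sort
}

# 3. Database part: emit SQL listing accounts created inside the window or
#    holding the administrator role, to review against the accounts you expect.
#    Example: db_query_new_admins START END | mysql drupal
db_query_new_admins() {
    cat <<SQL
SELECT u.uid, u.name, u.mail, FROM_UNIXTIME(u.created) AS created, r.name AS role
FROM users u
LEFT JOIN users_roles ur ON ur.uid = u.uid
LEFT JOIN role r ON r.rid = ur.rid
WHERE u.created BETWEEN UNIX_TIMESTAMP('$1') AND UNIX_TIMESTAMP('$2')
   OR r.name = 'administrator'
ORDER BY u.created DESC;
SQL
}

# Usage (only runs when DOCROOT is set): the window is the advisory's 18:00
# release on March 28 up to a patch applied 32 hours later.
if [ -n "${DOCROOT:-}" ]; then
    WIN_START='2018-03-28 18:00:00'
    WIN_END='2018-03-30 02:00:00'
    echo "== files changed in window =="
    files_changed_in_window "$DOCROOT" "$WIN_START" "$WIN_END"
    echo "== git drift (if the docroot is a git checkout) =="
    git_drift "$DOCROOT" 2>/dev/null || echo "(not a git checkout)"
    echo "== SQL to run against the site database =="
    db_query_new_admins "$WIN_START" "$WIN_END"
fi
```

Drupal 8 keeps the same information in users_field_data and user__roles (roles_target_id), so the query needs adjusting there.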
8:33 pm on Apr 3, 2018 (gmt 0)

lifeinasia (Moderator from US)


>>my type of site would be low on a hackers list anyway

The other perspective is that the smaller/less well-known you are, the more likely that you don't have a big IT department hardening the defenses, meaning you can be perceived as easy pickings for being hacked.

Hackers aren't just looking for CC numbers or personal information. Lots are looking for servers they can take over to send out spam or inject their spam links or load virus payloads for site visitors or any number of other reasons.
8:48 pm on Apr 3, 2018 (gmt 0)

Full Member from CA 


I think these bots treat all sites the same: They look for specific vulnerabilities. Each site is just an entry in a database for them to try. They run the script, and it is either successful or not.
10:22 pm on Apr 3, 2018 (gmt 0)

ergophobe (Moderator)


@TorontoBoy - exactly.

I can tell you with Drupalgeddon, the e-commerce site I managed that is a small side business, but does run $30k per month through it on a good month, was not hit.

The site that I forgot I even had lurking on a server was hit and was the gateway to access to that server (which hosted other sites, but fortunately not the e-comm site).

It's just an automated attack. Look at your server logs on a non-Wordpress site. It's full of requests for Wordpress files. Look at your log files on a Linux server. It's full of requests for Windows files.

Think about it from the hacker's perspective - it takes more resources to query the site and find out what platform it's on than to just try the exploit. The only reason they would target Drupal sites based on a pre-defined database is that they know the clock is ticking and they can only make so many requests per second. So I assume they have databases of URLs that tell them what tech a site runs on and sometimes they use that when they think there is a narrow window for the exploit. Otherwise, dumb bots just crawl the web hoping to strike gold.
12:10 am on Apr 4, 2018 (gmt 0)

Full Member from CA 


FYI I have played with some open source hacking tools (cannot mention them here), which can do reconnaissance/scouting and then hack devices or web sites. It uses an open source database of software vulnerabilities.

Scanning a Drupal site with this tool I found there are scant few vulnerabilities to report. Ditto for a Linux box. Then I tried one of my Wordpress sites and there were vulnerabilities galore. If you have a WP site, lock it down good and do those updates in a timely fashion.
5:34 am on Apr 14, 2018 (gmt 0)

ergophobe (Moderator)


And it looks like as of April 11, automated attacks are exploiting this vulnerability. If you aren't patched yet, you're probably screwed.
[drupal.org...]