Author Topic: vulnerability: over 1 million sites are affected, about 9% of Drupal sites  (Read 763 times)

DogBoy

  • Inner Core
  • Hero Member
  • *
  • Posts: 513
    • View Profile
    • Email
This morning we are publishing a public service announcement about a severe Drupal core remote code execution vulnerability announced yesterday. If you use Drupal or know someone who does, I'd encourage you to read this post and spread the word.

The vulnerability allows an attacker, leveraging multiple attack vectors, to take complete control of a website. The Drupal team estimates that at the time of the announcement over 1 million sites are affected, about 9% of Drupal sites.

Our focus is usually WordPress security, but given the severity and wide impact of this vulnerability, we feel it justifies a PSA to help spread the word.

You can find the full details on the official Wordfence blog...

Regards,


Mark Maunder
Defiant Inc CEO

ergophobe

  • Inner Core
  • Hero Member
  • *
  • Posts: 4183
    • View Profile
I should have mentioned this here.

This letter you mention is wrong. It affected 100% of Drupal sites - D6, D7, and D8 - and Drupal announced last week that a crucial patch was coming and everyone should set aside time on March 28 to patch sites as soon as the patches were released.

I patched three sites. No issues.

The 9% figure is 9% of all websites running a known CMS. So basically, Mark Maunder needs to read the announcements more carefully

https://groups.drupal.org/security/faq-2018-002
https://www.drupal.org/sa-core-2018-002

I patched three sites yesterday.

On something like this, there were no known exploits in the wild before the patch was released. So any exploit would affect your server after the patch release (roughly after 18:00 UTC on March 28).

If you have your code in version control, you can look and see if there were any files placed on the server in code
For the user files (the sites/files directory in Drupal) you can run a "find" command with an -mtime=1 (one day) or -mmin=600 (600 minutes) and see any files that were modified in that time frame and audit those files.

Once you have done that, you do your git pull and pull down the patched code and you're safe.

You don't know if someone has created a user in your DB, but for most sites, you can delete any user you don't know who was created since the patch was released.

ergophobe

  • Inner Core
  • Hero Member
  • *
  • Posts: 4183
    • View Profile
To find files modified in the last 10 hours, you would need something like

>find . -mmin -600 -type f -exec ls -l {} +

bill

  • Devil's Avocado
  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1279
  • Avast!
    • View Profile
    • Email
Is this yet another Drupalgeddon? I was asking around for quotes to move a number of sites to Drupal and this news isn't putting a lot of confidence in that idea. Is Drupal handling this one better than the last big one?

ergophobe

  • Inner Core
  • Hero Member
  • *
  • Posts: 4183
    • View Profile
I don't think it's another Drupalgeddon.

The thing about Drupalgeddon, is that the exploit was discovered in the wild, then patched if I recall.

This was discovered in a security audit, announced a week ahead of time to give people time to get ready, and then the patch release.

In my case, this meant I could do some prep work (backups, all available updates, etc), so when the patch came out, it was a 5-min process for each site.

That said, for me the color has really worn off on Drupal. Drupal 8 is a beast. I've found it virtually impossible to work with. I feel like at this point, you pretty much need an experienced Drupal shop running your install and doing all your updates or you need an end user who can handle Composer, something like grunt/gulp/bower, git for sure, and probably Drupal Console (a command line tool that has taken over a lot of what drush does), and you still need drush for some things.

In my case, every time from D8 alpha releases through D8.4, I've found just keeping a site running to be hard and the most minor updates to be a nightmare of poorly managed dependencies and Composer hell.

I have pretty much stopped recommending Drupal. I will update a couple of D7 sites to D8 once D8.6 comes out (which will include a Media Library for media reuse, similar to what Wordpress has and has had for... a decade?). But that's just because I'm stubborn.

I would not recommend Drupal to anyone who doesn't have a good maintenance budget and either considerable expertise with the basic dev tools or budget to hire someone who does. Not for small sites anymore.

If they haven't used Composer fairly extensively, they shouldn't even try to run a D8 site.

And of course, once D9 comes out, D7 will be EOL with three months and you'll
« Last Edit: March 29, 2018, 10:58:57 PM by ergophobe »

bill

  • Devil's Avocado
  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1279
  • Avast!
    • View Profile
    • Email
I have pretty much stopped recommending Drupal.
Oh? I remember back in the day that you were quite fond of the platform. I had a couple sites on much earlier versions of Drupal (5?or 6?) and one catastrophic update left me without sites. I gave up after that and had not bothered to resuscitate them. They were more or less testing sites so no great loss. However I had higher hopes for the 8.x line.

Although the frequency of critical vulnerabilities in Drupal seems to be less than WordPress (which I refuse to use for my main sites) I'm having second thoughts now. It's looking like a bigger security liability the more I look back into it.

ergophobe

  • Inner Core
  • Hero Member
  • *
  • Posts: 4183
    • View Profile
I remember back in the day that you were quite fond of the platform.

I was. To me, Drupal 7 is the Windows XP version and Drupal 8 is... remains to be seen. It's either the Windows 98 version or the Windows Vista version. It has lost a lot of people. One of the top Drupal contributors forked it into Backdrop because he thought Drupal 8 was headed in the wrong direction. This is a guy with almost 7,000 commits on Drupal.org - https://www.drupal.org/u/quicksketch

If you'll recall, what I always said about Drupal is: "If Drupal works for you out of the box, then you should be using Wordpress." Drupal always brought a lot of complexity with it, but what it gave was some tremendous capabilities.

The killer feature it has is in handling structured data. You can add "fields" and you can slice and dice them in a seemingly infinite number of ways with "views." It's easy to write a views formatter and you can take your data and turn it into a slideshow, a carousel, a sortable table, a sales report, a tax report, etc., with minimal coding.

Back in the Drupal 6 and 7 days, it was my bread and butter for a fairly simple reason: it was easy for people to get in over their heads. So they would build a site or have it built, and then realize they needed to hire someone to bail them out. As Drupal had a much, much smaller developer community than Wordpress, it was much more lucrative (and I think still is).

What I'm finding with Drupal 8, though, is that it requires a large skillset just to keep the thing running (again Composer, grunt/gulp/bower, git, Drupal Console, drush) and is so prone to breaking that even minor version upgrades are utterly nerve-wracking affairs. If you compare a major version upgrade of Wordpress to a minor version upgrade of Drupal 8, I will take the major version upgrade of Wordpress any day. In my experience with Drupal 8, there is a far better than 50% chance that a minor version upgrade will utter bork your site and get you into a circular dependency trap that is hell to get out of.

If you want some gripping, blow-by-blow dependency hell blogging by yours truly...
https://www.drupal.org/forum/support/upgrading-drupal/2017-10-06/update-to-84-with-composer

So speaking of minimum skills, it is essential that you have a dev -> test -> deploy workflow. That was always a best practice for me on D6 and D7, but I would say half of all Wordpress "developers" don't bother (things like dev, staging and production separation, version control, unit testing, continuous integration, etc., have been much, much slower to come to Wordpress or, for that matter, Sitecore than to Drupal). But with D8, only a fool would do even a minor update on a live site.

Quote
Although the frequency of critical vulnerabilities in Drupal seems to be less than WordPress

This is always a tough statistic. I think Drupal takes security much, much more seriously than Wordpress. All Drupal modules that are distributed on Drupal.org are subject to the same vulnerability reporting. So if there's a vulnerability in a module, that's reported in security warnings and emails, even if only a small number of people have the module installed. They also segment normal updates from security updates and you can choose to just install security updates. When there is a security update for any of your modules, Drupal self-reports that and sends you an email the next time cron runs (so at least daily, but usually it checks that hourly).

So there tends to be a lot of reports about vulnerabilities for Drupal, but that's because it takes security so much more seriously than Wordpress (that's just a subjective opinion, not based on any hard data).

With Drupal 8, you get all the benefits of the Symfony community and all the testing they've done too.

I think that explains some of Drupal's growing pains as well. There is so little code overlap between D7 and D8 that it is basically a whole new system. So it's not quite like the switch to Vista, which was built on NT. It's as if after XP, Microsoft had scrapped all their code and built NT and Vista all in one go and released it.

There is discussion in the Drupal community that it has become too hard for people who are not strong with Composer and there's talk of creating a GUI that would interface with Composer and allow a simpler experience.

Nevertheless, I stand by my original. Nobody who does not have either strong skills in Drupal 8 or strong skills in Composer, git, grunt/gulp/bower, and Symfony should be building a Drupal 8 site for anything that matters.

And though I still like Drupal 7 and think it's a great tool, I no longer recommend it. Let's say you start a Drupal 7 project today and Drupal 9 comes out in three years. You are faced with a Drupal 8 upgrade at that point and if the tools still are not in place, that's going to a difficult and expensive project. Major version upgrades in Drupal are frequently 50% to 80% the cost of simply starting from scratch.

They have realized that is a problem and have committed to smoother upgrades from 8 to 9 and beyond, but you still have to hope that by the time you need to get off D7, that the Migrate module will have full coverage for all the modules you have on your D7 site. And generally, since there's no point in using Drupal unless you want significant customization, you will almost certainly have to write your own Migrate submodules... which I found rather hard.

Amazing tool. Increasing headache.

I've also found it to be quite buggy, which is the other thing that killed me. For a while, I felt like every module required a patch. Sometimes there were issues in the issue queue that went back three years, but I had promised that functionality to a client based on the module description. So instead of a 30-minute install, I had a 30-hour debug and patch process.

Quote
WordPress (which I refuse to use for my main sites)

Despite all my disparaging remarks about Wordpress security above, I think that if you avoid a lot of plugins and stick with the best and you set Wordpress to update automatically, you will almost never get hacked. Almost all WP hacks are for unpatched sites.

There are now a lot of good options for keeping your site patched in real time, for keeping archived backups, and for having real-time malware defense. Last week you could have defended five sites for life for $49 with MalCare on AppSumo https://appsumo.com/malcare-recap

ManageWP makes it easy to keep multiple sites up and running and be able to gracefully back out of a failed update.

Simply put, there is no excuse for a Wordpress site being out of date in general (a recent glitch did actually disable automatic updates in a recent release) and a Wordpress site that is not out of date is very rarely hacked.

« Last Edit: March 30, 2018, 04:57:57 AM by ergophobe »

ergophobe

  • Inner Core
  • Hero Member
  • *
  • Posts: 4183
    • View Profile
Yikes! Almost 1,200 words. I guess it's still something that gets me a bit hot under the collar

ergophobe

  • Inner Core
  • Hero Member
  • *
  • Posts: 4183
    • View Profile
@bill - take a look at TorontoBoy's last comment in this thread: https://www.webmasterworld.com/website_security_webmasters/4893157.htm

ergophobe

  • Inner Core
  • Hero Member
  • *
  • Posts: 4183
    • View Profile
And it looks like as of April 11, automated attacks are exploiting this vulnerability. If you aren't patched yet, you're probably screwed
https://www.drupal.org/psa-2018-002