Drupal vulnerability blamed for problems at Indiana Dept. of Education

Drupal, the CMS platform that competes with WordPress and powers some one million websites the world over, recently warned users that unless they patched a newly disclosed SQL Injection vulnerability within seven hours, it was best to assume they’ve suffered a full compromise.

On Monday, Indiana’s Department of Education glimpsed the dark side of patch management, after administrators discovered that their website had been defaced.

The defacement was a single message, likely part of a larger defacement sweep by a person claiming the represent the Nigeria Cyber Army. Other recent defacements by the same individual embedded music on the compromised pages, but the attack on Indiana’s DOE was just a simple statement.

The root cause of the defacement was their vulnerable Drupal installation, the Indiana DOE said:

“This morning, the Indiana Department of Education’s website was hacked due to an apparent Drupal vulnerability. However, there is no sign that any data hosted on the website was compromised. The Department’s Information Technology staff has taken the website down temporarily while this issue is addressed. It is currently anticipated that the website will be down at least through the rest of the day.”

The defacement was visible on every page of the website, and cached copies of it are available on Google and Zone-H.

The Indiana DOE kept their website down for several hours while the issue was addressed. It has since been restored and patched.

Based on the public evidence, the likely entry point for the attacker was a form on the Staff Directory page. After the website was recovered, the record that was used the hijack the site was removed without explanation.

The SQL Injection flaw in Drupal exists within an API that is – ironically – used to prevent SQL Injections.

Drupal said that the API is used as a way to handle prepared statements in Drupal core 7. Due to the vulnerability, all versions of the Drupal 7.x branch before version 7.32 are likely to have been targeted remotely by automated means.

If exploited, a remote, unauthenticated attacker can inject SQL queries, elevate privilege, or otherwise completely control the Drupal installation. Code execution is also possible.

“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement… You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, [which is] 7 hours after the announcement,” an advisory from Drupal explained.

Indiana’s DOE said that data hosted on the website wasn’t compromised – or rather that there was no sign that said data was compromised. However, the nature of the Drupal vulnerability and the power it yields to an attacker means it’s possible to compromise data and leave no trace.

Exploitation would allow full control, and the ability to install backdoors for later infiltration. It isn’t clear how the Indiana DOE resolved the matter, but the best bet would have been to wipe the server clean, restore a backup from October 15 or earlier, and patch the CMS installation from there.

As of Monday, there were 959,000 websites reported as using Drupal 7.x. While it is possible that some websites applied the patch, there are only 286,000 on 7.32. In context, this means that there is a massive amount of vulnerable installations on the Web, each of them waiting to be compromised, if they’re not already.