Installing the patched version is an urgent matter

Oct 16, 2014 23:25 GMT  ·  By

Developers at Drupal released on Wednesday a new version of the CMS including a patch for a severe vulnerability that does not require authentication to be exploited remotely.

The security risk has been assigned the CVE-2014-3704 identifier and consists in the possibility of conducting an SQL injection attack through specially crafted requests.

Ironically, the vulnerable component is a database abstraction API designed specifically to prevent malformed SQL queries from being executed against the database.

The Drupal security team says in the advisory that an attack exploiting this vulnerability “can lead to privilege escalation, arbitrary PHP execution,” with the outcome determined only by the content of the requests.

The issue is extremely serious

Drupal is an open-source CMS (content management system) millions of websites across the world rely on. The current glitch, which affects versions 7.x prior to 7.32, basically allows a malicious actor to act as an administrator on the Drupal site and carry out nefarious activities, like serving malware to visitors or directing them to malicious locations.

Although an update to eliminate the problem has been provided, not all administrators apply it, sometimes because technical limitations are involved.

However, getting the secure version of the Drupal CMS should be top priority these days, because hackers have already started to search for websites vulnerable to the flaw.

The matter is all the more urgent since proof-of-concept code has leaked online, with examples found on Reddit and Pastebin.

Incidents leveraging CVE-2014-3704 have occurred

With the demonstration attack code available, most of the effort a malicious actor would need to breach an organization has been eliminated. All they have to do is adapt the code to their purpose and initiate the attack.

Steven Adair of the security firm Volexity, which specializes in incident response and suppression solutions, says that the Drupal flaw has already been successfully used to compromise some of their customers.

“Volexity has observed attacks against several of its customers in both indiscriminate and targeted capacities. Widespread scanning has been observed against websites that are not even hosting Drupal,” he writes in a blog post.

In some cases, the security researchers noticed that proof-of-concept code was used without any alteration.

Most of the attackers seem to compromise the websites for financial gain, but Volexity also observed incidents originating from IP addresses associated with APT groups running targeted attacks on its clients.

Volexity is one of the private security companies participating in Operation SMN, which gathered intelligence to determine the methods and tools used by a cyber espionage group believed to be from China, and to create a security framework against it.