Security Hot Seat: Unpatched Drupal 7 Sites Compromised

The Open Source CMS Leader in the Hot Seat after Announcement of Widespread Compromise

This past week, Drupal issued a public service announcement which stated that all Drupal 7 sites that were not patched within 7 hours of an October 15 vulnerability disclosure should assume that they have been compromised. According to Sophos, an estimated 12 million sites have been affected.

Drupal's PSA was a follow-up to their previous security announcement stating that a SQL injection vulnerability had been discovered in the Drupal 7 database abstraction API. Drupal rated the flaw as highly critical, meaning that it could be remotely exploited to compromise systems. If exploited, the vulnerability could enable privilege escalation, arbitrary PHP execution, and other attacks. The announcement included a patch to fix the flaw, Drupal 7.32.

Researchers started finding exploits in the wild within hours of the disclosure. Seven hours after Drupal issued the PSA, automated exploits began compromising sites all over the world. Based on the scale of attacks and the number of Drupal 7 sites worldwide, the number of sites affected is likely in the tens of millions.

The announcement shocked the industry; while vulnerability disclosures and patch releases are commonplace for software manufacturers, it is far less common for those announcements to suggest that millions of current deployments have been compromised. According to, many high traffic websites use Drupal, including the White House, The Economist, NBC, and more.

The Drupal security team has advised all Drupal sites to update to 7.32 immediately, but warns that patching alone may not be enough. Sites that failed to patch within 7 hours of the disclosure could still be compromised, even if they have patched since. Drupal is recommending that all sites restore to pre-October 15 versions, then patch and continue to investigate for signs of attack or compromise. Their security team warns that some sites may require server replacements or complete rebuilds. To their credit, the team has been quick to respond to the incident, providing users with full disclosure and recommendations for damage control and recovery. The company also maintains a "Your Drupal site got hacked. Now what?" incident response guide and has created an FAQ to help users safely patch and secure their sites.

Of course, this is not the first instance of a highly critical vulnerability discovery in widely used open source software. Both the Heartbleed and Shellshock vulnerabilities discovered earlier in the year had widespread reach due to the popularity of OpenSSL and Bash. Last year saw open source CMS WordPress' switch to an automatic update model to keep up with vulnerabilities and their required fixes.

These incidents highlight many of the well known issues that plague security teams. Drupal's is another case where the time to compromise for an attack is hours or less, meaning that vulnerability and patch management as well as incident response must be even more agile to stay secure. According to the 2013 Verizon Data Breach Investigations Report, over 80% of compromises are carried out in days or less. Less than 20% of those incidents are detected within the same timespan. As attacks get faster and discovery lags behind, automated exploits could continue to cause widespread compromise.

Nate Lord

Please post your comments here

Customer Spotlight: Deploying a Data Protection Program in Less Than 120 Days

Michael Ring, IT Security Architect at Jabil Circuit shares how they deployed Digital Guardian to over 40,000 users in less than 120 days. Watch the webinar on demand now.

Watch Now

Related Articles
The Security Hot Seat: Ernst & Young

As usual, there was no shortage of security news last week - the unraveling of the Home Depot breach, the discovery that banking malware Dyre has set its sights on Salesforce, and the release of 5 million Gmail logins by Russian hackers were just a few of the big stories. However, I decided to go with a slightly more bizarre selection for this week's Hot Seat.

The Security Hot Seat: PCI Security Standard

As the number of card breaches hits new records, the industry standard created to prevent these breaches finds itself in the Hot Seat

Security Hot Seat: Chip and PIN

The Latest Payment Card Security Technology in this Week's Hot Seat