One of the key principles of good cybersecurity is proactivity. Since no system can be guaranteed to be entirely free of vulnerabilities and flaws (particularly when you bring human error and misconfiguration into the mix), and since malicious cybercriminals are continually developing new tools and techniques, it is vital that IT managers and administrators stay on top of the latest developments and install patches and upgrades wherever necessary. It’s impossible to guarantee that the content management system (CMS) underpinning your website, for example, will always be free from vulnerabilities and safe from cybercrime, but it is possible to ensure that your process for fixing vulnerabilities as they occur is slick and seamless.
We can see this is in action by looking at the critical vulnerability SA-CORE-2018-002, identified last month by the Drupal security team and quickly nicknamed Drupalgeddon 2. It’s a remote code execution vulnerability within multiple versions of Drupal Core which, in Drupal’s words, ‘potentially allows hackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised’. The vulnerability was quickly categorised by Drupal as ‘highly critical’ because of the ease with which attackers can leverage the vulnerability (they simply need to visit the relevant website), and the range and volume of data which can be compromised.
Without getting into too much technical detail, the vulnerability lies in the handling of Form API requests and affects all Drupal versions from 6 through 8.
What did Drupal, and the Drupal community, do about it?
This sounds like a grim picture. However, the key point to bear in mind is that platform and system vulnerabilities will always happen. Obviously, well-designed and well-maintained software should contain fewer vulnerabilities, but the fact that these latest versions of Drupal have been shown to be (partially) flawed doesn’t mean that no site should ever be built using Drupal again.
Rather, it’s the response that matters. And here the fact that Drupal is an Open Source platform, with a huge worldwide community of developers and enthusiasts, works, as ever, in its favour.
The Drupal security team, in partnership with the researchers who found the vulnerability, very rapidly analysed the issue, published appropriate patches and created a series of information pages instructing site owners on exactly what to do next. Indeed, the patches and releases occurred before any publicly known exploit, which puts developers and site owners at a huge advantage over cybercriminals. As this Twitter thread makes clear, there is actually a long list of factors illustrating just how well the whole process was handled.
Furthermore, with the European General Data Protection Regulation (GDPR) due to come into force on Friday, it’s worth reflecting on the fact that the new regulation forces organisations to communicate data breaches to their customers and other stakeholders as a matter of course, as well as providing frameworks within which cyber incidents must be managed. It’s heartening, then, to see the Drupal community managing this so well.
Our response at Ixis
Since we monitor and support over 200 live Drupal sites, we turned to our Support Lead, Matt Proffitt, to ask what he advises next. He said:
“The first step is to update to the newest possible version of Drupal. If you are running 7.x, upgrade to 7.58, and if you are running 8.5.x, upgrade to 8.5.1. These versions have patches inbuilt. If you are running 8.3.x or 8.4.x, there are patches available, but if you are running 8.2.x or earlier, you’ll need to update to a newer version before patching. Since sites that have already been compromised may now contain backdoors, once you’ve updated you still need to go back and investigate to establish whether you’ve been compromised, and then decide on a course of action from there.”
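The two steps in that advice, work out which release you are on and then look for signs of tampering, are easy to script. The following is an added example written for this article; it is not Ixis’s or Drupal’s own code. It assumes the places Drupal records its version (includes/bootstrap.inc for Drupal 7, core/lib/Drupal.php for Drupal 8), uses only the fixed versions named above (7.58 and 8.5.1), and for the integrity check assumes you have a pristine copy of the same release or your last known-good deployment to compare against. The sample version strings and file hashes are constructed for the demonstration.

```python
"""Post-advisory triage helper (added example, not Ixis's or Drupal's code).

Assumptions, not taken from the original article:
  - Drupal 7 records its version in includes/bootstrap.inc as
    define('VERSION', '7.58');  Drupal 8 records it in core/lib/Drupal.php
    as const VERSION = '8.5.1';
  - A pristine copy of the same release (or the last known-good deploy)
    is available on disk for the integrity comparison.
"""
import hashlib
import os
import re

# Fixed releases named in the advice above. Older 8.x branches need the
# separate patch, which does not change the VERSION constant.
FIXED_7 = (7, 58)
FIXED_8_5 = (8, 5, 1)

# Matches both define('VERSION', '7.58') and const VERSION = '8.5.1'.
VERSION_RE = re.compile(r"VERSION'?\s*[,=]\s*'(\d+(?:\.\d+)+)'")

CODE_EXTS = (".php", ".inc", ".module", ".install", ".theme")


def parse_version(source):
    """Return the Drupal version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(source)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def triage(version):
    """Map a parsed version onto the upgrade advice quoted above."""
    major = version[0]
    if major == 7:
        return "ok" if version >= FIXED_7 else "upgrade to 7.58"
    if major == 8:
        minor = version[1]
        if minor >= 5:
            return "ok" if version >= FIXED_8_5 else "upgrade to 8.5.1"
        if minor in (3, 4):
            return ("apply the 8.%d.x patch; patched state cannot be read "
                    "from VERSION, verify the patch is present" % minor)
        return "8.%d.x is too old: upgrade to a current 8.x before patching" % minor
    return "Drupal %d is affected; upgrade to a supported release" % major


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Relative path -> SHA-256 for every PHP-executable file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(CODE_EXTS):
                full = os.path.join(dirpath, name)
                out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def compare_hashes(site, pristine, ignore_prefixes=("sites/default/files",)):
    """Report code files that exist only on the live site, or that differ.

    Backdoors dropped after a compromise show up as 'added' (a new .php file,
    often in a writable directory) or 'modified' (a patched core/contrib
    file). Compare against your last known-good deploy rather than a bare
    tarball, otherwise every contrib and custom module appears as 'added'.
    """
    def ignored(p):
        return any(p.startswith(pre) for pre in ignore_prefixes)
    added = sorted(p for p in site if p not in pristine and not ignored(p))
    modified = sorted(p for p in site
                      if p in pristine and site[p] != pristine[p])
    return {"added": added, "modified": modified}


# Constructed samples: not real sites, used only to exercise the helpers.
SAMPLE_D7 = "define('VERSION', '7.57');"
SAMPLE_D8 = "const VERSION = '8.5.0';"

if __name__ == "__main__":
    for sample in (SAMPLE_D7, SAMPLE_D8):
        v = parse_version(sample)
        print(".".join(map(str, v)), "->", triage(v))
    # Real usage: compare_hashes(tree_hashes("/var/www/site"),
    #                            tree_hashes("/srv/known-good-release"))
```

Run the version part against the two files named above and the integrity part against your document root and a known-good checkout; anything in the "added" or "modified" lists that you cannot account for from your own deploy history is worth a closer look before you decide the site is clean.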
It's a timely reminder, then, of the importance of running the very latest version of all relevant software on your website, and applying patches and upgrades as soon as they become available. Keeping ahead of the cybersecurity curve relies on proactivity from within your organisation.