Advisory October 17, 2014

Critical vulnerability on Drupal 7

Today a vulnerability was disclosed under CVE-2014-3704 / SA-CORE-2014-005 on the Drupal <7.32 that allows an unauthenticated attacker to execute arbitrary SQL.

The Proof of Concept was disclosed and involved the SQL update of the user with UID=1 (admin).

Where is this based?

It exists (ed) in the Drupal core. Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution.
This is another example of bypassing security, exploiting the security measures themselves.

What is affected?

All the Drupal installation prior to 7.32, thus at the time of this writing, your installation may be vulnerable to attack too.

What is to be done?

Immediately request the Drupal admin to update to 7.32  If it is not possible immediately apply the patch there:

How Obrela Security Industries protects their Clients from the threat?

The exploitation vector is SQL injection, thus all our Web Application Firewall protected our clients at any time. Our SIEM engine were enhanced at zero time with Correlation Rules specific to the situation. Due to the fact that the explotation vector lies in POST data and most Web Server logs do not contain them, excessive abnormality behavior metrics were forced in the engine to measure based on /?q=node&destination=node /?q=user /user and multiple other entry points.

DBMS correlation was also tightened with respect to their verbosity, as the batched queries executed are very easy to spot if e.g. UPDATA, EXEC logging is performed.