Drupal sites remain outdated, exposed to this severe bug

May 31, 2016 22:20 GMT

Nineteen months after being discovered and patched, CVE-2014-3704, a critical Drupal security vulnerability, is still being exploited on a daily basis to compromise Drupal sites.

CVE-2014-3704 affects all Drupal 7.x installations prior to version 7.32. It is an SQL injection vulnerability in Drupal's database abstraction layer that lets an attacker escalate privileges and ultimately execute code on the server.

Sucuri, a company that provides Web-based security products, says it still detects this vulnerability in the compromised sites it cleans every day.

In spite of the fact that the Drupal project reached version 8 this winter, most webmasters have failed to update and are vulnerable to this bug, which security researchers nicknamed Drupalgeddon due to its severity. When the Drupal core team announced it, they said in a statement that webmasters "should proceed under the assumption that every Drupal 7 website was compromised."

Unfortunately, Sucuri's report once again demonstrates how many targets outdated Drupal sites provide, and how little attention the webmasters of those servers pay to security updates.

CVE-2014-3704 used in the Panama Papers breach, recent ransomware campaigns

The Drupalgeddon bug was recently used in a ransomware campaign targeting Drupal websites, and it was also at the core of the recent Panama Papers breach, where it allowed a hacker to steal files from the Mossack Fonseca document server, which ran on an unpatched Drupal installation.

Sucuri says that in the most recent wave of attacks it detected, hackers used automated scripts to scan for vulnerable Drupal sites and then deployed the SQL injection bug to create an admin account on the vulnerable Drupal servers.

These admin accounts usually go by the names Derevos, Holako, or Mr.R00t2_404, and attackers use them to access the site, either manually or via another automated script.
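The two facts above give a site owner something concrete to check: whether the installed Drupal 7 core is older than the 7.32 fix, and whether the users table contains administrator accounts that were not there before. The following script is an added example written for this article, not code from Sucuri or the Drupal project. It parses the VERSION define from Drupal 7's includes/bootstrap.inc (a real file and constant in Drupal 7; the sample text and user rows below are constructed), compares it against 7.32, and flags accounts that either match the usernames reported by Sucuri or hold the administrator role but were created after a baseline date the operator chooses.

```python
import re

# Usernames Sucuri reports for the rogue admin accounts (from the article).
ROGUE_USERNAMES = {"derevos", "holako", "mr.r00t2_404"}

# First Drupal 7 release that fixes CVE-2014-3704 (SA-CORE-2014-005).
FIXED_VERSION = (7, 32)

# Drupal 7 declares its version in includes/bootstrap.inc as
# define('VERSION', '7.31'); this regex extracts the number.
VERSION_RE = re.compile(r"define\('VERSION',\s*'([0-9]+)\.([0-9]+)'\)")

# Constructed excerpt of a Drupal 7 includes/bootstrap.inc.
SAMPLE_BOOTSTRAP_INC = """<?php
/**
 * The current system version.
 */
define('VERSION', '7.31');
"""

# Constructed export of the users table joined with role names.
# 'created' is a Unix timestamp, as in Drupal's users table.
SAMPLE_USERS = [
    {"uid": 1, "name": "admin", "created": 1380000000, "roles": ["administrator"]},
    {"uid": 12, "name": "editor", "created": 1420000000, "roles": ["authenticated user"]},
    {"uid": 57, "name": "Derevos", "created": 1463700000, "roles": ["administrator"]},
    {"uid": 58, "name": "backup_admin", "created": 1464000000, "roles": ["administrator"]},
]

# Constructed: the last time the admin roster was reviewed and known good.
BASELINE_TS = 1460000000


def parse_drupal7_version(bootstrap_inc_text):
    """Return (major, minor) from the VERSION define in includes/bootstrap.inc."""
    match = VERSION_RE.search(bootstrap_inc_text)
    if not match:
        raise ValueError("no VERSION define found in bootstrap.inc text")
    return int(match.group(1)), int(match.group(2))


def is_vulnerable_to_drupalgeddon(version):
    """True for any Drupal 7.x core older than 7.32; other majors are out of scope."""
    return version[0] == 7 and version < FIXED_VERSION


def find_rogue_admins(rows, baseline_ts):
    """Flag accounts with a known rogue username, or admins created after the baseline."""
    findings = []
    for row in rows:
        name = row["name"].lower()
        is_admin = "administrator" in row["roles"]
        if name in ROGUE_USERNAMES:
            findings.append((row["uid"], "known rogue username"))
        elif is_admin and row["created"] > baseline_ts:
            findings.append((row["uid"], "administrator created after baseline"))
    return findings


def audit_site(bootstrap_inc_text, rows, baseline_ts):
    """Combine the version check and the account review into one report."""
    version = parse_drupal7_version(bootstrap_inc_text)
    return {
        "version": version,
        "vulnerable_core": is_vulnerable_to_drupalgeddon(version),
        "suspicious_accounts": find_rogue_admins(rows, baseline_ts),
    }


if __name__ == "__main__":
    report = audit_site(SAMPLE_BOOTSTRAP_INC, SAMPLE_USERS, BASELINE_TS)
    print("Drupal core %d.%d, vulnerable: %s" % (*report["version"], report["vulnerable_core"]))
    for uid, reason in report["suspicious_accounts"]:
        print("  uid %d: %s" % (uid, reason))
```

On a real site the users export would come from the site's own database and the baseline from the operator's change records; a clean version check on its own is not sufficient, since the article's point is that a site patched late may already carry an attacker-created admin account and SEO spam from before the update.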

Sucuri says that attackers usually leave behind SEO spam in order to poison search engine rankings and search results, giving fake reputation boosts.

Old and unpatched vulnerabilities also affect WordPress: Sucuri reports that attackers still prefer a four-year-old vulnerability in the TimThumb plugin to compromise WP sites.

[Image: Many Drupal sites remain vulnerable to the Drupalgeddon bug]

[Image: Attacks using CVE-2014-3704 exploits]