The Panama Papers leak, which occurred earlier this year, had the online community speculating whether poor security and Drupal bugs were to blame. Unrelated critical Drupal security patches released in July led some news outlets to draw parallels between today’s security issues and Drupalgeddon, the highly critical October 2014 update that fixed the vulnerability which may have been exploited in the Panama Papers hack.
When the leak occurred, Mossack Fonseca, the law firm affected by the hack, hadn’t updated its Drupal installation since 2013. That left the site exposed to the Drupalgeddon SQL injection vulnerability from the moment it was disclosed in October 2014; it was not a zero-day in the usual sense, since a fix was published with the advisory, but automated attacks against unpatched sites began within hours of the disclosure, so the window for applying the fix safely was very short.
The Panama Papers hack is a reminder of what can happen when you don’t maintain your website and apply the security updates it needs. It’s rare for Drupal to issue such critical security updates, but you still need to monitor and maintain your site so that it keeps running smoothly and stays protected.
Breaking Down the Recent Drupal Security Updates
There were two sets of highly critical security updates released in July. The first, affecting three community-contributed modules, was preceded by a public service announcement the day before, warning of the releases coming on July 13th. This drew comparisons with Drupalgeddon. However, the update did not touch Drupal core, so only sites running those modules were affected. Drupal recommends reviewing the published advisories to see whether any module used on your website was among them.
The second set of security updates released in July was for Guzzle, the third-party PHP library Drupal 8 uses to make outgoing HTTP requests from the server. Guzzle was affected by the “httpoxy” class of vulnerability: in CGI-style environments every request header is copied into an HTTP_-prefixed environment variable, so a client-supplied Proxy header arrives as HTTP_PROXY, which Guzzle read as the proxy setting for its own outgoing requests. An attacker who could send a single request to the site could therefore route the server’s outbound HTTP traffic through a proxy of their choosing and read or alter it in transit. According to Httpoxy.org, attackers would be able to:
- Direct the server to open outgoing connections to an address and port of their choosing
- Tie up server resources by forcing the vulnerable software to use a malicious proxy
Guzzle ships in Drupal 8 core, so every Drupal 8 installation was affected. Guzzle’s maintainers needed to update the library, and they coordinated with the Drupal Security Team so that a Drupal 8 core release carrying the fixed library could go out as soon as the library itself was updated, letting site administrators move to the secure version of Guzzle as quickly as possible. Drupal 7 core does not ship Guzzle and was not covered by this advisory, but the same class of bug can exist in any PHP library on the server that honours HTTP_PROXY, so the web-server-level blocking of the Proxy request header recommended by Httpoxy.org is worth applying regardless of Drupal version.
Duo was closely monitoring both security updates so that we could update our clients’ sites as soon as possible. Both were highly critical and needed to be addressed right away; whenever a highly critical issue is published, every client site has to be evaluated for exposure and updated as needed.
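To make the mechanism concrete, here is an added Python illustration; it is not Drupal or Guzzle code (Guzzle’s own fix lives in its PHP client class), and Python is used only because it shows the environment mapping compactly. The header names, the address 203.0.113.7 and the function names are constructed for the example. It models the CGI header-to-environment mapping, the pre-fix behaviour of trusting HTTP_PROXY, and the two mitigations Httpoxy.org recommends: ignore HTTP_PROXY while serving a web request, and drop the Proxy header at the edge.

```python
# Added example (not Drupal's or Guzzle's code): how a client-supplied
# "Proxy" request header becomes HTTP_PROXY under CGI/FastCGI, why trusting
# that variable is dangerous, and the two mitigations httpoxy.org recommends.
from typing import Dict, Mapping, Optional


def cgi_env_from_headers(headers: Mapping[str, str], method: str = "GET") -> Dict[str, str]:
    """Model the RFC 3875 header-to-environment mapping used by CGI and FastCGI.

    Each request header becomes HTTP_<NAME>, upper-cased with hyphens replaced
    by underscores, so the attacker-chosen header "Proxy: ..." lands in
    HTTP_PROXY, the very variable many HTTP clients read for their outbound
    proxy. REQUEST_METHOD is always present when a web request is being served.
    """
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def outbound_proxy_vulnerable(env: Mapping[str, str]) -> Optional[str]:
    """Pre-fix behaviour: honour HTTP_PROXY no matter where it came from."""
    return env.get("HTTP_PROXY") or None


def outbound_proxy_hardened(env: Mapping[str, str]) -> Optional[str]:
    """Library-side fix modelled on the httpoxy.org guidance.

    When a web request is being served (REQUEST_METHOD present), HTTP_PROXY
    is attacker-controlled and is ignored. The lowercase http_proxy cannot be
    set through a request header (CGI only produces upper-case HTTP_* names),
    so an operator-configured lowercase proxy keeps working in both contexts.
    """
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy") or None
    return env.get("HTTP_PROXY") or env.get("http_proxy") or None


def reject_proxy_header(headers: Mapping[str, str]) -> bool:
    """Edge-side mitigation: refuse any request that carries a Proxy header.

    There is no legitimate use for a client-sent Proxy header, so the web
    server or WAF can drop it outright. Header names are case-insensitive.
    """
    return any(name.lower() == "proxy" for name in headers)


if __name__ == "__main__":
    # Constructed request: 203.0.113.7 is a documentation-range address.
    attack = {"Host": "example.org", "Proxy": "http://203.0.113.7:8080"}
    env = cgi_env_from_headers(attack)
    print("HTTP_PROXY seen by the app:", env.get("HTTP_PROXY"))
    print("vulnerable client would use:", outbound_proxy_vulnerable(env))
    print("hardened client would use:  ", outbound_proxy_hardened(env))
    print("edge should reject request: ", reject_proxy_header(attack))
```

The hardened check keys on REQUEST_METHOD because that variable is guaranteed in a CGI environment and absent from a cron or command-line run, which is the one place an operator-set HTTP_PROXY should still be honoured.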
How Drupal Monitors Security Issues
As previously mentioned, it’s rare for a critical security vulnerability like the Guzzle issue or Drupalgeddon to come up, but when one does, it’s important to be prepared. In fact, since the SQL injection fix that became known as Drupalgeddon, there have been only two other highly critical Drupal security updates, the two released in July, and only the Guzzle one touched Drupal core.
Drupal has a dedicated Security Team that validates and responds to security issues. Drupal also has one of the largest professional service provider ecosystems and developer communities, which ensures a rapid response to any issue that comes up. The Security Team investigates reported problems and coordinates with core and contributed module maintainers to prepare and release fixes.
Organizations that use Drupal, like government entities, large corporations, and law firms, expect high security standards and help to test and improve its security. While Drupal prides itself on being open to the community, it has strong coding standards and community review; it’s not as easy as logging on to drupal.org and uploading a new contributed module.
Security patches are thoroughly reviewed through the issue queues. In addition to the standard code reviews, the Drupal Security Team audits core and contributed modules for issues that could otherwise slip through. The Security Team may withhold information while a fix is being prepared, but it does so to ensure that as few people as possible are exposed to any given vulnerability before a patch is available.
How Drupal Security Compares to Proprietary Software Security
If you keep your installation current and apply advisories promptly, you are unlikely to be caught out by a known Drupal vulnerability. Proprietary software, just like open source, has to ship updates to fix security issues; Adobe Experience Manager, for example, has had to issue a number of security advisories. A major benefit of open source security is greater transparency and more eyes on the code. Drupal has one of the largest open-source communities in the world, which helps to monitor, review, and respond to security threats.
Security flaws can often be found more quickly in open source software because the code base is open to the public. The more people reviewing and testing the code, the more likely flaws are to be caught and fixed quickly. Proprietary code is closed to public view, which often means that no one outside the vendor can provide insight into the bugs, security-related or otherwise, that it contains. Because proprietary software relies on a limited number of internal developers and quality assurance staff, finding bugs and patching vulnerabilities is likely to take longer.
Drupal’s Stringent Security Standards
Drupal compares favorably against other open-source platforms, like WordPress. There have been nine Drupal security updates released between October 2014 (Drupalgeddon) and today. In comparison, there were 11 WordPress security updates released during the same time.
Drupal abides by a variety of stringent security standards to help ensure the health of the platform.
Drupal stores account passwords as salted, iterated hashes rather than in plaintext or in reversibly encrypted form, so a database compromise does not directly yield the passwords, and password rules (length, complexity, expiry) can be enforced with contributed modules. Industry-standard authentication practices and many single sign-on systems are also supported.
Drupal can be configured, with contributed modules and database-level encryption, to encrypt sensitive stored data, which helps sites meet PCI, HIPAA, and state privacy requirements.
Preventing Malicious Data Entry
Drupal’s Form API validates submitted data, rejecting values that fail the form’s validation handlers before they reach the database. The database abstraction layer adds a second line of defence by binding values through placeholders instead of interpolating them into SQL, so a value that passes validation still cannot alter the structure of a query. (Drupalgeddon was a bug in exactly that placeholder handling, which is why core updates to this layer matter so much.)
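The two layers, a form-level allowlist and a parameterized query, shown side by side with the concatenated query they replace. This is an added Python example using sqlite3 on a constructed in-memory users table; it is not Drupal code, and the username pattern, table and sample rows are assumptions made for the demonstration.

```python
# Added example (not Drupal's code): form-layer validation plus a
# parameterized query, next to the string-concatenated query that lets an
# input value rewrite the SQL. Uses a constructed in-memory sqlite3 table.
import re
import sqlite3
from typing import List

# Constructed allowlist for the demo: letters, digits, dot, underscore, hyphen.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,60}$")


def make_db() -> sqlite3.Connection:
    """Create the constructed sample table: two active accounts, one blocked."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, status INTEGER)")
    db.executemany(
        "INSERT INTO users (name, status) VALUES (?, ?)",
        [("alice", 1), ("bob", 1), ("mallory", 0)],
    )
    return db


def validate_username(value: object) -> str:
    """Form-layer check: refuse anything outside the allowlist before it goes further."""
    if not isinstance(value, str) or not USERNAME_RE.match(value):
        raise ValueError("invalid username")
    return value


def lookup_vulnerable(db: sqlite3.Connection, name: str) -> List[int]:
    """String concatenation: the value becomes part of the SQL grammar."""
    sql = "SELECT uid FROM users WHERE name = '" + name + "' AND status = 1"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db: sqlite3.Connection, name: str) -> List[int]:
    """Placeholder binding: the value is data and can never change the query."""
    rows = db.execute(
        "SELECT uid FROM users WHERE name = ? AND status = 1", (name,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    injection = "x' OR 1=1 --"   # comments out the status filter in the unsafe query
    print("concatenated query returns:", lookup_vulnerable(db, injection))
    print("parameterized query returns:", lookup_parameterized(db, injection))
    try:
        validate_username(injection)
    except ValueError as exc:
        print("form layer rejected it first:", exc)
```

Note that the parameterized lookup is safe even without the allowlist; the allowlist is what keeps garbage out of the database and the audit log, while the placeholder is what keeps the query intact. Both layers are needed, because a validation rule that is later relaxed must not turn into an injection.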
Brute Force Password Detection
Drupal protects against password-guessing attacks with its flood control system, which limits the number of failed login attempts from a single IP address, and separately against a single account, within a time window (Drupal 7’s defaults are 50 failed attempts per IP per hour and 5 per account per six hours). Once a limit is reached, further attempts are rejected until the window expires, and the limits can be tuned per site.
Stopping Denial of Service Attacks
OWASP Top 10 Risks
Drupal includes features that address all of the Open Web Application Security Project’s top ten security risks.
Protecting Your Users From the Chaos of Getting Hacked
At Duo, we continually monitor for new Drupal security releases. Being among the first to know lets us update our clients’ sites as quickly as possible, which spares them unnecessary downtime and the exposure of user and customer data.