Some vulnerabilities in open source components just never seem to go away, even long after a fix has been issued.
Dubbed “Drupalgeddon 2.0”, the vulnerability in the popular content management system (CMS) Drupal continues to leave many of its users exposed, despite having been reported back in March.
A report in June noted that upwards of 115,000 Drupal sites were believed to still be vulnerable because organizations had failed to apply the fix. Many organizations, ranging from large corporations to universities, use Drupal to manage the content on their websites.
A remote code execution vulnerability, CVE-2018-7600 allows attackers to make unauthorized changes to the target’s web content. While some of the websites that have had their Drupal components hacked have been turned into unwitting cryptocurrency miners using tools like Coinhive, there is a much larger concern that attackers could compromise the integrity of their content.
In some cases they could choose to post offensive content to damage their victims or even delete their posts. What is far more concerning, however, is the potential to make changes to existing content, violating the integrity of the content on the target’s website. Should such an attack occur, it could harm the victim’s reputation or worse.
The fact that the Heartbleed vulnerability, which was found in the popular OpenSSL cryptographic library back in April of 2014, is still present in so many applications is not a promising sign that the industry is likely to be any better at patching the Drupal vulnerability anytime soon.
Even following the massive breach of Equifax last year, which led to the theft of over 145.9 million records containing personally identifiable information, it appears that many organizations have failed to patch. A report from last month showed that hackers are still attempting to exploit that vulnerability with malicious scripts, looking for a payday on an exploit that should have been at the top of everyone’s list to remediate.
Given the risk, why have so many organizations neglected to apply the necessary fix?
At the core of this failure to implement the patch for Drupal is a general mismanagement of open source component usage by far too many in the software industry. Open source components are the libraries and frameworks that are written and maintained by the open source community. Helping developers to work faster, they now comprise between 60 and 80% of the code in modern applications.
However with great power comes responsibility, and organizations that are using open source components have an obligation to protect them. The good news is that the open source community is actually pretty great at uncovering vulnerabilities and providing fixes. As consumers of open source code, we need to trust and work with the community, but more importantly for this system to work, we need to actually implement the patches when they become available.
The problem for many organizations is that they are not properly tracking which open source components they are using in their products, and therefore do not make the fixes when their code is under threat.
Thankfully there are technologies available like Software Composition Analysis (SCA) solutions which can help manage and secure open source components, providing organizations with visibility over what they are using, alerts when new vulnerabilities are discovered, and even helpful suggestions on how to make the fix.
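As an added example (not code from the original article or from any SCA vendor), the following Python script shows the kind of inventory check such tools automate: it reads a constructed composer.lock-style manifest, finds the Drupal core package, and compares its version against the first fixed release of each branch for CVE-2018-7600. The fixed-version numbers are assumed from memory of the vendor advisory and should be verified against Drupal's own security advisory before use.

```python
import json

# Constructed composer.lock-style fragment (sample data, not from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "8.5.0"},
        {"name": "symfony/http-foundation", "version": "3.4.8"},
    ]
})

# First fixed release per supported Drupal core branch for CVE-2018-7600.
# ASSUMPTION: values recalled from the vendor advisory; verify before relying on them.
FIXED_FOR_CVE_2018_7600 = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

def parse_version(text):
    """Turn '8.5.0' (or '8.5.0-dev', 'v7.57') into a tuple of ints for comparison."""
    core = text.lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))

def is_vulnerable(version):
    """True if the version predates its branch's fix, False if fixed, None if unknown."""
    v = parse_version(version)
    if v[0] == 7:
        return v < FIXED_FOR_CVE_2018_7600[(7,)]
    if v[0] == 8:
        branch = v[:2]
        if branch in FIXED_FOR_CVE_2018_7600:
            return v < FIXED_FOR_CVE_2018_7600[branch]
        # 8.0-8.2 were end-of-life and received no fix: still exposed.
        return branch < (8, 3)
    return None  # other majors: needs manual review

def audit_lock(lock_text):
    """Return [(name, version, status)] for every Drupal core entry in the manifest."""
    findings = []
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "drupal/core":
            status = is_vulnerable(pkg["version"])
            findings.append((pkg["name"], pkg["version"], status))
    return findings

if __name__ == "__main__":
    for name, version, status in audit_lock(SAMPLE_LOCK):
        label = {True: "VULNERABLE", False: "fixed", None: "unknown"}[status]
        print(f"{name} {version}: {label} (CVE-2018-7600)")
```

The same comparison generalizes to any advisory that publishes per-branch fixed versions, which is exactly the data an SCA tool keeps current on your behalf.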
At the end of the day though, it is still up to every organization to make sure that they are keeping their software updated and implementing patches when vulnerabilities like Drupalgeddon 2.0 threaten their products.