Updating software is important, but it's the third-party add-ons that get servers pwned. No component -- theme, plugin, or module -- is too small.
Canonical, the commercial vendor behind Ubuntu Linux, has disclosed a security breach where an unknown adversary accessed the database powering the Ubuntu support forums and obtained usernames, passwords, and IP addresses of two million users. Canonical used vBulletin, a popular web forum software, and while it appears the core installation was regularly updated, some add-ons were not.
The attacker gained access via a SQL injection vulnerability in Forum Runner, a vBulletin add-on. The flaw had already been fixed in a newer version of Forum Runner, but the team had not updated the add-on at the time of the attack.
"Deeper investigation revealed that there was a known SQL injection vulnerability in the Forum Runner add-on in the forums which had not yet been patched. The attacker had the ability to inject certain formatted SQL to the forums database on the forums database servers," Jane Sibler, CEO of Canonical, wrote in the security advisory posted on the Ubuntu website.
Using popular software frees administrators up from supporting custom code. If a software package covers the features the organization is looking for, and a third-party team has put together a module that extends the application with extra functionality, then there's no reason to write a brand-new application from scratch.
That convenience comes with a cost, though. A single vulnerability in the application would affect a larger number of users; the more popular the software, the bigger the victim pool.
Keeping software updated sounds so simple, but as recent attacks show, there are many applications that are running vulnerable software. The Ubuntu forums aren't the only sites affected. Just last month, attackers hit VerticalScope, which operates online communities and forums, and stole credentials for 40 million users by exploiting outdated vBulletin software. It's believed that whoever stole the legal documents as part of the Panama Papers breach exploited vulnerabilities in an unpatched version of Drupal.
Missing an outdated plugin is unfortunate, but there's a good security lesson here. Though the attacker was able to inject formatted SQL into the forums database and read from any table, the security team believes only the user table was accessed. Even though the user table contained passwords, they were stored as MD5 hashes and not plain-text strings.
More important, the passwords had been encrypted with per-user cryptographic salt, making the hashes more difficult for attackers to decode. While it's good practice to change passwords after a breach and never reuse them on other sites, since Canonical relied on Ubuntu Single Sign On for logins and used a random salt, the attackers are less likely to gain access to individual user passwords -- not impossible, but harder.
Canonical also responded promptly, as it was notified on July 14 by a member of the Ubuntu Forums Council that someone was claiming to have a copy of the forums database. The information security team took the site down after confirming the breach, took all the forums servers and "wiped them clean and rebuilt them from the ground up." This way, the team ensured any code the attacker may have left behind was removed.
All updates for vBulletin has been applied, and "we've improved our monitoring of vBulletin to ensure that security patches are applied promptly," Silber wrote.
The attacker was not able to access the code for the Ubuntu operating system, the update mechanism, or any of the code repositories. This is critical, since if someone had tampered with the code in the repositories, that would affect anyone who had recently used the update mechanism. A similar situation arose earlier in the year when Linux Mint discovered someone had tampered with the software ISO on its servers.
Silber said the security team believes the attacker was not able to escalate beyond remote SQL read access to gain remote SQL write access, shell access to the Forums database, shell access to the Forums servers, or to any other Canonical or Ubuntu services. The company has reset all system and database passwords as precaution, and installed ModSecurity, an open source WAF (web application firewall).
Configuring a WAF lets administrators limit the risks of potential SQL injection attacks even if the underlying application has the vulnerability. Even if there's another application with a SQL injection vulnerability, a properly configured WAF can potentially prevent an attacker trying to exploit the flaw, buying administrators some time to catch up on their patching program.
Website administrators should always make sure to keep their content management systems up to date, including all third-party add-ons, themes, and components. Other defensive layers, such as deploying and configuring WAF, ensuring proper password hygiene, and using correct permission and privilege levels help prevent attacks from causing more damage. A defender simply needs to make a single mistake to let an attacker in, but if there are other traps and alarms in place, the attacker won't be able to do much even inside.