Drupalgeddon: how Calibrate handled Drupal security updates

At Calibrate, the security of our websites is central. In addition to building websites, we also ensure - through regular maintenance - that every site remains in tip-top shape. Regular maintenance also includes timely intervention when a security release comes out.

Security releases are issued by the Drupal Security team, a group of volunteers who monitor the security of Drupal. Drupal is an open source content management system used on millions of websites worldwide. Over the last few weeks this team has discovered 2 major security vulnerabilities in all recent versions of this popular CMS. In order to give companies and institutions enough time to update their websites, both security releases were announced in advance by a so-called Security Public Service Announcement (PSA).

Announcing a security release in advance is exceptional: security releases normally take place during so-called "release windows", a pre-defined period of time (for Drupal, this is usually the third Wednesday of each month). This allows users of Drupal to free up time and intervene in a timely manner when a release occurs.

For the 2 leaks found, there were two deviations from these standard release windows. Deviations from these fixed times only occur for critical bugs, or in the case of "exploits in the wild". The latter means that there are already documented cases of malicious abuse, so it is crucial to secure all sites as soon as possible. In both cases, the security team also clearly indicated that the bugs were critical.

The information on the imminent release was limited to what was mentioned in both announcements. However, it contained a number of important points on which we were able to work.

• The release would be provided as one or more patches. A patch is a file that can be used to easily modify existing code.
• No "database updates" were required after the release. Database updates change the structure or existing data. However, performing database updates takes more time, and involves additional risks and work.

In order to be able to update all our websites as soon as possible after the release, we put our heads together in the week before the first security release to draw up an action plan. For all sites that are hosted "internally", Calibrate developed a tool to automatically update all code at the push of a button. For sites of customers that are not hosted with us, a roadmap was drawn up in order to be able to carry out the update manually, quickly and in a coordinated manner.

On Wednesday 28 March and Wednesday 25 April, our developers and system administrators were on standby from 6 p.m. at our 3 locations (Ghent, Antwerp and Leuven) to update all websites managed by us immediately after the releases were released.

It was only in the aftermath of both releases that the importance of these efforts became clear. The sealed leaks concerned a "Remote Code Execution" problem, in which an attacker can have a piece of code executed on the server on which that website is located via a simple request to the website. In this way, the attacker can gain access to that website and the server.

Currently, botnets are already widely used to attack existing (not up to date) Drupal sites, and to exploit security vulnerabilities (renamed Drupalgeddon2). For example, Dries Buytaert, original developer of Drupal and current CTO of Acquia, reported more than 20,000 attacks per hour on Drupal websites hosted on the Acquia platform.

Thanks to rapid intervention by our team, you don't have to worry about this. 

Calibrate keeps its finger firmly on the pulse when it comes to the security of your website!

Read more:

• Drupal 7 and 8 core critical release on April 25th, 2018 PSA-2018-003
• Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004
• FAQ about SA-CORE-2018-002
• Drupal users take cover—code-execution bug is being actively exploited [updated]