Updating software is important, but it's the third-party add-ons that get servers pwned. No component -- theme, plugin, or module -- is too small.
Canonical, the commercial vendor behind Ubuntu Linux, has disclosed a security breach where an unknown adversary accessed the database powering the Ubuntu support forums and obtained usernames, passwords, and IP addresses of two million users. Canonical used vBulletin, a popular web forum software, and while it appears the core installation was regularly updated, some add-ons were not.
The attacker gained access via a SQL injection vulnerability in Forum Runner, a vBulletin add-on. The flaw had already been fixed in a newer version of Forum Runner, but the team had not updated the add-on at the time of the attack.
"Deeper investigation revealed that there was a known SQL injection vulnerability in the Forum Runner add-on in the forums which had not yet been patched. The attacker had the ability to inject certain formatted SQL to the forums database on the forums database servers," Jane Sibler, CEO of Canonical, wrote in the security advisory posted on the Ubuntu website.
Using popular software frees administrators up from supporting custom code. If a software package covers the features the organization is looking for, and a third-party team has put together a module that extends the application with extra functionality, then there's no reason to write a brand-new application from scratch.
That convenience comes with a cost, though. A single vulnerability in the application would affect a larger number of users; the more popular the software, the bigger the victim pool.
Keeping software updated sounds so simple, but as recent attacks show, there are many applications that are running vulnerable software. The Ubuntu forums aren't the only sites affected. Just last month, attackers hit VerticalScope, which operates online communities and forums, and stole credentials for 40 million users by exploiting outdated vBulletin software. It's believed that whoever stole the legal documents as part of the Panama Papers breach exploited vulnerabilities in an unpatched version of Drupal.
Missing an outdated plugin is unfortunate, but there's a good security lesson here. Though the attacker was able to inject formatted SQL into the forums database and read from any table, the security team believes only the user table was accessed. Even though the user table contained passwords, they were stored as MD5 hashes and not plain-text strings.
More important, the passwords had been encrypted with per-user cryptographic salt, making the hashes more difficult for attackers to decode.
While it's good practice to change passwords after a breach and never reuse them on other sites, since Canonical relied on Ubuntu Single Sign On for logins and used a random salt, the attackers are less likely to gain access to individual user passwords -- not impossible, but harder.
Sign up for Computerworld eNewsletters.