Canonical also responded promptly: it was notified on July 14 by a member of the Ubuntu Forums Council that someone was claiming to have a copy of the forums database. The information security team took the site down after confirming the breach, took the forums servers offline, and "wiped them clean and rebuilt them from the ground up." This way, the team ensured any code the attacker may have left behind was removed.
All updates for vBulletin have been applied, and "we've improved our monitoring of vBulletin to ensure that security patches are applied promptly," Silber wrote.
The attacker was not able to access the code for the Ubuntu operating system, the update mechanism, or any of the code repositories.
This is critical, since if someone had tampered with the code in the repositories, that would affect anyone who had recently used the update mechanism. A similar situation arose earlier in the year when Linux Mint discovered someone had tampered with the software ISO on its servers.
Silber said the security team believes the attacker was not able to escalate beyond remote SQL read access to gain remote SQL write access, shell access to the Forums database, shell access to the Forums servers, or access to any other Canonical or Ubuntu services. The company has reset all system and database passwords as a precaution, and installed ModSecurity, an open source WAF (web application firewall).
Configuring a WAF lets administrators limit the risk of SQL injection attacks even when the underlying application still has the vulnerability. If another application turns out to have a SQL injection flaw, a properly configured WAF can block the requests an attacker sends to exploit it, buying administrators some time to catch up on their patching program.
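As an added illustration of what "properly configured" means for the WAF named above, here is a minimal ModSecurity 2.x configuration for Apache, written for this page and not taken from Canonical's deployment; the rule id and the audit log path are assumptions, and the commented-out `DetectionOnly` line shows the weak, log-only setting beside the blocking one:

```apache
# Added example of a minimal ModSecurity 2.x (Apache) configuration.
# Not Canonical's actual setup; rule id and log path are assumptions.

# Weak starting point: DetectionOnly logs matches but blocks nothing.
# It is useful for tuning rules against real traffic, but it buys no
# time against someone exploiting an unpatched SQL injection flaw.
# SecRuleEngine DetectionOnly

# Hardened setting: requests that match a deny rule are blocked.
SecRuleEngine On

# Inspect POST bodies as well as the query string; otherwise injection
# attempts in form fields pass through unexamined.
SecRequestBodyAccess On

# Default action for rules that set none of their own: log and deny
# in phase 2 (request body phase, once all parameters are available).
SecDefaultAction "phase:2,log,deny,status:403"

# Generic SQL injection check using the libinjection-based @detectSQLi
# operator over parameter values, parameter names and cookies.
# Rule id 100001 is an assumed local id; pick an unused one.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@detectSQLi" \
    "id:100001,phase:2,t:none,t:urlDecodeUni,\
     msg:'SQL injection attempt detected',severity:'CRITICAL'"

# Keep full audit records only for transactions that were denied or
# errored, so a blocked attempt is visible to responders.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLog /var/log/apache2/modsec_audit.log
```

A WAF tuned this way complements, rather than replaces, applying the vendor patch: the rule catches common injection syntax, but the application code remains the place the flaw actually lives.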
Website administrators should always make sure to keep their content management systems up to date, including all third-party add-ons, themes, and components.
Other defensive layers, such as deploying and configuring a WAF, ensuring proper password hygiene, and using correct permission and privilege levels, help prevent attacks from causing more damage. A defender only needs to make a single mistake to let an attacker in, but if other traps and alarms are in place, the attacker won't be able to do much even once inside.