CLAMP Security Alert: Course Backup Flaw

Recently, announced a security advisory about a potential vulnerability involving course backups. The specifics of this vulnerability were included in an email to Moodle server admins, but in a nutshell, when doing full course backups, Moodle backs up local users and their passwords.

These passwords are MD5 encrypted, but recent changes in the code cracking landscape mean that it’s a lot easier to break these passwords than it used to be. Most CLAMP schools don’t use local authentication in Moodle, instead relying on external authentication like LDAP and not storing passwords in the Moodle database, but this can still be a problem for any locally-created accounts.

In addition to local user passwords potentially being easily crack-able, another danger not mentioned in the original email is that Moodle <=1.9.6 includes the admin account and its MD5-encrypted password when it does its a “full course” backup (one that includes course and user data). In addition, in Moodle 1.9.5 and 1.9.6, anyone with the administrator role will be included in these backups, regardless of whether they were a member of the course in question.

Because of this, CLAMP recommends that schools implement the steps below and then audit your admin and other local accounts to make sure that a) they’re still needed and b) they have new strong passwords.

Moodle 1.9.7 includes new roles capabilities that separate the ability to backup a course from the ability to back up course data. It also prevents administrators from being included in the course backup. We will be folding Moodle 1.9.7 into the Liberal Arts Edition during Moodle Hack/Doc Fest V and will release LAE 1.1 with this and other 1.9.7 enhancements in early January.

Recommended Steps

1) Disable backup functionality for teacher roles. You can re-enable backups later with the new Moodle releases, because the permissions for saving user data will be separate from the permission to create backups.

HOW:  Admin > Users > Permissions > Define roles:  Edit the teacher roles and change the capability for moodle/site:backup to “PROHIBIT”.

Disabling backups is a temporary fix; Moodle core is supposed to be releasing a Moodle 1.9.7 update that fixes these backup issues. When they do so, CLAMP will release its own patch for its Moodle: Liberal Arts Edition.

If you can’t disable backups, then you should still take the following steps:

2) Turn on the Password Policy for your site, which forces people to use stronger passwords.

HOW:  Admin > Security > Site policies > passwordpolicy

Note: this only affects local users, not externally authenticated users.

3) Add a “salt” to the MD5 password encryption that makes it harder to crack.

HOW: Add this line to your Moodle installation’s config.php file:

$CFG->passwordsaltmain = ‘some long random string here with lots of characters’;

4) Change your admin passwords and makes sure that the password is a strong one.

5) Verify that Moodle is not caching your external authentication passwords. If you are using LDAP, the process is:

HOW: Login as an admin, go to Users > Authentication > LDAP Authentication and make sure “Hide passwords” is set to “yes”. If you’re making the change now, you’ll need to update your Moodle database manually to clear the cached passwords by setting the “password” field in the mdl_user database to “not_cached”.

6) Patch Moodle to fix the admin backup problem.

If you wish to restore the backup capability and want to ensure that admins are not incldued in the course backup, apply the LAE 1.0.2 admin backup patch (which prevents the inclusion of non-enrolled admins in the course backup). To apply the patch on a Unix system:

  • Unzip the file and upload the patch to your [moodle directory]/backup/ directory
  • Run patch:
    • patch -p0 < LAE102-admin-backup.patch

Be sure to test this on a development site before doing it on a production box.

Usability Testing Accounts

If you participated in the Moodle usability test project in the spring, we recommend that you delete or create strong passwords for local accounts created as part of that project.

1) Joe Faculty (joefaculty)
2) Joe Student (joestudent)
3) Jill Student (jillstudent)

and potentially

4) Admin User (admin)

This is not a true admin account; it’s just a local account without any rights or roles on your system, created because of the way Moodle’s been doing backups.

If your admin account is called admin, then you don’t need to deal with this; Moodle ignores the course’s “admin” user in favor of your own local admin user.