DNN Community Blog

The Community Blog is a personal opinion of community members and by no means the official standpoint of DNN Corp or DNN Platform. This is a place to express personal thoughts about DNNPlatform, the community and its ecosystem. Do you have useful information that you would like to share with the DNN Community in a featured article or blog? If so, please contact community@dnnsoftware.com.

 


Oracle Padding Vulnerability in ASP.NET

Earlier this week, news surfaced about a possible security vulnerability in the default encryption mechanism used to protect the cookies normally used to implement Forms Authentication in Microsoft ASP.NET. 

A couple of security ‘researchers’, Thai Duong and Juliano Rizzo, publicly claimed that their attack could ‘compromise’ millions of applications that are built on the ASP.NET platform.  One of them even did a Twitter post asking for which ASP.NET application should be used as a demonstration, and given our reputation as the most widely deployed web application for ASP.NET, DotNetNuke was chosen as the "lucky" target.

Utilizing the extremely limited information which was provided, the DotNetNuke Security Team led by Cathal Connolly and Brandon Haynes immediately set to work trying to pinpoint the attack vector and determine the magnitude and severity of the vulnerability. Unfortunately, the lack of technical details and tools made it impossible to reproduce the issue. Initially we even suspected that DotNetNuke may be immune because of our default configuration settings; however this later proved to be incorrect ( Cathal managed to get in touch with the ‘researchers’ directly and they confirmed DotNetNuke was vulnerable but were unwilling to share details ). Regardless by mid-day Friday, Brandon and Cathal had come up with a few potential solutions which they felt would theoretically mitigate the ASP.NET forms authentication vulnerability. But rather than rush out a solution to a problem which was not yet fully defined, we decided it would be wise to wait for more details to emerge. On Friday afternoon we were contacted by a program manager from Microsoft Vulnerability Research (MSVR) who provided us with a few more details and assured us that Microsoft was taking the issue very seriously and would keep us in the loop.

Late Friday afternoon, in a security conference in Buenos Aires, Argentina, the security ‘researchers’ demonstrated how to exploit the vulnerability, using DotNetNuke as the target application. They created a YouTube video of the steps involved, and even threw 3 pen drives containing the tools to accomplish this exploit into the crowd.

We take the privacy of our users very seriously, and based on the potential threat that this vulnerability demonstrated to our community, we decided to take immediate and extreme action. We took our main websites offline, including www.dotnetnuke.com. Such drastic action obviously has an effect on our business, but we thought it was the safest approach as we needed some time to fully assess the severity of the situation. We did not expect that the sites would need to be down for an extended period, as we had faith that Microsoft would move quickly to issue a workaround.

The actual exploit utilized a few techniques which nobody had previously anticipated. But once the details were out in the open, it was then possible to come up with an effective mitigation strategy. Microsoft moved quickly to make information available to the community - in fact many of the principals in the Web Platform & Tools team, including Scott Guthrie himself, were up almost all night providing feedback and working in real-time to provide utilities to expedite the patching of affected systems ( I know this because I am on the ASPInsiders mailing list and there was plenty of activity from 1AM - 5AM PST this morning ).

The official advisory can be viewed at:

http://www.microsoft.com/technet/security/advisory/2416728.mspx

And a more understandable version written by Scott Guthrie can be viewed at:

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

Cathal has posted a detailed blog on how to apply a workaround to ensure your DotNetNuke web sites are protected immediately.

http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2798/ASP-NET-Security-Vulnerability-workaround-for-DotNetNuke-sites.aspx

We have already followed these workaround steps for our own web properties and brought them back on-line early Saturday morning. We encourage other folks to do the same ( Microsoft will likely push out a server level patch at some point in the future through Windows Update but the exact timing is still not known ).

We will also be expediting the release of a 5.5.1 version this week which will include the patch as well as a seamless upgrade mechanism to ensure your web assets are protected. We will also create a utility which would enable people to apply the patch on legacy versions without requiring an upgrade to the latest DotNetNuke product - however this should utilized with caution as the only way to be assured of the integrity of your site is to keep up with all security patches.If you do not feel comfortable making technical changes such as this to your sites, there is also the ability to opt for a commercial edition of DotNetNuke , where our expert support technicians can provide direct assistance.

We appreciate your patience and will keep you informed as further information becomes available.

Comments

Comment Form

Only registered users may post comments.

NewsArchives


Aderson Oliveira (3)
Alec Whittington (11)
Alex Shirley (10)
Andrew Nurse (30)
Anthony Glenwright (5)
Antonio Chagoury (28)
Ash Prasad (13)
Benjamin Hermann (25)
Benoit Sarton (9)
Beth Firebaugh (3)
Bill Walker (36)
Bob Kruger (5)
Brice Snow (1)
Bruce Chapman (9)
Bryan Andrews (1)
cathal connolly (52)
Charles Nurse (157)
Chris Hammond (197)
Chris Paterra (55)
Clinton Patterson (25)
Cuong Dang (21)
Daniel Bartholomew (2)
Daniel Mettler (17)
Dave Buckner (2)
Doug Howell (11)
Erik van Ballegoij (30)
Ernst Peter Tamminga (66)
Geoff Barlow (2)
Gifford Watkins (3)
Gilles Le Pigocher (3)
Ian Robinson (7)
Israel Martinez (17)
Jan Blomquist (2)
Jan Jonas (1)
Jaspreet Bhatia (1)
Jenni Merrifield (6)
Joe Brinkman (234)
John Mitchell (1)
Jon Henning (14)
Jonathan Sheely (3)
Jordan Coopersmith (1)
Keivan Beigi (3)
Ken Grierson (10)
Kevin Schreiner (6)
Leigh Pointer (31)
Lorraine Young (60)
Matthias Schlomann (15)
Mauricio Márquez (5)
Michael Doxsey (7)
Michael Tobisch (1)
Michael Washington (202)
Mike Horton (19)
Mitchel Sellers (28)
Nathan Rover (3)
Navin V Nagiah (14)
Néstor Sánchez (31)
Nik Kalyani (14)
Patrick Santry (3)
Peter Donker (50)
Philip Beadle (135)
Richard Dumas (22)
Robert J Collins (5)
Roger Selwyn (8)
Ruben Lopez (1)
Ryan Martinez (1)
Salar Golestanian (4)
Sanjay Mehrotra (9)
Scott McCulloch (1)
Scott S (11)
Scott Willhite (97)
Sebastian Leupold (76)
Shaun Walker (237)
Shawn Mehaffie (17)
Stefan Cullmann (12)
Stefan Kamphuis (12)
Steve Fabian (31)
Timo Breumelhof (24)
Torsten Weggen (1)
Vicenç Masanas (27)
Vincent Nguyen (3)
Vitaly Kozadayev (6)
Will Morgenweck (36)
Will Strohl (140)
William Severance (5)

Copyright 2014 by DNN Corp | Terms of Use | Privacy | Design by Parker Moore Design