DNN Community Blog

Do you have useful information that you would like to share with the DNN Community in a featured article or blog? If so, please contact community@dnnsoftware.com.

 


Oracle Padding Vulnerability in ASP.NET

Earlier this week, news surfaced about a possible security vulnerability in the default encryption mechanism used to protect the cookies normally used to implement Forms Authentication in Microsoft ASP.NET. 

A couple of security ‘researchers’, Thai Duong and Juliano Rizzo, publicly claimed that their attack could ‘compromise’ millions of applications that are built on the ASP.NET platform.  One of them even did a Twitter post asking for which ASP.NET application should be used as a demonstration, and given our reputation as the most widely deployed web application for ASP.NET, DotNetNuke was chosen as the "lucky" target.

Utilizing the extremely limited information which was provided, the DotNetNuke Security Team led by Cathal Connolly and Brandon Haynes immediately set to work trying to pinpoint the attack vector and determine the magnitude and severity of the vulnerability. Unfortunately, the lack of technical details and tools made it impossible to reproduce the issue. Initially we even suspected that DotNetNuke may be immune because of our default configuration settings; however this later proved to be incorrect ( Cathal managed to get in touch with the ‘researchers’ directly and they confirmed DotNetNuke was vulnerable but were unwilling to share details ). Regardless by mid-day Friday, Brandon and Cathal had come up with a few potential solutions which they felt would theoretically mitigate the ASP.NET forms authentication vulnerability. But rather than rush out a solution to a problem which was not yet fully defined, we decided it would be wise to wait for more details to emerge. On Friday afternoon we were contacted by a program manager from Microsoft Vulnerability Research (MSVR) who provided us with a few more details and assured us that Microsoft was taking the issue very seriously and would keep us in the loop.

Late Friday afternoon, in a security conference in Buenos Aires, Argentina, the security ‘researchers’ demonstrated how to exploit the vulnerability, using DotNetNuke as the target application. They created a YouTube video of the steps involved, and even threw 3 pen drives containing the tools to accomplish this exploit into the crowd.

We take the privacy of our users very seriously, and based on the potential threat that this vulnerability demonstrated to our community, we decided to take immediate and extreme action. We took our main websites offline, including www.dotnetnuke.com. Such drastic action obviously has an effect on our business, but we thought it was the safest approach as we needed some time to fully assess the severity of the situation. We did not expect that the sites would need to be down for an extended period, as we had faith that Microsoft would move quickly to issue a workaround.

The actual exploit utilized a few techniques which nobody had previously anticipated. But once the details were out in the open, it was then possible to come up with an effective mitigation strategy. Microsoft moved quickly to make information available to the community - in fact many of the principals in the Web Platform & Tools team, including Scott Guthrie himself, were up almost all night providing feedback and working in real-time to provide utilities to expedite the patching of affected systems ( I know this because I am on the ASPInsiders mailing list and there was plenty of activity from 1AM - 5AM PST this morning ).

The official advisory can be viewed at:

http://www.microsoft.com/technet/security/advisory/2416728.mspx

And a more understandable version written by Scott Guthrie can be viewed at:

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

Cathal has posted a detailed blog on how to apply a workaround to ensure your DotNetNuke web sites are protected immediately.

http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2798/ASP-NET-Security-Vulnerability-workaround-for-DotNetNuke-sites.aspx

We have already followed these workaround steps for our own web properties and brought them back on-line early Saturday morning. We encourage other folks to do the same ( Microsoft will likely push out a server level patch at some point in the future through Windows Update but the exact timing is still not known ).

We will also be expediting the release of a 5.5.1 version this week which will include the patch as well as a seamless upgrade mechanism to ensure your web assets are protected. We will also create a utility which would enable people to apply the patch on legacy versions without requiring an upgrade to the latest DotNetNuke product - however this should utilized with caution as the only way to be assured of the integrity of your site is to keep up with all security patches.If you do not feel comfortable making technical changes such as this to your sites, there is also the ability to opt for a commercial edition of DotNetNuke , where our expert support technicians can provide direct assistance.

We appreciate your patience and will keep you informed as further information becomes available.

Comments

Comment Form

Only registered users may post comments.

NewsArchives


August 2014 (23)
July 2014 (17)
June 2014 (10)
May 2014 (6)
April 2014 (9)
March 2014 (3)
February 2014 (4)
January 2014 (8)
December 2013 (5)
November 2013 (2)
October 2013 (9)
September 2013 (10)
August 2013 (8)
July 2013 (4)
June 2013 (8)
May 2013 (13)
April 2013 (2)
March 2013 (7)
February 2013 (7)
January 2013 (10)
December 2012 (6)
November 2012 (20)
October 2012 (12)
September 2012 (27)
August 2012 (29)
July 2012 (22)
June 2012 (17)
May 2012 (23)
April 2012 (24)
March 2012 (27)
February 2012 (21)
January 2012 (12)
December 2011 (18)
November 2011 (20)
October 2011 (27)
September 2011 (17)
August 2011 (18)
July 2011 (45)
June 2011 (22)
May 2011 (23)
April 2011 (19)
March 2011 (36)
February 2011 (19)
January 2011 (22)
December 2010 (29)
November 2010 (37)
October 2010 (32)
September 2010 (43)
August 2010 (46)
July 2010 (37)
June 2010 (46)
May 2010 (29)
April 2010 (38)
March 2010 (27)
February 2010 (33)
January 2010 (34)
December 2009 (13)
November 2009 (20)
October 2009 (29)
September 2009 (18)
August 2009 (29)
July 2009 (19)
June 2009 (18)
May 2009 (23)
April 2009 (16)
March 2009 (13)
February 2009 (20)
January 2009 (25)
December 2008 (25)
November 2008 (29)
October 2008 (34)
September 2008 (33)
August 2008 (36)
July 2008 (31)
June 2008 (25)
May 2008 (26)
April 2008 (33)
March 2008 (31)
February 2008 (24)
January 2008 (18)
December 2007 (27)
November 2007 (51)
October 2007 (24)
September 2007 (32)
August 2007 (24)
July 2007 (20)
June 2007 (28)
May 2007 (27)
April 2007 (24)
March 2007 (47)
February 2007 (21)
January 2007 (41)
December 2006 (21)
November 2006 (16)
October 2006 (24)
September 2006 (36)
August 2006 (30)
July 2006 (31)
June 2006 (37)
May 2006 (13)
April 2006 (13)
March 2006 (18)
February 2006 (20)
January 2006 (13)
December 2005 (6)
November 2005 (15)
October 2005 (15)
September 2005 (16)
August 2005 (7)
April 2005 (1)
March 2004 (4)
February 2004 (6)
January 2004 (1)
November 2003 (4)
October 2003 (22)
September 2003 (22)
August 2003 (15)
July 2003 (14)

Copyright 2014 by DNN Corp | Terms of Use | Privacy | Design by Parker Moore Design