We are delighted to have another release of Security Analyzer module - version 8.1. The main purpose of this release is to protect websites from the recently published security vulnerability "2017-08 (Critical) Possible remote code execution on DNN sites". More details about the vulnerability can be found at our Security Center http://www.dnnsoftware.com/community/security/security-center.
2017-08 (Critical) Possible remote code execution on DNN sites
We applied the first fix to this issue in DNN and Evoq versions 9.1.1, however, upon further investigation, we discovered the need for additional tightening, which is why we are releasing an updated version of this tool with a complete fix for the problem.
This issue is a critical one, and goes back to several versions of DNN including version 5.0 and above. You are strongly advised to apply this immediately.
The tool supports DNN and Evoq versions 5.6.2 and above, including .Net Framework 3.5. Sites running DNN or Evoq versions 5.6.2 up until DNN or Evoq 9.1.1 must apply this tool immediately.
As always, it's best to install in a test environment prior to doing so in production.
We have made a few more updates to the tool also.
Telerik Security Detection
We are able to warn if Telerik security fix (also known as critical security fix June-2017) was not applied.
If you see the red X like the screenshot above, you must install the appropriate security patch along.
If your site is running version 7.1.2 to 9.1.0, you need to visit the Critical Security Update page and install the Security Analyzer.
If your site is running version 5.2 to 7.1.1, you need to visit the Critical Security Update for Older Versions page and install the Security Analyzer.
There are three checks done here:
- The Bin folder has the right version of Telerik.Web.UI.dll file in the Bin folder
- The web.config has an entry for Telerik.AsyncUpload.ConfigurationEncryptionKey
- The web.config has an entry for Telerik.Web.UI.DialogParametersEncryptionKey
The above two entries can be ANY value. Make sure it's longer than 64 characters. More details about the two keys can be found here: http://docs.telerik.com/devtools/aspnet-ajax/general-information/web-config-settings-overview
UPDATE (7/27/2017) - We have made a new release 8.1.1 of this tool. It now auto adds Telerik.Web.UI.DialogParametersEncryptionKey. The tool can be downloaded from the same location.
Security Analyzer uses a special module to perform its activities. In rare cases, a malicious user may disable that. The following confirmation message confirms that the security code is still in effect.
Disk Access Check
We have made slight tweaks in this area to ensure that there is no false positive reporting. However, per our research, we have found that the warnings noted in this check has mostly been very accurate.
More details on IIS App Pool identify can be found at the following resources:
Upgrades to newer version of DNN
With this version of the tool, you may encounter upgrade errors (shown above) while upgrading DNN or Evoq to versions prior to 9.0. The problem won't happen if you upgrade to any version 9.0 or above. Of course, we always recommend upgrading to the latest version of DNN or Evoq. The workaround is very simple. Simply uinstall this tool prior to upgrade, and install again after install.
More details about this problem can be found here: https://dnntracker.atlassian.net/browse/DNN-9428
The Installation package can be downloaded from here: https://github.com/DNNCommunity/SecurityAnalyzer/releases
Ensure to download the version with "Latest Release" tag.
Installation of this tool
Security Analyzer can be installed as any standard DNN extension. Please refer to this documentation for more details: http://www.dnnsoftware.com/docs/administrators/extensions/install-extension.html
This blog explains the general usage of Security Analayzer: Updates to Security Analyzer Tool
Please send an email to [email protected]
for questions related to security.
Alternatively, you may ask a question in the comments also.