DNN Community Blog


New Release of DNN Security Analyzer

We are delighted to have another release of Security Analyzer module - version 8.1. The main purpose of this release is to protect websites from the recently published security vulnerability "2017-08 (Critical) Possible remote code execution on DNN sites". More details about the vulnerability can be found at our Security Center http://www.dnnsoftware.com/community/security/security-center.

2017-08 (Critical) Possible remote code execution on DNN sites

We applied the first fix to this issue in DNN and Evoq versions 9.1.1, however, upon further investigation, we discovered the need for additional tightening, which is why we are releasing an updated version of this tool with a complete fix for the problem. This issue is a critical one, and goes back to several versions of DNN including version 5.0 and above. You are strongly advised to apply this immediately.

Supported Versions

The tool supports DNN and Evoq versions 5.6.2 and above, including .Net Framework 3.5. Sites running DNN or Evoq versions 5.6.2 up until DNN or Evoq 9.1.1 must apply this tool immediately. As always, it's best to install in a test environment prior to doing so in production.

Other Changes

We have also made a few more updates to the tool.

Telerik Security Detection


The tool now warns if the Telerik security fix (also known as the critical security fix of June 2017) has not been applied. If you see a red X as in the screenshot above, you must install the appropriate security patch. If your site is running version 7.1.2 to 9.1.0, you need to visit the Critical Security Update page and install the Security Analyzer. If your site is running version 5.2 to 7.1.1, you need to visit the Critical Security Update for Older Versions page and install the Security Analyzer.
There are three checks done here:
  • The Bin folder contains the right version of the Telerik.Web.UI.dll file
  • The web.config has an entry for Telerik.AsyncUpload.ConfigurationEncryptionKey
  • The web.config has an entry for Telerik.Web.UI.DialogParametersEncryptionKey


The two web.config entries above can hold any value; make sure each value is longer than 64 characters. More details about the two keys can be found here: http://docs.telerik.com/devtools/aspnet-ajax/general-information/web-config-settings-overview
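The following script, added here as an illustration and not part of the Security Analyzer itself, reproduces the web.config side of those three checks: it looks for the two Telerik appSettings keys, verifies each value is longer than 64 characters, and reports whether Telerik.Web.UI.dll is present in the Bin folder (the "right version" check from the list above is assumed to be done separately, since this post does not state the required version). The sample web.config is constructed for the demonstration.

```python
import os
import xml.etree.ElementTree as ET

# The two appSettings keys the Security Analyzer looks for (named in the post).
REQUIRED_KEYS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)
MIN_KEY_LENGTH = 64  # each value must be longer than 64 characters


def check_telerik_keys(web_config_xml):
    """Return {key: (present, long_enough)} for each required appSettings key."""
    root = ET.fromstring(web_config_xml)
    # Only <add> elements under <appSettings> count; web.config has other <add>s.
    values = {}
    for add in root.findall("./appSettings/add"):
        key = add.get("key")
        if key in REQUIRED_KEYS:
            values[key] = add.get("value") or ""
    return {
        key: (key in values, len(values.get(key, "")) > MIN_KEY_LENGTH)
        for key in REQUIRED_KEYS
    }


def telerik_findings(web_config_xml, bin_dir):
    """List human-readable problems; an empty list means all checks passed."""
    findings = []
    for key, (present, long_enough) in check_telerik_keys(web_config_xml).items():
        if not present:
            findings.append(f"missing appSettings entry: {key}")
        elif not long_enough:
            findings.append(f"value of {key} is not longer than {MIN_KEY_LENGTH} characters")
    # Presence check only; the version itself is assumed to be verified elsewhere.
    if not os.path.isfile(os.path.join(bin_dir, "Telerik.Web.UI.dll")):
        findings.append("Telerik.Web.UI.dll not found in Bin folder")
    return findings


# Constructed sample: one key is present but too short, the other is missing.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="tooshort" />
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    for problem in telerik_findings(SAMPLE_WEB_CONFIG, "bin"):
        print("X", problem)
```

Point it at a real site with `telerik_findings(open("web.config").read(), "bin")`; a red X in the tool should correspond to at least one line of output here.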

UPDATE (7/27/2017) - We have made a new release 8.1.1 of this tool. It now auto adds Telerik.Web.UI.DialogParametersEncryptionKey. The tool can be downloaded from the same location.

Security Module Disabling Detection


Security Analyzer uses a special module to perform its activities. In rare cases, a malicious user may disable that module. The confirmation message shown above confirms that the security code is still in effect.

Disk Access Check

We have made slight tweaks in this area to ensure that there is no false positive reporting. However, per our research, the warnings raised by this check have mostly been very accurate.
More details on the IIS App Pool identity can be found at the following resources:
https://www.youtube.com/watch?v=0tEojc_GU_A
https://stackoverflow.com/questions/5437723/iis-apppoolidentity-and-file-system-write-access-permissions
https://docs.microsoft.com/en-us/iis/manage/configuring-security/ensure-security-isolation-for-web-sites
https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/86127a66-dfd0-431b-b24e-84aee7e15fe1.mspx?mfr=true

Upgrades to newer version of DNN


With this version of the tool, you may encounter upgrade errors (shown above) while upgrading DNN or Evoq to versions prior to 9.0. The problem won't happen if you upgrade to any version 9.0 or above. Of course, we always recommend upgrading to the latest version of DNN or Evoq. The workaround is very simple: uninstall this tool prior to the upgrade, and install it again after the upgrade completes.
More details about this problem can be found here: https://dnntracker.atlassian.net/browse/DNN-9428

Download

The Installation package can be downloaded from here: https://github.com/DNNCommunity/SecurityAnalyzer/releases
Make sure to download the version with the "Latest Release" tag.

Installation of this tool

Security Analyzer can be installed as any standard DNN extension. Please refer to this documentation for more details: http://www.dnnsoftware.com/docs/administrators/extensions/install-extension.html

Previous Releases

This blog explains the general usage of Security Analyzer: Updates to Security Analyzer Tool

Additional Questions

Please send an email to [email protected] for questions related to security.
Alternatively, you may ask a question in the comments also.
