

New Release of DNN Security Analyzer

We are delighted to announce another release of the Security Analyzer module: version 8.1. The main purpose of this release is to protect websites from the recently published security vulnerability "2017-08 (Critical) Possible remote code execution on DNN sites". More details about the vulnerability can be found in our Security Center: https://www.dnnsoftware.com/community/security/security-center.

2017-08 (Critical) Possible remote code execution on DNN sites

We applied the first fix for this issue in DNN and Evoq version 9.1.1. However, upon further investigation, we discovered the need for additional tightening, which is why we are releasing an updated version of this tool with a complete fix for the problem. This issue is a critical one, and goes back several versions of DNN, including version 5.0 and above. You are strongly advised to apply this immediately.

Supported Versions

The tool supports DNN and Evoq versions 5.6.2 and above, including .Net Framework 3.5. Sites running DNN or Evoq versions 5.6.2 up until DNN or Evoq 9.1.1 must apply this tool immediately. As always, it's best to install in a test environment prior to doing so in production.

Other Changes

We have made a few more updates to the tool also.

Telerik Security Detection


The tool now warns you if the Telerik security fix (also known as the critical security fix June-2017) was not applied. If you see the red X like the screenshot above, you must also install the appropriate security patch. If your site is running version 7.1.2 to 9.1.0, you need to visit the Critical Security Update page and install the Security Analyzer. If your site is running version 5.2 to 7.1.1, you need to visit the Critical Security Update for Older Versions page and install the Security Analyzer.
There are three checks done here:
  • The Bin folder has the right version of the Telerik.Web.UI.dll file
  • The web.config has an entry for Telerik.AsyncUpload.ConfigurationEncryptionKey
  • The web.config has an entry for Telerik.Web.UI.DialogParametersEncryptionKey


The two web.config entries above can be set to ANY value; make sure each one is longer than 64 characters. More details about the two keys can be found here: http://docs.telerik.com/devtools/aspnet-ajax/general-information/web-config-settings-overview

UPDATE (7/27/2017) - We have released version 8.1.1 of this tool. It now automatically adds Telerik.Web.UI.DialogParametersEncryptionKey. The tool can be downloaded from the same location.
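The two web.config checks from the list above, plus a generator for a value of the required length, as an added PowerShell example (not part of the Security Analyzer code). The function names, the constructed sample config, the 128-character default and the assumption that `<configuration>` carries no XML namespace are all choices made here; the DLL version check is omitted because the post does not state the required version.

```powershell
# Added example: audit a DNN web.config for the two Telerik appSettings keys.
$RequiredKeys = @(
    'Telerik.AsyncUpload.ConfigurationEncryptionKey',
    'Telerik.Web.UI.DialogParametersEncryptionKey'
)

function Test-TelerikKeys {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [int]$MinLength = 65            # the post asks for "longer than 64 characters"
    )
    foreach ($name in $RequiredKeys) {
        # Assumes <configuration> has no xmlns attribute, as in a stock DNN web.config
        $node  = $Config.SelectSingleNode("/configuration/appSettings/add[@key='$name']")
        $value = if ($node) { $node.GetAttribute('value') } else { $null }
        [pscustomobject]@{
            Key     = $name
            Present = [bool]$node
            Length  = if ($value) { $value.Length } else { 0 }
            Pass    = [bool]($value -and $value.Length -ge $MinLength)
        }
    }
}

function New-RandomKey {
    param([int]$Length = 128)           # hypothetical default, comfortably above 64
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'.ToCharArray()
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            # Rejection sampling: 248 = 62 * 4, so accepted bytes map evenly onto 62 symbols
            if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
        }
    } finally { $rng.Dispose() }
    $sb.ToString()
}

# Constructed sample: one key present but too short, the other missing entirely
[xml]$sample = @'
<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="short-constructed-value" />
  </appSettings>
</configuration>
'@
Test-TelerikKeys -Config $sample | Format-Table -AutoSize
```

For a real site, pass the parsed file instead of the sample, for example `Test-TelerikKeys -Config ([xml](Get-Content -Raw <path-to-site>\web.config))`, and use a separate `New-RandomKey` value for each key on each site.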

Security-Module Disabling-Detection


Security Analyzer uses a special module to perform its activities. In rare cases, a malicious user may disable it. The following message confirms that the security code is still in effect.

Disk Access Check

We have made slight tweaks in this area to ensure that there is no false positive reporting. However, per our research, we have found that the warnings noted in this check have mostly been very accurate.
More details on the IIS App Pool identity can be found at the following resources:
https://www.youtube.com/watch?v=0tEojc_GU_A
https://stackoverflow.com/questions/5437723/iis-apppoolidentity-and-file-system-write-access-permissions
https://docs.microsoft.com/en-us/iis/manage/configuring-security/ensure-security-isolation-for-web-sites
https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/86127a66-dfd0-431b-b24e-84aee7e15fe1.mspx?mfr=true

Upgrades to newer version of DNN


With this version of the tool, you may encounter upgrade errors (shown above) while upgrading DNN or Evoq to versions prior to 9.0. The problem won't happen if you upgrade to any version 9.0 or above. Of course, we always recommend upgrading to the latest version of DNN or Evoq. The workaround is very simple: uninstall this tool prior to the upgrade, and install it again after the upgrade.
More details about this problem can be found here: https://dnntracker.atlassian.net/browse/DNN-9428

Download

The Installation package can be downloaded from here: https://github.com/DNNCommunity/SecurityAnalyzer/releases
Be sure to download the version with the "Latest Release" tag.

Installation of this tool

Security Analyzer can be installed as any standard DNN extension. Please refer to this documentation for more details: https://www.dnnsoftware.com/docs/administrators/extensions/install-extension.html

Previous Releases

This blog explains the general usage of Security Analyzer: Updates to Security Analyzer Tool

Additional Questions

Please send an email to security@dnnsoftware.com for questions related to security.
Alternatively, you may ask a question in the comments also.

 


Comments

Ray Michaud
Hi, I downloaded the latest Security Analyzer file from GitHub (v 08.01.00) and installed it through the extension wizard. I got a success message. I re-started my website. I ran the Security Analyzer and still got the Check Telerik Vulnerability critical message. It is immediately followed by the Check Security Analyzer Http Module with a green check. Does this mean I am all set? My information security officer isn't convinced.
Ray Michaud Wednesday, July 26, 2017 5:41 PM (link)
TPPerlman
Thank you for the further support on these vulnerabilities. I had previously updated 40+ DNN installations with the June 2017 Security Hotfix v1.0.1, but when I installed the latest version of the Security Analyzer v8.1 I was getting the following error on 99% of my DNN v8x installations:

--------------------------------------------------------------------------------
PURPOSE OF THE CHECK:
CheckTelerikVulnerability : Check if Telerik component has vulnerability.

RESULT:
The Telerik component vulnerability has not been patched, please go to http://www.dnnsoftware.com/services/customer-support/success-network/security-fix-june-2017 for detailed information. You also can download a patch from that page or directly from http://dnn.ly/SecurityFix201701 and apply it.

NOTES:
App Setting "Telerik.Web.UI.DialogParametersEncryptionKey" doesn't exist in web.config.

--------------------------------------------------------------------------------

In order to fix this, I manually added the following key:


...



For the [ENCRYPTIONKEY] above, I used a different random password generator with an alphanumeric length of 128 characters for each site. Once I did that, the error went away.
TPPerlman Wednesday, July 26, 2017 7:35 PM (link)
