It is hard to believe that it has been a month already since my last post about DNN/Evoq Security. A lot has transpired since that last release. Some additional security releases and patches have come out. In the end, we are at a time where I believe we are past the storm, but I thought it would be good to revisit the recommended actions for users. (For those non-DNN/Evoq followers of this blog, hang tight, next week will be the start of lots of fun Entity Framework, .NET Core and similar content!)
Recommended Actions
With all of the information from the past few weeks, the general recommendation is quite simple. Your best course of action for ANY DotNetNuke or Evoq based website is to upgrade to version 9.1.1. Upgrading to 9.1.1 will ensure that you get the latest security fixes across the platform, and there have a been a number of them in the past few years. You can view all of the fixed items that apply to your current installation version by visiting the Security Center.
It should be noted, however, that just upgrading to Version 9.1.1 is not all that you need to do, but it is the first step. In addition to upgrading to 9.1.1, you will want to take the following steps. NOTE: These steps apply to ALL Users of 9.1.1, and should be made as soon as possible if not yet done.
Update Security Analyzer
On July 25th DNN Software released a new version of Security Analyzer. Per the information included in the blog posting, this release was made primarily to deploy a mitigation for a particular identified security vulnerability. This release of Security Analyzer can be installed on DNN 5.6.2 and later. It is important to note that this version is LATER than any version that might be installed to an existing 9.1.1 installation and does need to be installed to any 9.1.1 installation.
Update All Third-Party Modules
I will not rehash all of the specific vendor items; however, it should be considered part of any regular upgrade also to update third-party solutions to their latest versions. This is especially important if you have any modules from vendors that have published fixes for security-related issues including modules from; DNN Sharp, Mandeeps, EasyDNN, and DNN Go at a minimum.
But I Can't Upgrade Because of _____
If you are in a situation where you cannot upgrade, you can still take steps to protect yourself. However, the best long-term recommendation is to get the website to a situation where you can upgrade. The Security Analyzer will show just how many different issues impact your particular version of DNN/Evoq.
If you are stuck at a version, it is important to install the Security Analyzer patch, the Telerik Patch from last month, and any third party patches possible. However, just because you take these steps you are NOT out of the woods, you have just applied fixes for some of the major vulnerabilities.
Watch Interim Upgrades
If you are stuck on an older version and contemplating an upgrade to an intermediate version. Such as going from 6.x to 7.4.x, be sure that you reapply any mitigation's that you might have done in the past for other issues. Such as the removal of the InstallWizard and UpgradeWizard files that many people completed in 2016. As when you upgrade these files may be reintroduced if you are not going to the version where the final patch was applied.
What Else Can We Do To Protect
Continuing to remain up-to-date is a great first step in keeping your environment secure. Additionally, you will want to review and resolve any Security Analyzer errors that may appear. Additionally, I have published a number of security White Papers that go into additional steps to secure installations including permissions and related issues.
Parting Notes
If there is anything to be learned from the past few weeks is a reminder of the importance of regular upgrades and maintenance. We make a decision as to which version we are running and when to upgrade. Eventually, though it can be time to face the music and upgrade.