The past week has been a bit hectic in the DotNetNuke/Evoq space. Four confirmed security vulnerabilities were identified that could impact existing installations, one last week and three this week. Sadly, many sites have already been exploited by these vulnerabilities, adding a bit more urgency to the situation. Although many people are aware of the situation we have found that not everyone knows what is going on, so we thought it would be prudent to share what we know about the situation. This information is being shared both on Mitchel's Technical Blog as well as our corporate website.
Revision from Initial Posting
The original version of this article detailed specific alternative mitigation procedures to address these vulnerabilities. Even though these mitigation procedures have been widely distributed within the DNN community via email and other means, after consultation with other DNN experts and leaders, it was decided that we needed to take a different approach to disseminate the information.
We have elected to discuss that there is an option. However, we don't want to disclose in an open forum. If you are in a situation where the primary option listed below is not an option, please reach out to us, and we will gladly, privately share the mitigation steps. Our primary concern is to make people aware while balancing the amount and method of information disclosure as to not inadvertently share information that could be used for nefarious purposes.
We hate to start any post with this. However, we feel it is essential in this situation. It is our desire to provide the best information possible. What we are sharing here is an aggregation of the various communications that have been received, our experiences in the community, and what we have witnessed from fixing exploited websites. This information is provided without any warranty or guarantee for any purpose.
Information herein was obtained from the DNN Software websites, individual module vendors, the DNN Store, as well as a few other communication channels. We strongly recommend that users subscribe to any newsletter options for module vendors in use, as it is a great communication channel in these types of events.
The Exploits & Patches
In total, we are aware of four new exploits that have been announced in detail, since 6/22/2017. Below we will review each of the known exploits and discuss who is impacted, how to mitigate, and next steps.
DNN Security Issue
The first problem was identified, and a patch released on June 21st. DotNetNuke Corporation published a detailed post outlining who was impacted and how to install a patch. Their blog post provides a bit more than our summary, but the key points are below.
Who is Impacted
All installations of DotNetNuke, or Evoq, from 5.2.0 and later are impacted. Including the most current version public released version.
DNN 7.1.2 & Later Mitigation: Security Patch
The DotNetNuke provided patch provides a mitigation for those with websites running 7.1.2 and later. For users on these versions of DNN, we recommend taking a backup of the site, including the database and then applying the security patch. We have patched more than 75 installations, with only two installations having issues. Those with issues had third-party solutions developed that used a different version of Telerik than the default DNN version. If you can install this patch, you are good to go with no further action needed.
Pre-DNN 7.1.2 Mitigation
For those working with a website that is older than DNN version 7.1.2, there is no published patch or approved workaround available. The recommended solution for these installations is to upgrade to at least version 7.1.2 and apply the patch. However, if you do this, other prior exposed security issues might be a concern. We recommend working with someone that has experience in the DNN system to ensure that a secure upgrade path is decided.
DNN GO Security Issue
Earlier this week an email communication was sent from the DNN Store highlighting a security issue that impacted some modules created by the vendor DNN Go. This email noted that all DNN Go modules were removed from the store and that they were working with the module vendor to mitigate. Earlier this afternoon a follow-up email was sent from DNN Store announcing that patches were available, however, also noting that their modules are still not available in the store.
Who Is Impacted
Given that this vulnerability impacts only those with DNN GO modules installed it is a lower number of impacted sites. However, we have found that not all site owners know which third-party modules are in use. The best way to ensure that you are not vulnerable is to log in and view the "Extensions" page within DNN. If you see any module name listed with "DNN GO" as the start of the name, you are vulnerable.
For those that only received the first email, it had been noted that the best course of action was complete removal of the module. Although a viable solution, that solution would cause data loss, functionality change, and other negative impacts.
Mitigation DNN Go Released Upgrades
Based on the communication received today, DNN Go has released updated modules and made them available via their website. These updated modules have a fix applied based on that communication.
Simply ensure that you have a backup of your site, and then install the upgraded version for any of the modules that you have installed. Again, using the "Extensions" page to see what you have installed. Be careful NOT to install any new modules that you don't already have.
If there is a limitation preventing the installation of the patched modules, it is possible to mitigate the vulnerability with manual changes. This should be considered a temporary solution only, but might be necessary if running an older version of DNN or an older version of the DNN Go solutions. For security purposes we are not posting these steps online, however, if you need a manual workaround, please email us, and we will share the detail.
The third vulnerability identified was a subset of modules created by the company Mandeeps.
Who is Impacted (Updated 7/7/2017)
You are impacted if you are using one of the following modules with a version number less than the number listed below. This information has been updated on 7.7.2017 based on information provided by the DNN Store and Mandeeps. If you have previously updated, please be sure that your final version is the one listed below.
- Live Campaign 3.9.7
- Live Content 6.1.0
- Live Forms 4.3.2
- Live Helpdesk 1.3.5
- Live Utilities 1.1.2
- Common Library 2.1.8
- Porto 3.3.1 (Porto 1 & 2 NOT impacted)
As mentioned in the DNN Go listing, if you need to verify the use of these modules you can use the "Extensions" page to check.
Mitigation Option: Upgrade Modules
The simplest action, if you are vulnerable, is to upgrade the impacted module to the version number listed above. It is important to note that with any upgrade, DNN or Extension, you want to be sure to test this upgrade. It is possible that new features were added, or breaking changes introduced. As such, this is an action that shouldn't be taken without extensive testing and validation. I would NOT upgrade a production site without validating the upgrade first in a test environment.
Please note that you need to be on DNN Version 7.3.0 and later to install the latest modules based on release information provided by Mandeeps. .
Temporary Mitigation then Upgrade
If you are unable to upgrade the modules, for example, due to breaking changes, or DNN Version, it is possible to temporarily mitigate the risk while you manage the upgrade process. This mitigation will allow most public facing features to work still but will limit, or prohibit, your ability to administer the modules. These mitigation details were included in the DNN Store emails and we can provide these on request to any affected party.
EasyDNN News Module
The final security vulnerability was found with the EasyDNN News module. This item was identified and communicated the afternoon of 6/30, and sent to a subset of users from the DNN Store.
Who Is Impacted
This vulnerability only impacts the EasyDNN News module. Although this vendor has more modules, it is the only one impacted. Based on the communication, version 6.3 and later of EasyDNN News are impacated and need to be patched.
Mitigation via Upgrade
For those that have purchased the module through the DNN Store a new version should be available for download and installation. This version is 8.6.2. Installing this module version will mitigate the issue. As with the other items, be sure to take proper backups and test before deploying.
Mitigation via Patch
For those unable to fix the issue via the version upgrade for any reason, a security patch was released. This patch "EDS_News_security_patch_29062017.zip" may be downloaded directly from EasyDNN. Installing this patch will mitigate the issue and no further action is necessary.
Next Steps: Validate Site Integrity
After you have ensured the security of your installation. You will want to look for any files that may have been uploaded that are not what you expect. The DNN Security Analyzer is also a great utility to help you find any potential uploaded file that doesn't match expectations.
We hope that this information helps you work through any issues or concerns that you might have. Staying up-to-date with any module version, or DNN version will help to mitigate any issues in the future. Feel free to share any questions, comments, concerns below.