Today I'm taking a break from OCS (and Lync, and Exchange, and SBS…wow, did I fracture this blog too much?).

To bring you a warning.

As I may have mentioned before, we use and recommend the Sitefinity CMS for business websites. It's very reliable, easy to use, costs much less than other enterprise CMSes, and is built on Microsoft's ASP.NET technology.

Recently however, a vulnerability in ASP.NET has been found.

Don't Panic! It's Hard to Exploit

Vulnerabilities are found all the time on the Web – that's nothing new. This one allows an attacker, if they have plenty of time, to hammer on a website until it cracks. And not just any crack – the vulnerability is a cryptographic oracle (specifically a padding oracle). Meaning the attacker has to send data to the site, get a padding error, adjust the data and resend. Over and over…until he doesn't get a padding error.

Then he's able to decrypt the data he gets back, and gain access to the site.

I'm posting about it because it affects Sitefinity 3.7, the CMS version most of our clients use. (Sitefinity 4.0, still in beta, is not at risk.) We're alerting all our clients in fact, by publishing a blog post of our own about the vulnerability here:

Exploit Discovered Affecting ASP.NET – Sitefinity Customers Affected – PlanetMagpie MS Development Blog

However, since this is an ASP.NET error, any server running it and any application using it is potentially vulnerable. If that's you, then you're in need of a fix.

There's a Well-Documented Workaround and a Microsoft Patch Available

The blog post I just mentioned contains a workaround. Originally published by Scott Guthrie at his blog, it details a couple of code changes that block the distinguishable error responses attackers try to exploit.
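As an added illustration of that workaround (not code from the PlanetMagpie post or from Sitefinity; the file layout and the `~/error.aspx` path are assumptions), here is a web.config fragment showing the kind of customErrors setup that leaks an oracle next to the uniform-error setup that closes it:

```xml
<!-- web.config: customErrors workaround for the ASP.NET padding oracle issue.
     Assumed layout; adjust the defaultRedirect path to your own error page. -->
<configuration>
  <system.web>

    <!-- WEAK: different failures produce different responses. Sending a 404
         page for bad resource requests and a 500 page for cryptographic
         (padding) failures lets a remote client tell the two cases apart,
         which is exactly the signal the oracle attack depends on. -->
    <!--
    <customErrors mode="RemoteOnly" defaultRedirect="~/error500.aspx">
      <error statusCode="404" redirect="~/error404.aspx" />
      <error statusCode="500" redirect="~/error500.aspx" />
    </customErrors>
    -->

    <!-- CORRECTED: every error, whatever its cause, renders the same page.
         No per-status <error> entries, and mode="On" so local requests do
         not see details either. redirectMode="ResponseRewrite" (.NET 3.5 SP1
         and 4.0) serves the page in place rather than redirecting, so the
         URL and status code stay uniform as well. On older frameworks drop
         the redirectMode attribute and point defaultRedirect at a static
         HTML page. -->
    <customErrors mode="On"
                  redirectMode="ResponseRewrite"
                  defaultRedirect="~/error.aspx" />

  </system.web>
</configuration>
```

The error page itself should also add a short random delay in its Page_Load, as Guthrie's post recommends, so that response timing cannot substitute for the error text; once the Microsoft patch is applied and tested, the workaround is no longer needed.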

Also, a Microsoft patch was just released today. The related security bulletin is here:
Microsoft Security Bulletin – Vulnerability in ASP.NET Could Allow Information Disclosure

It looks like most versions of Windows XP, Windows Server 2003 and 2008, and Windows 7 are affected. The patch is available in the Microsoft Download Center.

Whether you apply the workaround or the MS patch, back up the system being updated first! This is an important patch, and should work fine. But you never know!

Use ASP.NET? You Need to Know About This Vulnerability