Security update 6 (Releases 8.02 SP5 to 9.20)
IMPORTANT: This security update applies to Ektron versions 8.02, 8.5, 8.6, 8.6.1, 8.7, 9.00, 9.10, and 9.20 including all service packs from 8.02 SP5 to 9.20. This security update replaces the one released on December 4, 2015.
Released: June 9, 2017
Securing your Ektron site is critical to you and to anyone using your site, data, and CMS. Failure to implement security measures can make your site vulnerable to cyber-attacks and other security threats.
You should install the security update to make Ektron as secure as possible. Download it from the Optimizely Knowledgebase (registration required; open the Security Updates folder and select SecurityUpdate6.exe or SecurityUpdate.zip).
Update 6
- EKTR-105 - Removal of deprecated file that contained an XSLT vulnerability.
Previous updates
- 23401 - Critical Security Vulnerability - Unauthenticated access and execution of unused pages in Workarea. A style sheet editing interface used for content authoring was exposed and allowed write access to add and update style information used within the CMS. A malicious attack may involve write access to a specific (also unused) CMS database table. This was addressed by deleting the [site]\workarea\editoroptions folder, which is not used by Ektron. We highly recommend that you read the release notes for the Security Update, then download it from the Ektron Customer Portal. The vulnerability exists in unused code that can be accessed by unauthenticated, malicious users. Once accessed, these pages allow the editing, deletion, and addition of style sheet information. As this feature is unused by Ektron, it is being removed as a safety precaution to prevent potential intrusion.
  This vulnerability exists in versions 9.10, 9.10 SP1, and 9.10 SP2. It has been patched in the cumulative updates as of version 9.10 SP2 CU06.
  Security Update 5 included the removal of the [websiteroot]/workarea/editoroptions/ folder and all folders and files contained within it. To perform Security Update 5 manually, delete that folder from your site. Contact Ektron Support with questions.
- 23016 - Ektron CMS security vulnerability in workarea/contentdesigner/dictionaryconfigurator/dictionaryconfigurator.aspx. The vulnerability exists in unused code that can be accessed by unauthenticated, malicious users who manipulate session data and bypass authentication. Once accessed, these pages allow the editing, deletion, and addition of spell check libraries. Since this feature is not used by Ektron CMS, it is being removed as a safety precaution to prevent intrusion.
  Security Update 4 removes the following folder and all folders and files contained within it: [websiteroot]/workarea/contentdesigner/dictionaryconfigurator/*.*
  To perform Security Update 4 manually, delete the referenced folder from your site.
- Restricts access to Siteroot\WorkArea\webservices, Workarea/services, and Siteroot\WorkArea\ServerControlWS.asmx to localhost only. NOTE: The update installer restricts access to the local IP. If you are using a 3-tier architecture, review the restriction and manually add access for the allowed presentation sites to this IIS folder. See Securing Ektron in the Ektron Reference.
- Disallows script execution in the assets, privateassets, uploadedfiles, uploadedimages, and AssetManagement/dmdata folders.
- Updates the database to fix SQL injection issues.
- Determines whether the Admin and Builtin user account passwords are set to the default value. If they are, the security update recommends that you change them.
- Applies fixes for security vulnerabilities to numerous Ektron site files, except when you have already run this utility on the site or you have a custom (hotfix) dll.
- Critical security vulnerabilities are addressed within the Ektron CMS relating to potential arbitrary file upload and deletion by an unauthenticated user through FileUploadHandler.ashx and DeleteFileUploadHandler.ashx. This security update removes both vulnerable files, which are not used within the Ektron CMS. You must run this update on each Ektron CMS site, including newly installed sites created from site setup. You can also manually remove the files from the following locations:
  /Workarea/FrameworkUI/handlers/Ektron/Controls/EktronUI/FileUploadHandler.ashx
  /Workarea/FrameworkUI/handlers/Ektron/Controls/EktronUI/DeleteFileUploadHandler.ashx
- You can no longer add non-white-listed files.
- An improperly configured site had the potential for file execution from a malicious source; Upload.aspx was vulnerable to attack.
- XSLT ignores DTD
- XSLT allows remote code execution
- WebService disallows XSL methods
- User hash returned on password management page
- WebService only allowed access from localhost
- Locks services and WebServices, denying access
- Checks default accounts and passwords
- Disallows execution through IIS and web.config
- Integrates whitelist for uploaded files.
- A vulnerability in the workarea/contentdesigner/dictionaryconfigurator/dictionaryconfigurator.aspx file.
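The two IIS changes listed above (locking the Workarea service endpoints to localhost, and refusing script execution in the upload folders) are also what the "Secure workarea/webservices and workarea/services" step of the manual procedure asks for. The script below is an added example, not the Ektron installer's code, showing how to make both changes with the IIS WebAdministration module and read them back. The site name 'Default Web Site' and the 127.0.0.1-only allow list are assumptions; on a 3-tier deployment pass each presentation-tier server's address in -AllowedIPs. The ipSecurity section requires the "IP and Domain Restrictions" role service, and the script writes <location> entries into applicationHost.config rather than a folder web.config because that section is locked at server level by default.

```powershell
# Added example; not part of the Ektron security update or its installer.
# Run in an elevated PowerShell on the web server (IIS 7 or later).
Import-Module WebAdministration

# Target applicationHost.config with <location path="site/folder"> entries.
# ipSecurity is locked at server level by default, so the same settings in a
# folder web.config would be rejected with HTTP 500.19.
$AppHost = 'MACHINE/WEBROOT/APPHOST'

function Set-IisAllowList {
    # Deny every client except $AllowedIPs for one folder or file under the site.
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$RelativePath,   # folder, or a file such as Workarea/ServerControlWS.asmx
        [string[]]$AllowedIPs = @('127.0.0.1')           # 3-tier: add each presentation-tier server
    )
    $loc    = "$SiteName/$RelativePath"
    $filter = 'system.webServer/security/ipSecurity'

    # allowUnlisted=false turns the list into an allow list; unlisted clients get 403.
    Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter $filter `
        -Name 'allowUnlisted' -Value $false

    $listed = @(Get-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter $filter -Name 'Collection')
    foreach ($ip in $AllowedIPs) {
        if ($listed.ipAddress -notcontains $ip) {
            Add-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter $filter `
                -Name '.' -Value @{ ipAddress = $ip; allowed = $true }
        }
    }
}

function Set-IisReadOnlyHandlers {
    # accessPolicy=Read lets IIS serve static files from the folder but refuses any
    # handler that needs Script or Execute access, so an uploaded .aspx/.ashx is
    # never run by the ASP.NET pipeline.
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string[]]$Folders
    )
    foreach ($folder in $Folders) {
        Set-WebConfigurationProperty -PSPath $AppHost -Location "$SiteName/$folder" `
            -Filter 'system.webServer/handlers' -Name 'accessPolicy' -Value 'Read'
    }
}

function Get-AttrValue {
    # Get-WebConfigurationProperty returns a ConfigurationAttribute for some
    # attribute types and a plain value for others; normalise to the value.
    param($Attr)
    if ($null -ne $Attr -and $Attr.PSObject.Properties['Value']) { return $Attr.Value }
    return $Attr
}

function Get-IisRestriction {
    # Read back the effective settings so the change can be checked before go-live.
    param([string]$SiteName, [string]$RelativePath)
    $loc = "$SiteName/$RelativePath"
    [pscustomobject]@{
        Path          = $RelativePath
        AllowUnlisted = Get-AttrValue (Get-WebConfigurationProperty -PSPath $AppHost -Location $loc `
                            -Filter 'system.webServer/security/ipSecurity' -Name 'allowUnlisted')
        AccessPolicy  = Get-AttrValue (Get-WebConfigurationProperty -PSPath $AppHost -Location $loc `
                            -Filter 'system.webServer/handlers' -Name 'accessPolicy')
    }
}

$site = 'Default Web Site'   # assumption: adjust to your Ektron site's IIS name

foreach ($p in 'Workarea/webservices', 'Workarea/services', 'Workarea/ServerControlWS.asmx') {
    Set-IisAllowList -SiteName $site -RelativePath $p -AllowedIPs '127.0.0.1'
}
Set-IisReadOnlyHandlers -SiteName $site `
    -Folders 'assets', 'privateassets', 'uploadedfiles', 'uploadedimages', 'AssetManagement/dmdata'

'Workarea/services', 'uploadedfiles' | ForEach-Object { Get-IisRestriction -SiteName $site -RelativePath $_ }
```

After running it, a request to /Workarea/services/ from any host other than those listed should return 403, and a file placed in uploadedfiles with an .aspx extension should be served as bytes (or refused) rather than executed. Keep the request-filtering extension allow list in place as well; accessPolicy only controls what IIS will run, not what the CMS accepts.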
Yes. If the security update utility cannot complete any of the updates, a warning appears and no files will be affected. Contact Ektron Support.
The latest version of Ektron has the most recent security measures. If you cannot upgrade to the latest version, then Ektron strongly recommends that you get and install the most recent service pack for your base version. For information about installing and upgrading Ektron, see the Ektron Reference.
Best Practice
You should back up your sites and databases, then test this update in a test environment prior to running this update in your production environment. Because there may be differences between servers in your configuration, review any differences in detail.
Yes. You must run the security update after you upgrade your site.
No. You must run the security update again.
Yes. You will need to run the security update utility in all of the environments.
The security update utility updates all of the sites on a WebServer, including sites used in a multisite configuration.
No. The security update utility does not let you choose sites. You must run the security update for all sites. However, if you do not want to apply these security updates to some of your sites, temporarily move the web.config file out of the site root before running the security update utility.
Yes. You must run the security update on the application layer and allow access to the /workarea/services/ folder from the presentation layer.
After successful completion, the utility displays a status page that lists the updates that the utility made to the sites on your system.
Yes. See Applying the security update manually.
- Amazon: Log in to Amazon VM and run the security update utility as you would for an on-premises site.
- Azure: Call Ektron support.
Yes. See Securing Ektron in the Ektron Reference and Best Practices for Securing Ektron CMS400.Net in the Ektron DevCenter.
NOTE: Each site and configuration may be different. Ektron recommends that you evaluate the needs of your site against your level of risk and security requirements, following the OWASP Top 10 list of the most critical web application vulnerabilities.
Running the security update utility
- Copy SecurityUpdate.exe to your system and run it.
- Click Next on the first screen to uncompress the files.
The security update utility lists all Ektron sites on your system with versions between 8.02r and 9.10 SP2 in a dialog box with patch status.
- If the status is Patch 4 Installed, the site has already been updated.
- If the status is Patch 4 Not Installed, the site needs the updates contained in security update 4.
- Click Next to proceed with the update. (Canceling the update deletes the files it placed into the Security folder and aborts the installation.) The following actions occur.
  - Restricts access to Siteroot\WorkArea\webservices, Workarea/services, and Siteroot\WorkArea\ServerControlWS.asmx to localhost only.
  - Disallows script execution in the assets, privateassets, uploadedfiles, uploadedimages, and AssetManagement/dmdata folders.
  - Updates the database to fix SQL injection issues.
  - Determines whether the Admin and Builtin user account passwords are set to the default value. If they are, the security update recommends that you change them.
  - Applies fixes for security vulnerabilities to numerous Ektron site files, except when you have already run this utility on the site or you have a custom (hotfix) dll.
- Click Finish. A report shows a list of each site and the changes made to it. The report is stored at C:\Program Files\Ektron\SecurityUpdate\Results.html.
Applying the security update manually
Prerequisite
Make sure there are no hot fixes applied to the site. If hot fixes are applied, start from step 7 and call customer support. If you are on version 8.7 SP2, 9.00 SP1, 9.00 SP2, 9.10, or 9.10 SP2, also start with step 7.
1. Back up your site.
2. Back up your database.
3. Locate your CMS version and service pack number (if any) and write it down. You can find the version number in web.config under either ek_CMSVersion or ek_Version.
4. Unpack the security update zip file and copy all files, except for the database folder, from under the version and SP number you found in step 3.
5. Paste the files into the Web site root.
6. Run the SQL script under the database folder.
7. Change the admin username and password.
8. Change the builtin username and password.
9. Delete or lock any other Ektron default accounts (such as jmember, jedit, and so on).
10. Secure workarea/webservices and workarea/services. You can find an example at How To: Restrict access to a file or folder.
11. Delete the ServerControlWS.asmx file from the Workarea folder.
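Whether you apply the update by hand or with the utility, it is worth checking the result against the list of files the updates remove. The script below is an added example, not part of the Ektron security update: it reads the version and service pack from web.config (step 3) and reports whether each path removed by Security Updates 4 and 5, the FileUploadHandler fix, and step 11 is still present under the site root. The site root path is an assumption, as is the layout of the version entry (an <add key="ek_CMSVersion" value="..."/> or ek_Version entry directly in appSettings; if your web.config externalises appSettings the version will come back empty).

```powershell
# Added example; not part of the Ektron security update or its installer.
# Checks one site root after the update has been applied manually or by the utility.

# Paths the updates remove, relative to the site root (from the update notes).
$RemovedPaths = @(
    'workarea\editoroptions',                                                          # 23401, Security Update 5
    'workarea\contentdesigner\dictionaryconfigurator',                                # 23016, Security Update 4
    'Workarea\FrameworkUI\handlers\Ektron\Controls\EktronUI\FileUploadHandler.ashx',
    'Workarea\FrameworkUI\handlers\Ektron\Controls\EktronUI\DeleteFileUploadHandler.ashx',
    'Workarea\ServerControlWS.asmx'                                                   # manual step 11
)

function Get-EktronVersion {
    # Returns the value of ek_CMSVersion (or, on older sites, ek_Version) from
    # web.config, or $null if neither key is found. Assumes the key is an
    # <add key=".." value=".."/> entry directly under <appSettings>.
    param([Parameter(Mandatory)][string]$SiteRoot)
    $configPath = Join-Path $SiteRoot 'web.config'
    if (-not (Test-Path -LiteralPath $configPath)) {
        throw "No web.config under $SiteRoot; is this the site root?"
    }
    [xml]$cfg = Get-Content -LiteralPath $configPath -Raw
    foreach ($key in 'ek_CMSVersion', 'ek_Version') {
        $entry = @($cfg.configuration.appSettings.add) |
            Where-Object { $_ -and $_.key -eq $key } | Select-Object -First 1
        if ($entry) { return $entry.value }
    }
    return $null
}

function Test-EktronRemovals {
    # One row per path. Removed=$false means that part of the update is not applied.
    param([Parameter(Mandatory)][string]$SiteRoot)
    foreach ($rel in $RemovedPaths) {
        $full = Join-Path $SiteRoot $rel
        [pscustomobject]@{
            Path    = $rel
            Removed = -not (Test-Path -LiteralPath $full)
        }
    }
}

function Invoke-EktronUpdateCheck {
    # Summary object: version string, paths still present, and an overall Clean flag.
    param([Parameter(Mandatory)][string]$SiteRoot)
    $version = Get-EktronVersion -SiteRoot $SiteRoot
    $rows    = @(Test-EktronRemovals -SiteRoot $SiteRoot)
    $left    = @($rows | Where-Object { -not $_.Removed })
    [pscustomobject]@{
        SiteRoot  = $SiteRoot
        Version   = $version
        Remaining = @($left.Path)
        Clean     = ($left.Count -eq 0)
    }
}

# Usage; the site root is an assumption.
$report = Invoke-EktronUpdateCheck -SiteRoot 'C:\inetpub\wwwroot\ektronsite'
$report | Format-List
if (-not $report.Clean) {
    Write-Warning "Update incomplete; still present: $($report.Remaining -join ', ')"
}
```

Run it once per site on a multi-site server, since the utility patches every site it finds but a manual application is easy to leave half done on one of them. A Clean result only covers the file removals; the database script, the default-account passwords, and the IIS restrictions still need their own checks.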
Support
If you have a current maintenance agreement with Ektron, use Ektron Support for questions or issues. If you are evaluating Ektron for any other reason, contact Ektron Sales for direction and options for further assistance.