2sxc rarely has security issues, and none have ever been seen as exploited. But things can go wrong, and something has gone wrong which you should be aware of.
The good news is - this is our second security notification in 12 years 🌟.
The bad news is - this is a security notification 😲.
TL;DR Summary 2024-001
1. Please Update to latest LTS
The key takeaway is that version 11-17 of 2sxc have a security issue. You should really update to the latest LTS - at the time of writing this is v17.09. You'll find a direct link in the download section.
2. Upgrade Process and Time Estimates
In most cases an upgrade can be completed in 5-15 minutes. But we recommend that you run an upgrade on a copy before upgrading your live environment, so depending on your setup it will take you longer to get a copy running for upgrade testing.
As upgrades have been very smooth since 2sxc v9, we don't expect any problems. If you are concerned, please read the release history and especially breaking changes.
Note that our estimate time is pure developer time. If you need to make a customer quote you should use a much higher estimate for PM and overhead.
Security Notice 2024-001
2sxc uses third party platforms, frameworks, libraries. From the .net Framework to Dnn and Oqtane, Razor-Blade, Angular and other JS libraries, Entity-Framework - you name it.
A few month ago a security hole was detected in one of our dependencies which led us to make some changes so that we are not affected.
Everybody will usually want to know as much as possible to make a decision upgrade or not, yet the more we disclose, the more likely it would become that people would abuse it. To protect the thousands of installations out there, we will not disclose which dependency was effected or how we closed the hole.
What is it?
It's a small issue - which a skilled attacker maybe could abuse.
Our understanding of the issue is that:
- It is extremely difficult to exploit (CVE Score around 3), but has been exploited for years by highly sophisticated attackers (think governments and similar).
- We can think of ways it could affect your server and/or your customers.
- To abuse it, the attacker would probably need to explicitly target you. With our current knowledge, we cannot imagine a try-all-installations-for-this attack.
- Abusing this hole could possibly help an attacker crash something (think system or subsystem of a server or browser)
- It is extremely hard to use the attack to usefully run own code, or access any other data, but it is rumored to have been used by Pegasus.
- As of now, we believe the attacker would need to be able to upload files to your system, which limits who could attack you. But remember that every registered user can upload files (this has already allowed certain attacks in the past, such as the Managed.com meltdown).
To be clear: the CVE score of this security hole is around 9 (red), which is HIGH. But it is also extremely difficult to exploit (ca. 3 - green). Our understanding is that the score is so high, because the affected technology is used in just about every device and server. Our understanding is that many devices have already become immune to the bug, so our main concern is protecting the server.
Affected Versions
Non-Affected Versions or Mitigating Circumstances
- 2sxc releases before v11 are not affected by this issue, but must be regarded as insecure for other reasons such as our 2021-001 notice and the fact that it must be running on a very old DNN which itself is not secure.
- If your DNN is not accessible on the internet (pure intranet use) it is not affected
- If only trusted users can upload files (careful: every registered user can upload files) you are probably ok.
- As of May 2024 we have no reports of this issue being abused on Dnn, Oqtane or 2sxc
Stay Safe!
Love from Switzerland,
Daniel
PS: Don't panic 😉. This issue has never been abused as far as we know. But we take security really serious, which is why we're communicating this so strongly.