Asp.Net Vulnerability - Security Patch
A vulnerability in Microsoft ASP.Net framework is a immediate security concern for Secret Server customers. The vulnerability allows hackers to access the file system as well as potentially retrieve encrypted ViewState data.
For more details on this vulnerability see the following Microsoft Security Advisory: http://www.microsoft.com/technet/security/advisory/2416728.mspx
Secret Server Security Patch - Work Around
The workaround until the vulnerability is patched by Microsoft is to redirect all exceptions to a consistent error page preventing the potential security breach. The Secret Server patch will update the web.config for these settings and add a new CustomError page that details why the exceptions cannot be shown to the user. We recommend applying the patch immediately to limit exposure to potential security threats.
Update 4:55 PM - 7.1.000001 is now available. This upgrade contains the changes needed to fix the ASP.NET vulnerability. We recommend upgrading immediately. If you do not have support, or do not want to upgrade, you may follow the steps below.
Patch: SecretServerAspNetPatch.zip (Updated 2:20 PM)
Applying the Patch
- Extract the contents of the SecretServerAspNetPatch.zip.
- Backup the current web.config file under your application folder
- Copy and override the web.config file from the extracted SecretServerAspNetPatch.zip folder
- Copy the CustomError.aspx page into the application folder (same folder that the web.config is in)
- Copy and override the /webservice/web.config and the /winauthwebservices/web.config files from the extracted SecretServerAspNetPatch.zip folder
- Test your Secret Server instance is working
- including login
- copy to clipboard on the SecretView page
- RDP Launcher
- See below for testing the vulnerability is patched
Ensuring the Vulnerability is No Longer Present
- Navigate to your Secret Server application
- Log in and get to the Home screen
- Replace Home.aspx in the URL with DoesNotExist.aspx
- You should see a generic error page that does not contain the specific error message of 404
- Verify that the System Log contains an entry detailing the Exception.
Please contact support for questions and help in applying the patch.