The information on the latest update

Update - March 2020

This Security Bulletin includes an update regarding a previously disclosed Critical vulnerability (SC2019-002-312864) in Sitecore software, for which a fix was made available in March 2019. This vulnerability could allow an unauthenticated threat actor to inject malicious commands and code, thus compromising the security controls.

Recently, Sitecore has become aware of active exploitation of this Critical vulnerability. 

Sitecore strongly recommends that customers maintain their Sitecore environments on security-supported versions and apply fixes to Critical vulnerabilities without delay.

Sitecore therefore strongly advises that all customers on Sitecore versions 8.2 and below apply the Solution, detailed below, immediately. In the event that customers are unable to apply the Solution immediately, Sitecore suggests that customers immediately apply the Alternative Workaround in the interim and identify a way to apply the Solution as a priority.

Description

This article reports a Critical vulnerability (SC2019-002-312864) in Sitecore software, for which there is a fix available.

Critical vulnerability SC2019-002-312864 allows an unauthenticated threat actor to inject malicious commands and code, thus compromising the security controls.

We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the fix to all Sitecore systems. We also recommend that customers maintain their environments on security-supported versions and apply all available security fixes without delay.

If you would like to receive notifications about new Security Bulletins on the Sitecore Knowledge Base, subscribe to security updates: KB1000489.

Severity Definitions

To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues: KB0608800

Versions

Versions affected

Vulnerability SC2019-002-312864 affects:

• Sitecore CMS 6.6.3 - Sitecore XP 8.2.7.

Vulnerability is applicable to all Sitecore instances running affected versions.

This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, publishing, etc.).

A hotfix is available for all supported Sitecore CMS/XP versions.

Versions not affected

• Sitecore XP versions 9.0.0 and later are not affected by this vulnerability.
• Sitecore xDB Cloud environments are not affected.

Solution

Hotfix installation

Apply the hotfix corresponding to your product version:

• Sitecore CMS 7.0: SC Hotfix 313001-1 AntiCsrf 1.0.0
  
• Sitecore CMS 7.1: SC Hotfix 313001-1 AntiCsrf 1.0.0
  
• Sitecore CMS 7.2: SC Hotfix 313001-1 Security.AntiCsrf 1.0.0
  
• Sitecore XP 7.5: SC Hotfix 313001-1 Security.AntiCsrf 1.0.0
  
• Sitecore XP 8.0: SC Hotfix 313001-1 Security.AntiCsrf 1.0.0
  
• Sitecore XP 8.1: SC Hotfix 313001-1 Security.AntiCsrf 1.0.0
  
• Sitecore XP 8.2: SC Hotfix 313001-1 Security.AntiCsrf 1.1.1
  

See the readme.txt file inside the archive for installation instructions.

Validation

To verify that the fix has been applied successfully, check the SHA256 hash of the "Sitecore.Security.AntiCsrf.dll" file in the \bin folder of your website. The hash should be the same as indicated below.

• Sitecore CMS 7.0: C024CA0081AD7D8422C0853CBC317931A3AFB36829A6301008328881EA353EFB
• Sitecore CMS 7.1: 2437673B92DCC039E32A991D20EAE26D92CFDF5F2E1D210210B2276A650C6448
• Sitecore CMS 7.2: 2632F8FDB050AA1C4990B0761EA7140EFD113BB4918BD0DFC1E4DEE4211BB23F
• Sitecore XP 7.5: 95AE0E6F2B0D30E01EFD74F079E44065BB0FFDD3A2BBE1321A7BCAB19709FA47
• Sitecore XP 8.0: A11400B37457248BC627D21B41E4A6580729B399A04ABFF4AC40E2352C0C4F24
• Sitecore XP 8.1: D39876450014147C4A2473926E02E71012E5F9891BBB5E3A725F1FD4811B71BA
• Sitecore XP 8.2: 15CD38FC41A3EE674B1B51EF21A09BABA1DA960C73E87A19EE1BC63128A6D533

The SHA256 hash of the assembly can be generated using Windows PowerShell command Get-FileHash:

Get-FileHash "{path to the \bin folder}\Sitecore.Security.AntiCsrf.dll" -Algorithm SHA256 | Format-List

Alternative Workaround

If a full solution cannot be applied right away, the following temporary workaround can be used on all affected Sitecore instances to secure them from the vulnerability.

To temporarily address the vulnerability, deny access to the \Website\sitecore\shell folder on all Sitecore instances in all your Sitecore environments.

1. Go to your Sitecore web application in the Internet Information Services (IIS) Manager application.
2. Select \sitecore\shell folder.
3. Click the .NET Authorization Rules:
   
   
4. Click Add Deny Rule… in the Actions panel:
   
5. Select All users and OK:
   

Note: Upon implementing this workaround, content editing functionality will not be available in your Sitecore environments.

If content editing functionality cannot be temporarily disabled, as an alternative, it is possible to configure IP-based security restrictions for \Website\sitecore\shell folder to block all access for external users and only allow access from trusted IP addresses that malicious actor is not able to use. For instructions on how to configure IP-based security restrictions, see http://www.iis.net/ConfigReference/system.webServer/security/ipSecurity.

History of updates

• 01-Mar-2019: Article published.
• 30-Mar-2020: New section "Update - March 2020" added.
• 06-May-2020: Hotfix validation instructions have been updated to list SHA256 has codes for Sitecore.Security.AntiCsrf.dll file. The hotfix package remains the same and your installation remains secure in case the hotfix has already been applied.
• 01-Jul-2021: changed a broken link in "Security Bulletins RSS Feed" to KB1000489, made minor changes in styling.