Recently, a series of security vulnerabilities were reported that affect Carousel 7: CVE-2018-14573, CVE-2018-18929, CVE-2018-18930, and CVE-2018-18931.
In this article, we will review what customers can do to immediately mitigate these vulnerabilities on their servers, and announce a schedule for patch releases that implement these mitigations. This solution will disable a common workflow of uploading bulletin content directly. A suggested workaround, until the patches are released, is to upload the content as media and use that media in a template content block.
Affected Versions
- Carousel 7.0.0 - 7.0.10
- Carousel 7.1.0 - 7.1.1
- Carousel 7.2.0 - 7.2.2
- Carousel 7.3.0 - 7.3.6
- Carousel 7.4.0 - 7.4.3
Impact
Customers running the affected Carousel versions above are impacted if they have not changed the initial admin account password.
In this case, it is possible for an unauthorized user to log in using these credentials and upload a specially crafted bulletin package that can run arbitrary commands on the Carousel server.
Mitigation Steps
If you are running an affected version of Carousel, these steps must be performed on your Carousel server immediately.
- Carousel ships with an initial admin user account and password. If you have never changed that user account's password, do so immediately. This will reduce the chance that outside malicious actors can upload a malformed bulletin package to your server.
- Temporarily disable the ability for users to upload bulletins by removing the “Create - Uploaded Bulletin” and “Create - Interactive Bulletins” access rights from all roles listed in FrontDoor. This will prevent anyone from uploading malicious files to your server.
  - Log in as a user with an administrator role.
  - Click on the Gear icon next to your user name on the top right of the screen and select "FrontDoor".
  - Edit the Carousel Roles under User Management.
  - Edit each role in the list, and remove the rights to “Create - Uploaded Bulletin” and “Create - Interactive Bulletins”.
  - After a patch release has been installed (see below for schedule), these rights can be added back to the needed roles.
This next step is optional, but recommended if you have access to modify configuration files on your server and are comfortable doing so.
- Edit the web.config file in your TRMS/Web/Carousel directory and add the following block of markup just inside of the <system.webServer> XML block.

```xml
<handlers>
  <clear />
  <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
</handlers>
```
After adding the code above, the contents of the file should look similar to the screenshot below:
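As an added example (not part of the TRMS advisory or of Carousel's own tooling), the following PowerShell script applies the same web.config change from an administrative shell instead of a text editor: it backs up the file, checks whether a static-file-only handlers block is already present, and otherwise inserts the block from the step above as the first child of <system.webServer>. The path C:\TRMS\Web\Carousel\web.config is an assumption about where Carousel is installed; pass your own with -WebConfigPath. The function names are this example's own.

```powershell
# Added example, not TRMS tooling: apply the advisory's <handlers> block to
# Carousel's web.config, with a backup and a check so it is not applied twice.
param(
    # Assumed install location; adjust to your server.
    [string]$WebConfigPath = 'C:\TRMS\Web\Carousel\web.config'
)

function Test-StaticOnlyHandlers {
    # True when <system.webServer> already has a <handlers> element that starts
    # with <clear /> and registers only the StaticFile handler.
    param([xml]$Config)
    $handlers = $Config.SelectSingleNode('/configuration/system.webServer/handlers')
    if (-not $handlers) { return $false }
    $first = $handlers.FirstChild
    $adds  = @($handlers.SelectNodes('add'))
    return ($first -and $first.LocalName -eq 'clear' -and
            $adds.Count -eq 1 -and $adds[0].GetAttribute('name') -eq 'StaticFile')
}

function Add-StaticOnlyHandlers {
    # Inserts the advisory's block as the first child of <system.webServer>.
    param([xml]$Config)
    $webServer = $Config.SelectSingleNode('/configuration/system.webServer')
    if (-not $webServer) { throw "<system.webServer> element not found in web.config" }
    if ($webServer.SelectSingleNode('handlers')) {
        throw "A <handlers> element already exists; merge the advisory block by hand"
    }
    $handlers = $Config.CreateElement('handlers')
    [void]$handlers.AppendChild($Config.CreateElement('clear'))
    $add = $Config.CreateElement('add')
    $add.SetAttribute('name', 'StaticFile')
    $add.SetAttribute('path', '*')
    $add.SetAttribute('verb', '*')
    $add.SetAttribute('modules', 'StaticFileModule,DefaultDocumentModule,DirectoryListingModule')
    $add.SetAttribute('resourceType', 'Either')
    $add.SetAttribute('requireAccess', 'Read')
    [void]$handlers.AppendChild($add)
    [void]$webServer.PrependChild($handlers)
}

[xml]$config = Get-Content -Path $WebConfigPath -Raw

if (Test-StaticOnlyHandlers -Config $config) {
    Write-Output "$WebConfigPath already restricts handlers to StaticFile; nothing to do."
    return
}

# Keep a timestamped copy so the change can be reverted after patching.
$backup = "$WebConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $WebConfigPath -Destination $backup

Add-StaticOnlyHandlers -Config $config
$config.Save($WebConfigPath)
Write-Output "Updated $WebConfigPath (backup saved to $backup)"
```

Run it from an elevated PowerShell session on the Carousel server; IIS picks up web.config changes without a restart. Because the block starts with <clear />, IIS serves everything under that directory as static content rather than handing it to other handlers, which is the point of the mitigation, so confirm the Carousel site still behaves as expected afterwards and keep the backup until the patched release from the schedule below is installed.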
Patch Schedule
The following versions of Carousel contain resolutions to the CVEs listed above.
- Carousel 7.0.11
- Carousel 7.1.2
- Carousel 7.2.3
- Carousel 7.3.7
- Carousel 7.4.4
These releases will be available to all users by Feb 8th. This post will be updated when releases are available.