Hi, we have recently upgraded a site to 126.96.36.199 in an effort to close a potential security issue we were made aware of from our security company, however in a scan of our site yesterday, they're suggesting the issue still exists.
Can someone please confirm if we need to do anything about the following. Please note, this site is an upgrade from 8.0.0 or earlier, however I've checked the telerik versions in use and they're the same as sites running clean installs of DNN 9.1+ from what I can see:
The security report noted:
4.1. Telerik UI Component Cryptographic Security Bypass
The vulnerability scanning detected the existence of a Telerik UI Component, that may be vulnerable to a security issue that can be exploited to the disclosure of server encryption keys.
Telerik.Web.UI.dll in fails to properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
Knowledge of these keys in web applications using Telerik UI for ASP.NET AJAX components can lead to:
▪ cross-site-scripting (XSS) attacks
▪ leaking of MachineKey
▪ compromise of the ASP.NET ViewState
▪ arbitrary file uploads/downloads
The component was detected via the following URL, however the web.config server configuration file should be reviewed to identify all locations of the Telerik controls.
It may be possible for a remote unauthenticated attacker to exploit a weakness in this component which will disclose encryption secrets. With knowledge of these secrets it is then possible to generated further valid requests which can be used to execute other attacks including the possibility of arbitrary uploading and downloading of files.
To address this issue, Insomnia Security recommends the following:
▪ Ensure the appropriate patch update from Telerik has been applied.
As this issue was detected remotely, it is possible that this issue has already been patched. Insomnia Security should be notified of the status of this issue for clarification in future reports.
Note: am I reading this wrong, and the issue lies with the old Radeditor, which should no longer be in use, vs the telerik dll's in the bin folder?
Any help is appreciated.