*** PLEASE READ CAREFULLY AND APPLY THE PATCH IMMEDIATELY ***
Telerik recently announced three security issues, CVE-2017-11317, CVE-2017-11357 and CVE-2014-2217, in the Telerik.Web.UI.dll assembly. The purpose of this blog is to provide a DNN-specific patch as well as additional details about the issue. The blog is written in FAQ format for ease of reading.
Where can I find more details about the three Telerik security issues?
1. CVE-2017-11317 (unrestricted file upload) https://www.cvedetails.com/cve/CVE-2017-11317/
http://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/unrestricted-file-upload
2. CVE-2017-11357 (insecure direct object reference) https://www.cvedetails.com/cve/CVE-2017-11357/
http://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/insecure-direct-object-reference
3. CVE-2014-2217 https://www.cvedetails.com/cve/CVE-2014-2217/
Do you have additional details about this issue?
We do not have any more details beyond what's publicly available in the above links.
How can we protect against this issue?
We are issuing a security hot fix to solve this. The hot fix is a simple DNN extension and can be installed like any other DNN extension. In addition, we recommend that you download the latest Security Analyzer. Here are the download links:
Any suggestions on installation instructions?
Yes. The patch is larger than 12 MB, and the installer in older versions of DNN may not allow you to upload files that large. You can either manually upload the extension to the Website\Install\Module folder and use the "Available Extensions" option under Host > Extensions to install it, or follow the instructions here to increase the upload size limit.
Additionally, you may run into an installation error about the Telerik.Web.UI.dll file being 'in use'. It's best to restart the application pool right before installation.
What if the installation fails?
Ideally you should retry. If it fails every time, unzip the installation package and copy the Telerik DLLs into the Bin folder of your site. The package contains a nested Resources.zip file holding the Telerik DLLs.
Should I backup my site first?
Absolutely. You should backup both the website folder as well as the SQL database first. Additionally, you may want to run this in a test environment first.
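The installation steps above (back up the site folder, stage the package in Install\Module to avoid the upload limit, recycle the application pool so the DLL is not 'in use', and fall back to a manual DLL copy if the installer keeps failing) as one PowerShell script. This is an added example written for this page, not code shipped with the hot fix or by DNN. The site path, the application pool name, the package location and the backup folder are assumptions to adjust for your server; the SQL database backup is done separately.

```powershell
# Added example (not part of the DNN hot fix). Run in an elevated PowerShell on the web server.
# Assumptions (adjust for your host):
#   $SitePath  - root folder of the DNN site          $AppPool - its IIS application pool
#   $Package   - downloaded hot fix package (.zip)    $BackupDir - where the file backup goes
# The nested Resources.zip inside the package holds the Telerik DLLs, as the FAQ describes.
Import-Module WebAdministration

$SitePath  = 'C:\inetpub\wwwroot\dnn'
$AppPool   = 'DNN-AppPool'
$Package   = 'C:\Temp\DNNSecurityHotFix.zip'
$BackupDir = 'C:\Backups'

function Backup-SiteFolder {
    # File-system backup of the whole site before Bin is touched (robocopy copes with large sites).
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $BackupDir "dnn-site-$stamp"
    robocopy $SitePath $dest /E /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    return $dest
}

function Copy-HotFixPackage {
    # Sidesteps the installer's upload size limit: drop the package into Install\Module,
    # then install it from Host > Extensions > Available Extensions.
    $target = Join-Path $SitePath 'Install\Module'
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    Copy-Item -LiteralPath $Package -Destination $target -Force
    # Recycle the pool right before installing so Telerik.Web.UI.dll is not 'in use'.
    Restart-WebAppPool -Name $AppPool
}

function Install-TelerikDllsManually {
    # Fallback when the extension installer fails repeatedly: unpack the package, then the
    # nested Resources.zip, and copy the Telerik DLLs straight into Bin while the pool is stopped.
    $work = Join-Path $env:TEMP ('dnnhotfix-' + [guid]::NewGuid())
    Expand-Archive -LiteralPath $Package -DestinationPath $work -Force
    $resources = Get-ChildItem -Path $work -Filter 'Resources.zip' -Recurse | Select-Object -First 1
    if (-not $resources) { throw "Resources.zip not found inside $Package" }
    $unpacked = Join-Path $work 'Resources'
    Expand-Archive -LiteralPath $resources.FullName -DestinationPath $unpacked -Force

    Stop-WebAppPool -Name $AppPool      # nothing may hold the DLL while it is overwritten
    Get-ChildItem -Path $unpacked -Filter 'Telerik.Web.UI*.dll' -Recurse |
        Copy-Item -Destination (Join-Path $SitePath 'bin') -Force
    Start-WebAppPool -Name $AppPool
    Remove-Item -LiteralPath $work -Recurse -Force
}

$backup = Backup-SiteFolder
Write-Host "Site folder backed up to $backup"
Copy-HotFixPackage
# If the Host > Extensions install still fails after retrying, run:  Install-TelerikDllsManually
```

The manual fallback only copies the Telerik DLLs, exactly as the FAQ describes; it does not reproduce whatever else the extension installer does, so prefer the installer route and keep the fallback for the case where it never succeeds.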
Do I need to add the patch (module) to a page after installation?
No. All you need to do is install. No more action is needed. You may want to verify that it's installed by looking at the Extensions area:
What exactly does the patch do?
It updates Telerik.Web.UI.dll and Telerik.Web.UI.Skins.dll in the site's Bin folder. It also copies DNNSecurityHotFix20171.dll into the Bin folder.
How can I be sure that patch is indeed installed?
Go into the Bin folder in Windows Explorer, right-click the Telerik.Web.UI.dll file, open Properties and verify the file size and version number:
.NET 4.0 and above: the file size should be 19,092,992 bytes and the version should be 2013.2.717.40
.NET 3.5: the file size should be 19,039,744 bytes and the version should be 2013.2.717.35
The image below is for .Net 4.0 and above version:
Is this security patch related to the one released in June 2017?
It's built on top of the June 2017 security hot fix.
I already have June 2017 security hot fix, do I need this one?
Yes. You should still apply this one. The June 2017 hot fix had version number 1.0.1; the new one is 1.2.0.
I did not apply June 2017 security fix, should I apply that first?
No. The new patch contains June 2017 security fixes as well.
I have already applied the latest security fixes from Telerik itself. Do I need to install this as well?
It's your choice. The DLLs shipped directly by Telerik do not contain the DNN-specific customizations included in DNN's version of those DLLs. As such, we do not support applying the DLLs directly from Telerik, and you may run into compatibility issues.
What version of the Telerik DLLs are you shipping? Are they older than the latest from Telerik?
At the time of writing, the latest version of Telerik's DLLs is 2017.2.711. DNN's version of those DLLs is 2013.2.717. As you can see, DNN's version is close to 4 years behind.
What's the long term vision of such DLLs in DNN?
We intend to completely remove the use of Telerik in future releases of DNN. If your modules depend on Telerik, you should plan on moving to different technologies.
What versions of DNN are affected by this vulnerability?
Per the Telerik documentation, the vulnerabilities exist in Telerik versions from 2011.1.315 to 2017.2.621. Our records indicate that we started using Telerik version 2011.1.519.35 in DNN 5.6.3. Since we do not know much about the vulnerabilities beyond that, we believe they affect DNN 5.6.3 and above.
I am not using Telerik at all, can I skip this fix?
Only a handful of newer versions of Evoq do not contain any Telerik, in which case you can skip this fix. However, it's best to check your Bin folder for the presence of the Telerik.Web.UI.dll file. If it's there, you should definitely apply this fix.
I use CK Editor, do I still need to apply this fix?
Yes. As long as you have Telerik.Web.UI.Dll in your Bin folder, you should apply this.
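A script that performs the two checks described above in one go: whether Telerik.Web.UI.dll is present in Bin at all (if not, the fix does not apply), and, if it is, whether its size and version match the patched DNN build quoted earlier in this FAQ, plus whether DNNSecurityHotFix20171.dll landed next to it. This is an added example written for this page, not the hot fix's or the Security Analyzer's own code; the site path is an assumption, and the expected sizes and versions are the ones stated in this FAQ.

```powershell
# Added example (not the hot fix's own code). $SitePath is an assumption; adjust it.
$SitePath = 'C:\inetpub\wwwroot\dnn'

# Expected size/version pairs for the DNN-customised 2013.2.717 build, as quoted in this FAQ.
$Expected = @(
    @{ Framework = '.NET 4.0 and above'; Version = '2013.2.717.40'; Length = 19092992 },
    @{ Framework = '.NET 3.5';           Version = '2013.2.717.35'; Length = 19039744 }
)

function Test-TelerikHotFix {
    param([string] $Bin = (Join-Path $SitePath 'bin'))

    $dll = Join-Path $Bin 'Telerik.Web.UI.dll'
    if (-not (Test-Path -LiteralPath $dll)) {
        # No Telerik in Bin: nothing to patch (the case of the newer Evoq versions above).
        return [pscustomobject]@{ Status = 'NotApplicable'
                                  Detail = 'No Telerik.Web.UI.dll in Bin; the fix is not needed.' }
    }

    $file    = Get-Item -LiteralPath $dll
    $version = $file.VersionInfo.FileVersion
    $match   = $Expected | Where-Object { $_.Version -eq $version -and $_.Length -eq $file.Length }
    $hotfix  = Test-Path -LiteralPath (Join-Path $Bin 'DNNSecurityHotFix20171.dll')

    if ($match -and $hotfix) {
        return [pscustomobject]@{ Status = 'Patched'
                                  Detail = "$($match.Framework) build $version, $($file.Length) bytes" }
    }
    if ($match) {
        # The Telerik DLL is right but the helper assembly the extension installs is absent,
        # which is what a manual DLL copy leaves behind.
        return [pscustomobject]@{ Status = 'Partial'
                                  Detail = "Telerik DLL matches ($version) but DNNSecurityHotFix20171.dll is absent." }
    }
    # Anything else is either an older DNN build of Telerik or a DLL taken directly from Telerik.
    return [pscustomobject]@{ Status = 'NotPatched'
                              Detail = "Found version $version, $($file.Length) bytes; expected 2013.2.717.40 or 2013.2.717.35." }
}

Test-TelerikHotFix | Format-List
```

Note that a DLL downloaded straight from Telerik (for example a 2017.x build) reports NotPatched here by design, matching the FAQ's position that the unmodified Telerik DLLs are not the supported fix for DNN.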
What versions of DNN are supported with this fix?
The .NET 4.0 version of the fix can be applied on DNN / Evoq versions 7.1.2 and above. You may install it on older versions of DNN / Evoq as well, but you may run into compatibility issues. We always recommend updating DNN to a newer version to remain protected from other known security issues. Please visit our Security Center to find out about other known version-specific vulnerabilities.
The .NET 3.5 version can be applied on versions before 7.0.0. However, you may have compatibility issues. It's best to upgrade DNN / Evoq to a newer version, at least 7.1.2 or above.
The June 2017 fix had some side effects; have they been fixed?
The June 2017 fix had a side effect: it restricted file uploads from RadEditor to a handful of extensions. Adding a new file extension often resulted in the error "Cannot deserialize dialog parameters. Please refresh the editor page".
Now you may upload other file extensions as well by going through the steps below. The example adds mp4 as a new extension in the system.
1. Include the new extension under Allowable File Extensions under Host > Host Settings > Other Settings (pre 9.0) or Persona Bar > Settings > Security > More > More Security Settings (9.0 or above)
2. Include the new extension under Document Manager Settings under Host > Html Editor Manager > DotNetNuke.RadEditorProvider > Everyone node (pre 9.0) or Persona Bar > Settings > Site Settings > Site Behavior > More > Html Editor Manager (9.0 or above)
3. Add an entry "Dnn.Telerik.Upload.AdditionalWhiteListExt" in web.config. More extensions can be added separated by commas, e.g. mp4,.mov
One needs to be careful with MIME settings when supplying arbitrary file extensions such as .xyz or .abc. You may still upload those, but you may not be able to download them via the browser. Known good file extensions should not have any problems downloading via the browser.
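Step 3 above as a script: it backs up web.config, then adds the Dnn.Telerik.Upload.AdditionalWhiteListExt entry or merges new extensions into an existing one, and refuses to allow-list server-side executable extensions as an extra guard. This is an added example written for this page, not DNN's own code. It assumes the entry is an `<add key="..." value="..."/>` under `<configuration><appSettings>` and that extensions are stored comma-separated without a leading dot; the web.config path and the blocked-extension list are assumptions as well. Steps 1 and 2 (the DNN and RadEditor allow lists) are done in the UI and are not covered here.

```powershell
# Added example (not DNN's own code). Assumptions: the key lives under <configuration><appSettings>
# as <add key="Dnn.Telerik.Upload.AdditionalWhiteListExt" value="mp4,mov"/>, extensions carry no
# leading dot, web.config has no default XML namespace, and $WebConfig points at your site.
$WebConfig = 'C:\inetpub\wwwroot\dnn\web.config'
$Key       = 'Dnn.Telerik.Upload.AdditionalWhiteListExt'

function Add-TelerikUploadExtension {
    param(
        [Parameter(Mandatory)] [string[]] $Extension,
        [string] $Path = $WebConfig
    )
    # Extra guard (assumption, not from the hot fix): never widen the upload allow list to
    # anything the web server would execute or that alters its configuration.
    $blocked = 'aspx', 'asp', 'ashx', 'asmx', 'asax', 'config', 'cshtml', 'vbhtml', 'php', 'exe', 'dll'
    $wanted  = @($Extension | ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } | Where-Object { $_ })
    $bad     = @($wanted | Where-Object { $blocked -contains $_ })
    if ($bad.Count -gt 0) { throw "Refusing to allow-list executable extension(s): $($bad -join ', ')" }

    # Keep a timestamped copy; IIS restarts the application when web.config changes.
    Copy-Item -LiteralPath $Path -Destination "$Path.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's existing layout on save
    $xml.Load($Path)

    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) {
        $appSettings = $xml.DocumentElement.AppendChild($xml.CreateElement('appSettings'))
    }

    $node = $appSettings.SelectSingleNode("add[@key='$Key']")
    $existing = @()
    if ($node) {
        # Merge with what is already allow-listed instead of clobbering it.
        $existing = @($node.GetAttribute('value').Split(',') |
                      ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } | Where-Object { $_ })
    } else {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $Key)
        $appSettings.AppendChild($node) | Out-Null
    }

    $merged = @(@($existing) + @($wanted) | Select-Object -Unique)
    $node.SetAttribute('value', ($merged -join ','))
    $xml.Save($Path)
    return $merged
}

# The FAQ's example: allow mp4 (and mov) uploads through RadEditor. Prints the resulting list.
Add-TelerikUploadExtension -Extension 'mp4', '.mov'
```

Run it once per change after steps 1 and 2; a second run with the same extensions is a no-op apart from the backup copy. As the FAQ notes, an extension IIS has no MIME mapping for will upload but not download, so for unusual extensions check the IIS MIME types as well.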
Can someone upload a malicious file, e.g. .aspx or .asp using this setting?
No.
Are you releasing anything else as part of fix?
Yes, we made one minor change in the Security Analyzer so that it properly warns you whether or not you have the right version of the Telerik DLL applied. It has a few more updates as well. You should download the latest version (8.1.3 as of this writing) of the Security Analyzer.
The Security Analyzer within Persona Bar still shows that Telerik is not patched. Is that expected?
Starting with DNN 9.0, we have also been shipping a security analyzer as part of the Persona Bar itself. This is different from the standalone Security Analyzer mentioned above. The security analyzer within the Persona Bar will continue to indicate that you are not patched; this will be resolved in the next release of DNN / Evoq. Here is what you will still see in the Persona Bar:
What should I see in the standalone Security Analyzer?
Hopefully, if everything is done right, you should see the following screen with the message: "Telerik Component already patched."
Is it possible that my site has already been compromised?
We recommend running the above Security Analyzer to check if your site has been compromised. Evoq customers may contact customer support for more details.