
Securing Telerik Component due to security vulnerabilities

Overview

The Telerik Component present in older versions of DNN has a series of known vulnerabilities. Some of these were covered by a 2017 security update blog article by DNNCorp, and others have been uncovered since.

The original patch covered CVE-2017-11317, CVE-2017-11357, CVE-2014-2217, and CVE-2017-9248. These can be fixed using the patch in our blog post and will be the focus of this article.

Other known Telerik vulnerabilities (such as CVE-2019-18935) may require patching Evoq to a newer version. There may also be an official fix from Telerik. The DNN Security Center is your primary reference for DNN Evoq security vulnerabilities and how to fix them.

This article will cover applying the security fixes in the blog post, but be sure to check the DNN Security Center to see what other fixes may be needed.

 

Prerequisites

 

Solution

NOTE: Evoq moved away from Telerik in version 9.1, and Telerik is no longer supported there. You should be transitioning off Telerik in this version.

Information on the Telerik security patches that do not require a DNN upgrade is located in this security blog post. You can download the patches directly from the attachments listed at the end of this article.

Please use the instructions in Installing an Extension to apply the downloaded hotfix.

The .Net 4.0 version of the fix can be applied to DNN / Evoq versions 7.1.2 and above. You may install it on older versions of DNN / Evoq as well, but you may run into compatibility issues. We always recommend updating DNN to a newer version to remain protected from other known security issues. Please visit our Security Center for other known version-specific vulnerabilities.

The .Net 3.5 version can be applied to versions before 7.0.0. However, you may have compatibility issues. It's best to upgrade DNN / Evoq to a newer version, at least 7.1.2.

To fix this issue permanently, upgrade to DNN Platform 9.1.1, Evoq 9.1.1, or the latest version of the product.

 

If you would like to continue using Telerik modules past DNN 9.2, you must follow the steps below:

  1. Download the attached DotNetNuke.Web.Deprecated.dll file. 
  2. Copy the file into the <WebsiteRootDirectory>/bin directory of your server.
  3. Validate that Telerik is running by checking the dependent modules and extensions. If the file was applied successfully, they should all work as intended.

If you do not wish to use the Telerik modules past DNN 9.2, follow these steps instead:

Note: If any modules or components depend on the Telerik components, that functionality will break, potentially breaking the whole site. Remove those modules and functionality before removing the .dll files.

  1. Create a backup of the web.config file.
  2. Remove the references to the Telerik .dll files within web.config in order to avoid assembly-binding errors.
  3. To find the references, search for "telerik" in the file, then remove any assembly bindings and <key, value> pairs that reference it.
  4. If the site or any functionality breaks, then there are extensions that depend on the Telerik components. In this case, restore the .dll and web.config backups.
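The following PowerShell script is an added example, not part of this article or of DNN, that carries out steps 1 to 3 above: it reports every Telerik appSettings entry and assembly binding in web.config (and any Telerik assemblies still in /bin) as a dry run, and only backs up and edits the file when run with -Apply. The site root default and the -Apply switch name are assumptions.

```powershell
# Added example (not from the DNN article): report, and optionally remove, the
# Telerik references in a DNN web.config. Without -Apply nothing is changed.
# The $SiteRoot default and the -Apply switch are assumptions for illustration.
param(
    [string]$SiteRoot = "C:\inetpub\wwwroot\dnn",
    [switch]$Apply
)

$webConfig = Join-Path $SiteRoot 'web.config'
[xml]$xml = Get-Content -Path $webConfig -Raw

# <appSettings><add key=... value=...> pairs that mention Telerik (-match is case-insensitive).
$appSettings = @($xml.configuration.appSettings.add |
    Where-Object { $_.key -match 'telerik' -or $_.value -match 'telerik' })

# <dependentAssembly> binding redirects for Telerik assemblies. The assemblyBinding
# element lives in the asm.v1 namespace, so the XPath query needs a namespace manager.
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('asm', 'urn:schemas-microsoft-com:asm.v1')
$xpath = '//asm:dependentAssembly[asm:assemblyIdentity[starts-with(@name, "Telerik")]]'
$bindings = @($xml.SelectNodes($xpath, $ns))

Write-Host ("web.config: {0} appSettings entries and {1} binding redirects reference Telerik" -f $appSettings.Count, $bindings.Count)
$appSettings | ForEach-Object { Write-Host ("  key:     {0}" -f $_.key) }
$bindings    | ForEach-Object { Write-Host ("  binding: {0}" -f $_.assemblyIdentity.name) }

# Telerik assemblies still present in /bin (the note above covers removing the .dll files).
Get-ChildItem -Path (Join-Path $SiteRoot 'bin') -Filter 'Telerik*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host ("  bin:     {0}" -f $_.Name) }

if (-not $Apply) {
    Write-Host 'Dry run only. Re-run with -Apply to back up web.config and remove the entries.'
    return
}

# Step 1: back up web.config before touching it. Steps 2-3: remove the entries and save.
$backup = '{0}.{1}.bak' -f $webConfig, (Get-Date -Format 'yyyyMMddHHmmss')
Copy-Item -Path $webConfig -Destination $backup
foreach ($node in ($appSettings + $bindings)) { [void]$node.ParentNode.RemoveChild($node) }
$xml.Save($webConfig)
Write-Host "Backup saved to $backup; web.config updated. Re-test the site (step 4)."
```

Run it once without -Apply and review the list before changing anything; if the site breaks after -Apply, step 4 still applies: restore the .bak copy it wrote.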

Some of the known components that were dependent on the Telerik components are:

  1. DNN Announcements
  2. RadEditor Provider in HTML Editor
  3. Events and FAQ modules
  4. Banners module

Attachments

  1. DotNetNuke.Web.Deprecated.dll (84 KB)
  2. Dnn_SecurityHotFix20171_NET35_01.02.00_Install.zip (14016 KB)
  3. Dnn_SecurityHotFix20171_NET40_01.02.00_Install.zip (13035 KB)
Author: Priyanka Bhotika