This is a migrated thread and some comments may be shown as answers.

Cryptographic Vulnerability

40 Answers 675 Views
General Discussions
Brian Chavez
Brian Chavez asked on 29 Jun 2017, 05:31 PM

Hello,

Is Telerik.Web.UI, v2011.1.519.40 affected by this vulnerability?

http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness?utm_medium=email#partial-patches


Thanks

40 Answers, 1 is accepted

0
Marin Bratanov
Telerik team
answered on 29 Jun 2017, 05:53 PM

Hi Brian,

Yes, it is. A patch is not available for it due to technical feasibility.

I advise that you upgrade to R2 2017 SP1 if possible. If not, upgrading to Q1 2013 is the next best option. If this is not feasible for you, you can choose the nearest version - Q2 2011 or Q1 2011 SP1.

Regards,

Marin Bratanov
Progress Telerik
Try our brand new, jQuery-free Angular 2 components built from ground-up which deliver the business app essential building blocks - a grid component, data visualization (charts) and form elements.
0
Brian Dumez
answered on 29 Jun 2017, 06:56 PM

Hello,

Can you help me find the patch for Telerik.Web.UI.dll 2011.1.315.35?

Thanks,

Brian

0
Brian Norris
answered on 29 Jun 2017, 07:02 PM
Yes, please! We're supposed to download patches for various versions. But those patches are nowhere to be found. Searching in the Downloads of my account produces nothing. Help, please!!!
0
Brian Chavez
answered on 29 Jun 2017, 07:04 PM

Thanks, Marin.

Upgraded to 2011.3.1115.40 with Security Patch applied.

BTW, IMHO, I think the wording "technical feasibility" is very vague the way it is being used.

You should instead have on the vulnerability page:

Affected Versions (complete list):

X

Y

Z


Vulnerability can be removed by applying a security patch .zip on top of the following versions:

A

B

C

0
Bruce
answered on 29 Jun 2017, 11:40 PM

Hi.

I cannot find the patch for Telerik.Web.UI.dll (2013.3.1114.40) that we are currently using.

How do we find it?

thanks,

Bruce

0
Bruce
answered on 30 Jun 2017, 12:08 AM

Found it:

https://www.telerik.com/account/product-download?product=RCAJAX

On this page, there is a dropdown with all the patches available listed.

0
Rumen
Telerik team
answered on 30 Jun 2017, 06:23 AM
Hi,

Yes, the patches are available at https://www.telerik.com/account/product-download?product=RCAJAX.

For your convenience I have included a screenshot of the AJAX downloads section and where to look for the dropdown with the versions and the patch location: https://www.screencast.com/t/IRNFxooBp.



Best regards,
Rumen
Progress Telerik
0
Antony
answered on 30 Jun 2017, 06:26 AM
Hi Telerik team,
Is the cryptographic vulnerability only applicable if we are using the “Telerik.Web.UI.DialogHandler” control in our application?
Thanks.
0
Mark
answered on 30 Jun 2017, 07:48 AM

Hi,


We are using DialogHandler.axd, not .aspx, for RadEditor. Does the vulnerability also exist in .axd or only in .aspx?


Thank you

Mark

0
Kate
answered on 30 Jun 2017, 08:56 AM
I'm not seeing any patches on https://www.telerik.com/account/product-download?product=RCAJAX. Why is that?
0
Ryan
answered on 30 Jun 2017, 11:04 AM

One of our legacy applications uses Telerik.Web.UI version 2013.3.1114.45. I've located the security patch download for Version 2013.3.1114, however there is nothing contained in the Bin45 folder which is the version we require. The Bin35 and Bin40 folders both contain patched .dll files. Is the empty Bin45 folder an oversight or deliberate? Will this version be patched?


Many thanks

0
Rumen
Telerik team
answered on 30 Jun 2017, 11:59 AM
Hello,

Yes, if you are not using the latest version or one of the provided security patches, your app will be vulnerable if the Telerik.Web.UI.DialogHandler is registered in the web.config file of your app.

Regards,
Rumen
Progress Telerik
0
Rumen
Telerik team
answered on 30 Jun 2017, 12:06 PM
Hello,

The patch for version 2013.3.1114.45 will be provided ASAP in the client accounts.

You can also open a support ticket and we will provide it shortly.

Best regards,
Rumen
Progress Telerik
0
Tim
answered on 03 Jul 2017, 02:17 PM

Our production version of Telerik.Web.UI.dll is 2011.2.915.40. We are not on active maintenance, but we do have existing licensing for the 2016 version.

The notice indicates that the vulnerability is in the ASP.NET AJAX package, but we use the ASP.NET MVC package. Both packages contain the Telerik.Web.UI.dll library. Should we still upgrade/patch?

Thanks.

0
Marin Bratanov
Telerik team
answered on 03 Jul 2017, 02:38 PM

Hi Tim,

The UI for ASP.NET MVC suite does not contain or use Telerik.Web.UI.dll. In fact, the UI for ASP.NET AJAX controls are not supported in an MVC environment and, generally, both should not mix.

Nevertheless, if your application uses Telerik.Web.UI, you should apply the patch by following the KB: https://admin.telerik.com/www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness.

Regards,

Marin Bratanov
Progress Telerik
0
Ole Oscar
answered on 04 Jul 2017, 08:02 AM

Hi,

At the moment we don't have any Telerik.Web.UI.DialogParametersEncryptionKey and MachineKey entries in the web.config.

Can you point me in the right direction about MachineKey, and will it affect other applications/functionalities? We have been using cryptography in the solution for other parts.

Rgds

Ole Oscar Johnsen


0
Marin Bratanov
Telerik team
answered on 04 Jul 2017, 09:18 AM

Hello Ole Oscar,

After applying the patch, you should set the three Telerik-specific keys (see here) and change the Machine Key.

Generally, changing the machine key has the same effect as changing anything in the web.config - it recycles the application pool and thus invalidates old sessions, webresource URLs and other generated URLs.

If you had not had it before, chances are that IIS was generating a new one for you on every application pool recycle. Of course, this depends on the overall system setup.

Regards,

Marin Bratanov
Progress Telerik
0
Ole Oscar
answered on 04 Jul 2017, 09:25 AM

You are indicating that I need three keys. Is it

<add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" />
<add key="Telerik.Upload.ConfigurationHashKey" />
<add key="Telerik.Web.UI.DialogParametersEncryptionKey" />

0
Marin Bratanov
Telerik team
answered on 04 Jul 2017, 02:11 PM
Yes
0
miksh
answered on 05 Jul 2017, 03:52 PM

Hi Marin,

What is the reason to change the machine key? Just to avoid the case where the server has been compromised?

0
Marin Bratanov
Telerik team
answered on 06 Jul 2017, 06:59 AM

Yes, changing the machine key is just a precaution.

--Marin

0
RT
answered on 10 Jul 2017, 04:07 PM

Hi Marin,

We have a legacy application that is using version: 2009.3.1208.35 Telerik.Web.UI

Is the vulnerability present in this version?

Thanks,

Rick

0
Rumen
Telerik team
answered on 10 Jul 2017, 04:38 PM

Hi Rick,

I can confirm that version 2009.3.1208.35 uses Telerik.Web.UI.DialogHandler for the RadEditor File Browser dialogs. You need to either prevent access to the Telerik Dialog Handler, or upgrade to one of the patched versions or to the latest one.

Best regards,
Rumen
Progress Telerik
0
martin
answered on 16 Aug 2017, 10:34 AM

Hello,

We have both a V6 and a V3.7 site, both running on same server.

We have found and applied the appropriate patch for V6 and assume all is well.

We are struggling to get the V3.7 site sorted. We have (as far as we're aware) amended the web config to remove the Dialog Handler elements, but the test URL still seems to come back error-free (which it shouldn't)

Any help gratefully received.

m.

0
Marin Bratanov
Telerik team
answered on 16 Aug 2017, 11:22 AM

Hello Martin,

You need to prevent access to the handler for such old versions: http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness#prevent-access.

If the handler is still available, the most likely reason would be nested web.config files where one of them still has the handlers defined.

I've just added a sample redirect rule that you can also use as base for changing the page requested to a custom page instead of the dialog handler in case you cannot find where the handler is declared. Note that you should ensure the rule you use fits your application logic and does not break something else before going live.

Regards,

Marin Bratanov
Progress Telerik
0
martin
answered on 17 Aug 2017, 10:36 AM

Hi,

Thanks for the reply. The "kb" link is exactly where I've been looking since this issue first came to rise. Because Sitefinity (from a code POV) is still somewhat alien to me, I have zero idea of nested web.config files. If I look at a local copy of the site's files & folders (that I downloaded as a backup/archive), I can see various config files:

"web.config(pre3.7)", "web.config.orig", "web.config", "Extensionweb.config" and "before doc extensionCopy of web.config"

I assume that the first two are defunct backups, prior to changes being made, as would be the last one. I'm struggling to remember what "doc extension" would be, but it was from 8 years ago... I'm thinking something for handling documents.

Anyway, I am assuming that both "web.config" and "Extensionweb.config" are "live" and I have edited both as per the instructions in the KB document.

You say "I've just added a sample redirect rule that you can also use as base for changing the page requested to a custom page instead..." Where have you added this?

Regards,

m.

0
Marin Bratanov
Telerik team
answered on 17 Aug 2017, 10:41 AM

Hello Martin,

I added the example in the KB: http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness#prevent-access. I am pasting it here for your convenience as well:

<rewrite>
    <rules>
        <rule name="DisableDialogHandler" enabled="true" stopProcessing="true">
            <match url="^Telerik.Web.UI.DialogHandler.*?$" />
            <action type="Redirect" url="not-allowed.aspx" redirectType="Permanent" />
        </rule>
    </rules>
</rewrite>


Regards,

Marin Bratanov
Progress Telerik
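As an added example (not Telerik's or the KB's code), the following Python audits web.config files for the two things this thread turns on: whether Telerik.Web.UI.DialogHandler is still registered in any config, including the nested ones Marin mentions, and whether the three Telerik keys and an explicit machineKey are set. It assumes the standard web.config section layout (system.web/httpHandlers, system.webServer/handlers, appSettings, system.web/machineKey); the two sample configs are constructed.

```python
import os
import xml.etree.ElementTree as ET

# Added example, not Telerik's code; assumes the standard web.config layout.
DIALOG_HANDLER = "Telerik.Web.UI.DialogHandler"
REQUIRED_KEYS = (  # the three app settings named in the thread
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)
HANDLER_SECTIONS = ("system.web/httpHandlers", "system.webServer/handlers")


def audit_config(xml_text):
    """Audit one web.config: where the DialogHandler is registered, which of
    the three keys are missing or empty, and whether machineKey is explicit."""
    root = ET.fromstring(xml_text)
    registered_in = []
    for section in HANDLER_SECTIONS:
        for add in root.iterfind(f"./{section}/add"):
            if DIALOG_HANDLER in add.get("type", "") + add.get("path", ""):
                registered_in.append(section)
    # An empty value is as bad as a missing key, so require a non-empty value.
    present = {a.get("key") for a in root.iterfind("./appSettings/add")
               if a.get("value")}
    return {
        "handler_registered_in": registered_in,
        "missing_keys": [k for k in REQUIRED_KEYS if k not in present],
        "explicit_machine_key": root.find("./system.web/machineKey") is not None,
    }


def audit_tree(site_root):
    """Audit every web.config under site_root, nested ones included: a handler
    removed from the root config may still be registered in a child folder."""
    findings = {}
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            if name.lower() == "web.config":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    findings[path] = audit_config(fh.read())
    return findings


# Constructed sample configs (not from any real site).
ROOT_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="PLACEHOLDER-KEY-1" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="PLACEHOLDER-KEY-2" />
    <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="" />
  </appSettings>
  <system.web><httpHandlers /></system.web>
  <system.webServer><handlers /></system.webServer>
</configuration>"""

NESTED_CONFIG = """<configuration>
  <system.webServer>
    <handlers>
      <add name="Telerik_Web_UI_DialogHandler_aspx" verb="*"
           path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" />
    </handlers>
  </system.webServer>
</configuration>"""
```

Run `audit_tree` against the site folder rather than a single file: the root config above passes the handler check, while the nested one still exposes the handler and defines none of the keys.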
0
martin
answered on 18 Aug 2017, 03:48 PM

Hi,

Thanks for the further reply. I now see what you mean about where you placed it.

I have tried what you suggested (assuming I've done it right) and still no joy. It's starting to get silly.

Step one: Locally, inside the "web.config" file I added an exact duplicate of your example code inside the "handlers" of "system.webServer". I then uploaded this to the "live" server, replacing the previous "web.config" file. In case I needed to restart the Sitefinity system, I did that thing where I made a minor, non-consequential change to the "web.config" file and saved the change... But I don't think the system restarted, as browsing pages continued as normal without a pause.

Step Two: On the "live" server I copied that new redirect code and pasted into the same location within "Extensionweb.config". Again, I did a minor, non-consequential change too and saved it. Then browsing the site's front-end there was an obvious pause as the browser was waiting on the server - presumably doing the system restart.

But, when applying "/Telerik.Web.UI.DialogHandler.aspx?checkHandler=true" onto the end of my domain's URL I was once again greeted with "HandlerCheckOK" as opposed to the "not allowed" web page I was expecting (and yes, I had pre-created a new Sitefinity page that used the same URL as your example).

So I'm somewhat bamboozled.

m.

0
martin
answered on 18 Aug 2017, 03:57 PM

I almost feel like I want to make 100% sure that the set of files I'm amending are actually the files for the live site I'm viewing.

Within the server's "telerik" directory, there are various old test sites and such that really ought to be cleaned out. But I'm assuming I'm editing the right one, as the directory for this specific site is called "ACS_3.7", where ACS is the company initials and 3.7 is where we upgraded from the original 3.6 install.

Surely if I was looking at the wrong site (within the directory) then making that change to "Extensionweb.config" wouldn't cause the brief front-end browser pause I saw. But I'd still like to double-check.

m.

0
Marin Bratanov
Telerik team
answered on 21 Aug 2017, 06:39 AM

Hi Martin,

I advise that you ask these questions in your Sitefinity ticket. It will reach the Sitefinity team who have better knowledge of the system and your situation and may be able to help you better. At this point, my belief is that the issue lies in the deployment scenario and the server, and I could hardly offer help on that here.

Regards,

Marin Bratanov
Progress Telerik
0
martin
answered on 21 Aug 2017, 09:05 AM

"I advise that you ask these questions in your Sitefinity ticket."

Official ticketed support does not cover Sitefinity 3.x... It's just too old apparently. Official ticketed support suggested I come onto the forums for advice.

0
Alex Imas
answered on 06 Nov 2019, 05:46 PM

I just ran into this vulnerability and am trying to upgrade v.2013.1.403.  I've got the DLL updated and building, but as soon as I run the app, I get a whole bunch of Skin-related errors.  The fix for these errors is to set EnableEmbeddedSkins="false" all over the place, but I don't understand why this is necessary.  I am already referencing Telerik.Web.UI.Skins v.2013.1.403, but I wonder if that is now out of sync with the new DLL or something.  The Skins we were using were all built-in skins, so I don't know how/why it wouldn't be able to find them.

Any idea what the cause of these errors is, or if there is a better solution than a 1,000 different changes to EnableEmbeddedSkins everywhere?  Is there an updated Skins DLL that I should be using instead?

Thanks.

0
Rumen
Telerik team
answered on 07 Nov 2019, 05:00 PM

Hi Alex,

We are not aware of styling issues with the security patches. 

Can you please go to https://www.telerik.com/account/product-download?product=RCAJAX, choose from the Version dropdown 2013.1.403 and download the SecurityPatch_2013_1_403.zip archive? 

Once you get it, replace the old assembly with it.

If you still experience the reported problem, please open a support ticket or send me an email to rumen.zhekov @ progress.com.

Another temporary fix is to set the Skin property to "Default" or just not to set it. The Default skin is part of the Telerik.Web.UI.dll, and you should not get Skin-related errors related to the Telerik.Web.UI.Skins.dll assembly.

Regards,
Rumen
Progress Telerik

Get quickly onboarded and successful with your Telerik and/or Kendo UI products with the Virtual Classroom free technical training, available to all active customers. Learn More.
0
Kenneth
answered on 10 Apr 2020, 10:31 AM
I'm new here. I tried to download the patch but it shows the error "We are sorry, but only licensed users are eligible for downloading the software." If I cannot patch it, can I just use a URL redirect rule that returns an error page instead of the handler? What is the result or drawback of this solution? Can I still use the upload function in the backend (CMS)? Is there any code that can limit uploading by IP address? Sorry about the stupid questions. Thx!
0
Rumen
Telerik team
answered on 10 Apr 2020, 02:10 PM

Hi Kenneth,

If you are the developer who works with the Telerik AJAX controls, please ask the license holder to add you as a licensed developer as shown at the third link at https://www.telerik.com/purchase/faq/licensing-purchasing. This will not only enable the downloads of the paid products under your personal Telerik.com account but also you will be able to open support tickets and receive faster responses from the tech support engineers.

If you are looking for an alternative to the patches, you can prevent access to the Telerik Dialog Handler.

This will not solve the vulnerability found at the end of 2019, which is explained in the KB article Allows JavaScriptSerializer Deserialization.

Because of it, we strongly recommend migration to the latest version 2020.1.219, where all known security issues are fixed. This version also features support for all modern browsers and their latest versions. It is stable and features new components such as the RadPdfViewer, much demanded by the community.

Best Regards,


Rumen
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.
0
Kenneth
answered on 10 Apr 2020, 03:39 PM

Hi Rumen,

Thanks for your prompt reply. Our CMS was developed by a software house which no longer has a contract with us. I don't think I can ask someone to add me as a licensed developer. Referring to the license page, it costs US$899 for Telerik UI for ASP.NET AJAX, which is quite expensive. Is there any other, cheaper way to solve the problem?

For the vulnerability found at the end of 2019, is there a risk if I only prevent access to the Telerik Dialog Handler? Is there any other way to solve it?

Bests,

Kenneth (newbie)

0
Rumen
Telerik team
answered on 10 Apr 2020, 05:14 PM

Hi Kenneth,

Both issues apply to different components of the suite and the patch for the one vulnerability does not fix the other one which is covered by the latest version.

Please open a General Feedback ticket and share the details of the software house you worked with and any details you can provide for the license they have, so that we can check our records. We will do our best to help you secure your app.

Thank you!

Looking forward to hearing from you soon,
Rumen
Progress Telerik

0
Antony
answered on 21 Oct 2020, 03:05 PM

Hi Telerik admins,

I can't find the patch for the 2012.2.912 version (see attached file).

However, version 2012.2.724 does offer a patch.

Can you please send me this patch or help me to find it?

Thank you.

0
Rumen
Telerik team
answered on 21 Oct 2020, 03:34 PM

Hi Antony,

Version 2020.1.114, in which the security issue is fixed, is an official release which you have to upgrade to by downloading the Telerik_UI_for_ASP.NET_AJAX_2020_1_114_Dev_hotfix.zip archive and manually upgrading your app with it:

On a side note, the patch for 2012.2.912 does not prevent CVE-2019-18935.

Best Regards,
Rumen
Progress Telerik

Five days of Blazor, Angular, React, and Xamarin experts live-coding on twitch.tv/CodeItLive, special prizes, and more, for FREE?! Register now for DevReach 2.0(20).
