This is a migrated thread and some comments may be shown as answers.

CVE-2019-18935

Alfred asked on 15 May 2020, 04:08 PM

I am using 2015.3.1111.40.

I just found out that my server was attacked with CVE-2019-18935. There are many applications that are running v2015. I use both the old upload and the async upload, the editors, etc.

I read this:

https://www.telerik.com/forums/security-vulnerabilities-cve-2017-11357-cve-2017-11317-cve-2014-2217-safe-if-we-don't-use-radasyncupload-control

https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/insecure-direct-object-reference

https://redcanary.com/blog/blue-mockingbird-cryptominer/

https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?&_ga=2.2268086.741100053.1589553385-928490997.1573185609#recommended-settings

Is this CVE-2019-18935 the same vulnerability? I want to fix it and would like to know:

1. I need to download the patch from my account. Do I just replace the Telerik.Web.UI.dll?

2. Do I need to add those keys as mentioned in the last link?

<add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR-FIRST-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP&" />

<add key="Telerik.Upload.ConfigurationHashKey" value="YOUR-SECOND-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP&" />

<add key="Telerik.Upload.AllowedCustomMetaDataTypes" value="Telerik.Web.UI.AsyncUploadConfiguration" />

3. As there are quite many web sites, is there a way to globally apply the keys, e.g. in the IIS root folder? Actually the server can only be accessed by me.

Thanks.

Alfred

Rumen
Telerik team
answered on 15 May 2020, 05:11 PM

Hi Alfred,

We are not familiar with this cryptocurrency virus, how it works and whether it can use the CVE-2019-18935 vulnerability to gain control over the server, but we can tell you how you can prevent the CVE-2019-18935 vulnerability.

Please follow the instructions in this KB article: 

Allows JavaScriptSerializer Deserialization.

You must update the Telerik.Web.UI.dll version to the latest one 2020.2.512 (R2 2020) and also set the recommended security settings in the web.config:

<appSettings>
        <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR-FIRST-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP&" />
        <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR-SECOND-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP&" />
        <add key="Telerik.Upload.AllowedCustomMetaDataTypes" value="Telerik.Web.UI.AsyncUploadConfiguration" />
</appSettings>

The following video shows how to generate the keys and apply the settings: https://www.youtube.com/watch?v=J18zDKtiBFE.

Yes, you can use the configSource attribute to point to a shared config file where you can define the security settings and keys and thus share them from a central location via all web.config files of the multiple apps:

<appSettings configSource="c:\commonSettings.config">
    <add key="myAppSpecificSetting" value="Setting1" />
</appSettings>

You can find more information at 

How to Share App.config?
SectionInformation.ConfigSource Property 
ASP.NET web.config: configSource vs. file attributes 

The patches we provided for the earlier vulnerabilities in the RadAsyncUpload may not prevent CVE-2019-18935 since they do not offer the type whitelisting feature of RadAsyncUpload introduced in R3 2019 SP1 (2019.3.1023).  That's why it is highly recommended to upgrade to at least R3 2019 SP1 (2019.3.1023) or later and set the recommended security settings.

You can find upgrade instructions here, and if you experience any troubles please open support tickets and we will assist you in resolving them.

Regards,
Rumen
Progress Telerik
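As an added example (not from the thread, and not Telerik's own tooling), a small Python audit that reads a site's web.config, follows the configSource indirection described above to the shared file, and reports which of the three recommended appSettings keys are missing or still hold the documentation placeholder; the 32-character minimum, the constructed key values and the sample configs are assumptions.

```python
import pathlib
import tempfile
import xml.etree.ElementTree as ET
# Keys and placeholder prefixes as quoted from the Telerik docs in the thread.
REQUIRED_KEYS = ("Telerik.AsyncUpload.ConfigurationEncryptionKey",
                 "Telerik.Upload.ConfigurationHashKey", "Telerik.Upload.AllowedCustomMetaDataTypes")
PLACEHOLDER_PREFIXES = ("YOUR-FIRST-UNIQUE", "YOUR-SECOND-UNIQUE")
MIN_KEY_LEN = 32  # assumption: shorter encryption/hash key values are reported as weak

def load_app_settings(config_path):
    """Return {key: value} from <appSettings>, following configSource to the shared file."""
    section = ET.parse(config_path).getroot().find("appSettings")
    if section is None:
        return {}
    src = section.get("configSource")
    if src:  # .NET ignores the inline children once configSource is set
        section = ET.parse(pathlib.Path(config_path).parent / src).getroot()
    return {e.get("key"): e.get("value", "") for e in section.findall("add") if e.get("key")}

def audit(config_path):
    """Return findings; an empty list means the recommended settings are in place."""
    settings = load_app_settings(config_path)
    if settings.get("Telerik.Web.DisableAsyncUploadHandler", "").lower() == "true":
        return []  # handler switched off (R1 2020 or later), so the key checks do not apply
    findings = []
    for key in REQUIRED_KEYS:
        value = settings.get(key)
        if value is None:
            findings.append("missing " + key)
        elif value.startswith(PLACEHOLDER_PREFIXES):
            findings.append("placeholder left in " + key)
        elif key.endswith("Key") and len(value) < MIN_KEY_LEN:
            findings.append("weak value in " + key)
    return findings

def build_samples():
    """Write constructed sample configs (unpatched, shared keys, handler off); return their paths."""
    d = pathlib.Path(tempfile.mkdtemp())
    strong = "constructed-" + "a1b2c3d4e5f6" * 3  # stands in for a real random value
    add = '<add key="%s" value="%s"/>'
    files = {
        "common.config": "<appSettings>%s</appSettings>" % "".join(add % kv for kv in zip(
            REQUIRED_KEYS, (strong, strong[::-1], "Telerik.Web.UI.AsyncUploadConfiguration"))),
        "web1.config": "<configuration><appSettings>%s</appSettings></configuration>"
                       % (add % (REQUIRED_KEYS[0], "YOUR-FIRST-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP")),
        "web2.config": '<configuration><appSettings configSource="common.config"/></configuration>',
        "web3.config": "<configuration><appSettings>%s</appSettings></configuration>"
                       % (add % ("Telerik.Web.DisableAsyncUploadHandler", "true")),
    }
    for name, text in files.items():
        (d / name).write_text(text)
    return [d / n for n in ("web1.config", "web2.config", "web3.config")]
```

Point `audit()` at each site's web.config under the IIS root; a config whose only finding is a placeholder value was patched but never given real keys.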

Alfred
answered on 15 May 2020, 06:09 PM

Hi Rumen,

Thanks. 

Upgrading to the current version is not probable in the short term. There are just too many.

So the Telerik.Web.UI.dll security patch does not fix this situation?

Regards

Alfred

Rumen
Telerik team
answered on 16 May 2020, 08:01 AM

Hi Alfred,

The patch may prevent the first prerequisite for the issue (discussed in the article) - an attacker can break the RadAsyncUpload encryption (or have prior knowledge of your custom encryption keys) and stage a malicious request.

If the attacker is, however, somebody internal for your company with access to your local area network, to the app or its web.config, the security may be compromised.

That's why to be on the safe side, we strongly recommend an upgrade to a version that offers the type whitelisting feature.

The latest version we released last week R2 2020 (2020.2.512) is the most secure so far and my personal advice is to allocate time to upgrade to it. It may cost precious time, but it is worth it since your apps will gain support for the latest browsers, security, stability and functionality improvements, and many new components. You can find upgrade instructions here.

Regards,
Rumen
Progress Telerik

Alfred
answered on 02 Aug 2020, 07:55 PM

Hi Rumen

Sorry for a late response.

I read this:

https://www.telerik.com/forums/security-vulnerabilities-cve-2017-11357-cve-2017-11317-cve-2014-2217-safe-if-we-don't-use-radasyncupload-control/page/2

So I will just not use the async upload.

I just want to make sure I am correct.

1. Download the patch and replace the DLL

2. Add this to web.config:

<appSettings>
    <add key="Telerik.Web.DisableAsyncUploadHandler" value="true"/>
</appSettings>

I do NOT need to generate the keys. 

Regards

Alfred

Alfred
answered on 03 Aug 2020, 06:05 AM

Also, how can I block this in the web config?

telerik.web.ui.webresource.axd type=rau

Accepted
Rumen
Telerik team
answered on 03 Aug 2020, 09:20 AM

Hi Alfred,

Please allow me to summarize the information so far:

  • The patches are not a good prevention for the latest known vulnerability, .NET JavaScriptSerializer Deserialization (CVE-2019-18935), and there isn't a reliable way to provide patches for it for the old versions of the Telerik AJAX suite.
  • There is a risk if you do not upgrade to R1 2020 (2020.1.114) or later even if you apply a patch and disable the handler via the DisableAsyncUploadHandler web.config attribute.
  • The official Progress/Telerik recommendation is that everyone upgrade at least to R1 2020 which is now available as a complimentary license for all active/inactive customers. Please check out this blog post and the comments section below it: https://www.telerik.com/blogs/blue-mockingbird-vulnerability-telerik-guidance.
  • For blocking the handler in the web.config you can use the property after upgrading to R1 2020:

    <appSettings>
       <add key="Telerik.Web.DisableAsyncUploadHandler" value="true"/>
    </appSettings>

    All other means, such as the ones shown below, are error-prone and may not handle all possible ways to invoke the handler; that's why we do not recommend them:

Use a URL redirect rule similar to the one below. You can modify it to return errors or other content. This example redirects to a page. Note that this will also prevent file uploads via RadCloudUpload.

<rewrite>
    <rules>
        <rule name="DisableAsyncUpload" enabled="true" stopProcessing="true">
            <match url="^Telerik.Web.UI.WebResource.axd" />
            <conditions>
                <add input="{QUERY_STRING}" pattern="type=rau" />
            </conditions>
            <action type="Redirect" url="not-allowed.aspx" redirectType="Permanent" />
        </rule>
    </rules>
</rewrite>

Change the Telerik.Web.UI.WebResource handler registration so IIS does not allow POST requests to it. Added ways to disable file uploads without a patch. Note that this will also prevent file uploads via RadCloudUpload and can disrupt some functionality in RadImageEditor.

<system.web>
  <httpHandlers>
    <add path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="GET" validate="false" />
  </httpHandlers>
</system.web>
<system.webServer>
  <handlers>
    <remove name="Telerik_Web_UI_WebResource_axd" />
    <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="GET" preCondition="integratedMode" />
  </handlers>
</system.webServer>

Best Regards,
Rumen
Progress Telerik
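As an added example (not from the thread or from Telerik), a Python check that applies the same match as the rewrite rule above to IIS W3C logs, so a defender can see who is calling the type=rau handler and which POSTs a verb=GET registration refused (405) versus let through; the log excerpt, client addresses and paths are constructed.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt; the #Fields line defines the column order.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-05-15 09:00:01 10.0.0.5 GET /Default.aspx - 192.0.2.10 200
2020-05-15 09:00:02 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 192.0.2.10 200
2020-05-15 09:00:03 10.0.0.5 POST /app2/Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 200
2020-05-15 09:00:04 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 405
2020-05-15 09:00:05 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=x 192.0.2.10 200
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def is_rau_request(entry):
    """Same match as the rewrite rule: WebResource.axd (in any app path) with type=rau in the query."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "-")
    params = parse_qs("" if query == "-" else query)  # IIS writes "-" for an empty query string
    return stem.endswith("/telerik.web.ui.webresource.axd") and "rau" in params.get("type", [])

def find_rau_posts(text):
    """Return (client, stem, status) for POSTs to the handler: the requests a verb=GET registration refuses."""
    return [(e["c-ip"], e["cs-uri-stem"], int(e["sc-status"]))
            for e in parse_w3c(text) if is_rau_request(e) and e.get("cs-method") == "POST"]

def summarize(text):
    """Per-client POST counts: how many were allowed (2xx) versus refused (anything else, e.g. 405)."""
    stats = {}
    for client, _stem, status in find_rau_posts(text):
        bucket = stats.setdefault(client, {"allowed": 0, "refused": 0})
        bucket["allowed" if 200 <= status < 300 else "refused"] += 1
    return stats
```

An "allowed" POST to the handler after the handler was disabled or restricted is the signal worth alerting on, since it means one of the invocation paths Rumen warns about was not covered.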

Alfred
answered on 07 Aug 2020, 09:40 AM

Hi Rumen,

Thanks for your support. 

I finally decided to upgrade to the latest version, 2020. I raised a ticket and the Progress support team has helped me to purchase the renewal subscription.

However, I will use your reply as a fast short term solution.

Regards

Alfred

Rumen
Telerik team
answered on 07 Aug 2020, 10:33 AM

Hi Alfred,

Thank you for your trust and loyalty!

If you have any questions please let us know in a support ticket or in the AJAX forums.

Best Regards,
Rumen
Progress Telerik

Alfred
answered on 08 Sep 2020, 05:31 AM

Hi Rumen

I had already upgraded my systems to use R2020.  But I want to ensure my systems are secured.

Referring to:

https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security

1. Do I still need to configure the "ConfigurationEncryptionKey" and "ConfigurationHashKey"?

2. For some systems, users are allowed to upload office documents (doc, docx, xls, xlsx, pdf) as well as some MP4 files. May I have examples of the whitelisted custom metadata types in the web.config files?

And, if I do nothing except upgrading the R2020, are there security issues?

Regards

Alfred

Rumen
Telerik team
answered on 08 Sep 2020, 09:10 AM

Hi Alfred,

I hope you are doing well!

Straight to the questions:

  1. If the "ConfigurationEncryptionKey" and "ConfigurationHashKey" are not set, the R2 2020 version will use the machine.config key to encrypt its configuration. While we still recommend setting the security settings and their key values, because of its uniqueness, the hackers will not be able to break the encryption of R2 2020 even when the machine key is used.
  2. The type whitelisting feature of RadAsyncUpload is not related to the type of the uploaded files. You can specify the allowed file extensions via the AllowedFileExtensions property (live demo) as well as find out how to control the uploaded files in this article - How to Manipulate the Uploaded Files.
  3. And, if I do nothing except upgrading the R2020, are there security issues? - There aren't any known security issues in R2 2020 and R2 2020 SP1.

Best Regards,
Rumen
Progress Telerik
