This is a migrated thread and some comments may be shown as answers.
Telerik.Web.UI.WebResource.axd strange errors/web.config entries appeared
7 Answers 50 Views
This is a migrated thread and some comments may be shown as answers.
Jon
Top achievements
Rank 2
Jon asked on 06 Oct 2020, 09:38 AM

Had a few sites on the same server that suddenly stopped working and started having issues

looking into the issues found the following weird entry appear in the root web.config:

 

<location path="Telerik.Web.UI.WebResource.axd">
    <system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

Also found the following folders had been created:

"ScriptResource.axd" - Blank web.config

"Telerik.Web.UI.WebResource.axd" - contains a web.config as follows:

<configaration>
<location path="Telerik.Web.UI.WebResource.axd">
<system.webServer>
<httpRedirect enabled="true" destination="ROOT" httpResponseStatus="Permanent" />
</system.webServer>
</location>
</configaration>

"WebResource.axd" - Blank web.config

Anyone else ever seen this?

Is it a hack?

Thanks

 

7 Answers, 1 is accepted

Sort by
0
Peter Milchev
Telerik team
answered on 08 Oct 2020, 11:57 AM

Hello Jon,

If you are using a version prior to R1 2020, then this is a probable hack attack leveraging this vulnerability:

If you have R1 2020 or later and all the encryption keys set to a strong value, then it is less likely to be an attack via the Telerik controls. 

The first entry is you have shared seems the one we suggest for loading properly the resources:

The rest of the snippets and folders might be a result of an attack.

We recommend upgrading all public sites you maintain to at least R1 2020 version and setting the encryption keys with strong values generated similarly to the way demonstrated here:

Regards,
Peter Milchev
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

0
Jon
Top achievements
Rank 2
answered on 08 Oct 2020, 12:21 PM

Been using these tools for years 'encryption keys' is the first I have EVER heard that they had to be set also....

So is it now the case that EVERY site I have running telerik now SHOULD/MUST have encryption keys set?

 

0
Peter Milchev
Telerik team
answered on 08 Oct 2020, 12:40 PM

Hello Jon,

The Encryption key is available since 2012, while the ConfigurationHashKey is available as of R1 2017.

Also, we have sent numerous mass emails recommending setting all of these keys for better security. A site would be able to work even without them but it is nearly mandatory for better security.

Another highly recommended, almost mandatory, is upgrading to at least R1 2020 for maximum security against the Blue Mockingbird vulnerability:

Regards,
Peter Milchev
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

0
Jon
Top achievements
Rank 2
answered on 08 Oct 2020, 12:44 PM

hmmm

I would have remembered seeing those emails...

The site in question didn't/doesn't use any upload

so I basically have to set both Encryption & ConfigurationHashKey 

just uploading Telerik dll to the bin folder from the latest release is all that's needed and these keys set?

How do I know if setting the keys has worked? will the site simply not load of it doesn't?

0
Rumen
Telerik team
answered on 12 Oct 2020, 01:14 PM

Hi Jon,

The only mandatory step is to upgrade to Telerik.Web.UI.dll version 2020.1.114 (R1 2020) or later.

If the ConfigurationEncryptionKey and ConfigurationHashKey keys are not set in the web.config, the control will use the machine key to encrypt (protect) its configuration settings.

There is no way to find out whether the configuration data is encrypted via the machinekey or custom keys since this is going to be a security breach. Both options are secure. The custom keys just give you the ability to use different keys in the different apps you have instead of using one single machine key for all of them. This is a kind of diversification.

Best Regards,
Rumen
Progress Telerik

Five days of Blazor, Angular, React, and Xamarin experts live-coding on twitch.tv/CodeItLive, special prizes, and more, for FREE?! Register now for DevReach 2.0(20).

0
Jon
Top achievements
Rank 2
answered on 12 Oct 2020, 01:36 PM
ok great so just updating the DLLS is good enough for now
0
Rumen
Telerik team
answered on 12 Oct 2020, 02:39 PM

Yes, exactly! This upgrade is the most important step.

Best regards,
Rumen

Asked by
Jon
Top achievements
Rank 2
Answers by
Peter Milchev
Telerik team
Jon
Top achievements
Rank 2
Rumen
Telerik team
Share this question
or