Had a few sites on the same server that suddenly stopped working and started having issues
looking into the issues found the following weird entry appear in the root web.config:
<location path="Telerik.Web.UI.WebResource.axd">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Also found the following folders had been created:
"ScriptResource.axd" - Blank web.config
"Telerik.Web.UI.WebResource.axd" - contains a web.config as follows:
<configaration>
<location path="Telerik.Web.UI.WebResource.axd">
<system.webServer>
<httpRedirect enabled="true" destination="ROOT" httpResponseStatus="Permanent" />
</system.webServer>
</location>
</configaration>
"WebResource.axd" - Blank web.config
Anyone else ever seen this?
Is it a hack?
Thanks
7 Answers, 1 is accepted
Hello Jon,
If you are using a version prior to R1 2020, then this is a probable hack attack leveraging this vulnerability:
If you have R1 2020 or later and all the encryption keys set to a strong value, then it is less likely to be an attack via the Telerik controls.
The first entry is you have shared seems the one we suggest for loading properly the resources:
The rest of the snippets and folders might be a result of an attack.
We recommend upgrading all public sites you maintain to at least R1 2020 version and setting the encryption keys with strong values generated similarly to the way demonstrated here:
- https://www.youtube.com/watch?v=J18zDKtiBFE
- https://docs.telerik.com/devtools/aspnet-ajax/general-information/web-config-settings-overview
Regards,
Peter Milchev
Progress Telerik
Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.
Rank 2
Been using these tools for years 'encryption keys' is the first I have EVER heard that they had to be set also....
So is it now the case that EVERY site I have running telerik now SHOULD/MUST have encryption keys set?
Hello Jon,
The Encryption key is available since 2012, while the ConfigurationHashKey is available as of R1 2017.
Also, we have sent numerous mass emails recommending setting all of these keys for better security. A site would be able to work even without them but it is nearly mandatory for better security.
Another highly recommended, almost mandatory, is upgrading to at least R1 2020 for maximum security against the Blue Mockingbird vulnerability:
Regards,
Peter Milchev
Progress Telerik
Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.
Rank 2
hmmm
I would have remembered seeing those emails...
The site in question didn't/doesn't use any upload
so I basically have to set both Encryption & ConfigurationHashKey
just uploading Telerik dll to the bin folder from the latest release is all that's needed and these keys set?
How do I know if setting the keys has worked? will the site simply not load of it doesn't?
Hi Jon,
The only mandatory step is to upgrade to Telerik.Web.UI.dll version 2020.1.114 (R1 2020) or later.
If the ConfigurationEncryptionKey and ConfigurationHashKey keys are not set in the web.config, the control will use the machine key to encrypt (protect) its configuration settings.
There is no way to find out whether the configuration data is encrypted via the machinekey or custom keys since this is going to be a security breach. Both options are secure. The custom keys just give you the ability to use different keys in the different apps you have instead of using one single machine key for all of them. This is a kind of diversification.
Best
Regards,
Rumen
Progress Telerik
Five days of Blazor, Angular, React, and Xamarin experts live-coding on twitch.tv/CodeItLive, special prizes, and more, for FREE?! Register now for DevReach 2.0(20).
Rank 2