This is a migrated thread and some comments may be shown as answers.

WebResource.axd getting Vulnerabilities on IBM App Scan test

5 Answers 1496 Views
Sanju asked on 31 May 2020, 09:12 PM

I have done an AppScan on an ASP.NET application developed with Telerik controls,

and I received the following vulnerabilities related to Telerik controls:

1. Cacheable SSL Page Found

2. Client Side (JavaScript) Cookie References

3. Query Parameter in SSL Request

As per our security feedback, these issues should be rectified. I had already explained that these are just assemblies which don't do any database operation and can be treated as false positives, but they suggested referring to the Australian Cyber Security Centre report "Advisory: Vulnerable versions of Telerik UI being actively exploited by APT actor".

Please support in order to resolve the issue.

5 Answers, 1 is accepted

Rumen
Telerik team
answered on 01 Jun 2020, 05:32 PM

Hi Sanju,

You are absolutely correct that the three findings of the IBM scanner are false positives.

The vulnerability reported by the Australian Cyber Security Centre is explained in this article: https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization and since your app is running the latest version 2020.2.512, it is protected from all known vulnerabilities in the Telerik controls.

The only thing I suggest you do is apply the recommended security settings in the web.config file - https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security#recommended-settings. You can see how to generate the keys via IIS at https://www.youtube.com/watch?v=J18zDKtiBFE

Please let me know if you have any other questions.

Regards,
Rumen
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.
Sanju
answered on 01 Jun 2020, 09:32 PM

Dear Rumen, 

I am using version 2017.3.913.40. How can I update Telerik on my server?

I am not using any async file upload control; even then, should I do this setting in web.config?

 

Regards

Sanju

Rumen
Telerik team
answered on 02 Jun 2020, 07:40 AM

Hi Sanju,

If the AsyncUpload is not used in your app, you just need to disable its handler by setting this in the web.config:

<appSettings>
    <add key="Telerik.Web.DisableAsyncUploadHandler" value="true"/>
</appSettings>

You can see more on DisableAsyncUploadHandler.

Recommendation: even when disabling file uploads, we recommend setting the main custom encryption keys, especially for versions prior to R3 2019 SP1.

Regards,
Rumen
Progress Telerik

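Rumen's two answers above recommend the same web.config hardening: disable the AsyncUpload handler when the app does not use it, and set custom encryption keys rather than relying on defaults. The following Python script is an added example for this thread, not Telerik's code or anything posted above: it audits a web.config for those settings and the referenced Telerik.Web.UI version, then writes a hardened copy with fresh random keys. The three key names follow Telerik's recommended-settings page linked above; the build number taken for R3 2019 SP1, the minimum key length, and the sample web.config are assumptions of this example and are marked as such in the code.

```python
"""Audit and harden the Telerik UI for ASP.NET AJAX settings in a web.config.

Added example, not code from Telerik or from this thread. The appSettings
key names are the ones on Telerik's recommended-settings page; the version
threshold, the key-length policy and the sample web.config are assumptions
of this example and are marked as such below.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# appSettings keys from Telerik's recommended security settings.
DISABLE_HANDLER_KEY = "Telerik.Web.DisableAsyncUploadHandler"
SECRET_KEYS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)
# Assumption: R3 2019 SP1, the release Rumen names above, is build 2019.3.1023.
R3_2019_SP1 = (2019, 3, 1023)
# Assumption (this example's policy): a custom key must be at least 32 bytes,
# i.e. 64 hex characters; anything shorter is treated as missing or weak.
MIN_KEY_HEX_CHARS = 64

# Constructed sample: Sanju's 2017.3.913.40 build with none of the settings.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="SomeOtherSetting" value="x"/>
  </appSettings>
  <system.web>
    <compilation targetFramework="4.5">
      <assemblies>
        <add assembly="Telerik.Web.UI, Version=2017.3.913.40, Culture=neutral, PublicKeyToken=121fae78165ba3d4"/>
      </assemblies>
    </compilation>
  </system.web>
</configuration>
"""

_VERSION_RE = re.compile(r"^Telerik\.Web\.UI,\s*Version=((\d+)\.(\d+)\.(\d+)[\d.]*)")


def telerik_version(config_xml):
    """Return (display_string, (year, release, build)) for the referenced
    Telerik.Web.UI assembly, or None when web.config does not reference it."""
    root = ET.fromstring(config_xml)
    for add in root.iter("add"):
        m = _VERSION_RE.match(add.get("assembly", ""))
        if m:
            return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))
    return None


def audit(config_xml):
    """Return a list of findings; an empty list means nothing is left to fix.
    The handler check assumes, as in the thread, that RadAsyncUpload is unused."""
    root = ET.fromstring(config_xml)
    settings = {a.get("key"): (a.get("value") or "") for a in root.findall("appSettings/add")}
    findings = []
    ver = telerik_version(config_xml)
    if ver is not None and ver[1] < R3_2019_SP1:
        findings.append(f"Telerik.Web.UI {ver[0]} predates R3 2019 SP1; upgrade")
    if settings.get(DISABLE_HANDLER_KEY, "").lower() != "true":
        findings.append(f"{DISABLE_HANDLER_KEY} is not set to true")
    for key in SECRET_KEYS:
        if len(settings.get(key, "")) < MIN_KEY_HEX_CHARS:
            findings.append(f"{key} is missing or shorter than {MIN_KEY_HEX_CHARS // 2} bytes")
    return findings


def harden(config_xml, disable_async_upload=True, rng=secrets.token_hex):
    """Return web.config text with the upload handler disabled and a fresh,
    independent 64-byte random key in each of the three key settings."""
    root = ET.fromstring(config_xml)
    node = root.find("appSettings")
    if node is None:
        node = ET.SubElement(root, "appSettings")
    existing = {a.get("key"): a for a in node.findall("add")}

    def put(key, value):
        el = existing.get(key)
        if el is None:
            el = ET.SubElement(node, "add", key=key)
            existing[key] = el
        el.set("value", value)

    put(DISABLE_HANDLER_KEY, "true" if disable_async_upload else "false")
    for key in SECRET_KEYS:
        put(key, rng(64))  # 64 random bytes -> 128 hex chars; never reuse one key
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_CONFIG):
        print("BEFORE:", finding)
    for finding in audit(harden(SAMPLE_WEB_CONFIG)):
        print("AFTER: ", finding)
```

Run it against a copy of the server's web.config and diff the result before deploying. The version finding stays open until the assembly is actually upgraded, which is the point Rumen's first answer makes: the web.config settings reduce exposure but do not replace the upgrade. Keep the generated keys out of source control, and if the application runs on more than one server, deploy identical key values to all of them.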
Sanju
answered on 02 Jun 2020, 12:24 PM

Thanks Rumen,

please let me know how to update Telerik to the latest version.

I don't have open internet on the server, so please let us know which URL is being called for updating Telerik, so that I can whitelist it.

Regards

Sanju

Rumen
Telerik team
answered on 03 Jun 2020, 02:12 PM

Hi Sanju,

The upgrade procedure is explained in detail in this article - Upgrade to a Newer Version of Telerik® UI for ASP.NET AJAX.

Please ask the license holder in your company to add you as a licensed developer as explained in point 3 on https://www.telerik.com/purchase/faq/devcraft since this will give you access to the paid product under your account on https://www.telerik.com/account/product-download?product=RCAJAX.

Regards,
Rumen
Progress Telerik
