I ran an app scan on an ASP.NET application developed with Telerik controls,
and I received the following vulnerabilities related to the Telerik controls:
1. Catchable SSL Page Found
2. Client Side (Javascript) Cookie References
3. Query parameter in SSL Request
As per our security feedback, these issues should be rectified. I had already explained that these are just assemblies which don't do any database operation and can be treated as false positives. But they suggested referring to the Australian Cyber Security Centre report on Advisory: Vulnerable versions of Telerik UI being actively exploited by APT actor.
Please support in order to resolve the issue.
5 Answers, 1 is accepted
Hi Sanju,
You are absolutely correct that the three findings of the IBM scanner are false positive.
The vulnerability which is reported by the Australian Cyber Security Centre is explained in this article: https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization and since your app is running the latest version 2020.2.512 it is protected from all known vulnerabilities in the Telerik controls.
The only thing I suggest you perform is to apply the recommended security settings in the web.config file - https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security#recommended-settings. You can see how to generate the keys via IIS on https://www.youtube.com/watch?v=J18zDKtiBFE.
Please let me know if you have any other questions.
Regards,
Rumen
Progress Telerik
Our thoughts here at Progress are with those affected by the outbreak.
Dear Rumen,
I am using version 2017.3.913.40. How can I update Telerik on my server?
I am not using any async file upload control; even then, should I do this setting in web.config?
Regards
Sanju
Hi Sanju,
If the AsyncUpload is not used in your app, you just need to disable its handler by setting in the web.config:
<appSettings>
  <add key="Telerik.Web.DisableAsyncUploadHandler" value="true"/>
</appSettings>
You can see more on DisableAsyncUploadHandler.
Recommendation: even when disabling file uploads, we recommend setting the main custom encryption keys, especially for versions prior to R3 2019 SP1.
Regards,
Rumen
Progress Telerik
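The two settings Rumen recommends above can be checked mechanically before the app is redeployed. The following audit script is an added example, not code from the thread or from Progress Telerik; it parses a web.config, confirms Telerik.Web.DisableAsyncUploadHandler is true, and reports custom encryption keys that are missing, shorter than an assumed 32-character minimum, or still a placeholder. The sample config is constructed.

```python
import xml.etree.ElementTree as ET

# appSettings keys named in the thread and in Telerik's security documentation
HANDLER_KEY = "Telerik.Web.DisableAsyncUploadHandler"
SECRET_KEYS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)
MIN_KEY_LEN = 32  # assumption: shorter custom keys are reported as weak


def app_settings(web_config_xml: str) -> dict:
    """Return the <appSettings> key/value pairs of a web.config string."""
    root = ET.fromstring(web_config_xml)
    section = root.find("appSettings")
    if section is None:
        return {}
    return {a.get("key"): a.get("value", "") for a in section.findall("add")}


def audit_telerik_settings(web_config_xml: str) -> list:
    """Return findings as strings; an empty list means every check passed."""
    settings = app_settings(web_config_xml)
    findings = []
    if settings.get(HANDLER_KEY, "").lower() != "true":
        findings.append(f"{HANDLER_KEY} is not 'true': the upload handler stays reachable")
    for key in SECRET_KEYS:
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} is missing")
        elif len(value) < MIN_KEY_LEN or "CHANGE" in value.upper():
            findings.append(f"{key} is short or still a placeholder")
    return findings


# Constructed sample: handler disabled, but the custom keys are absent or a placeholder
SAMPLE_WEAK_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.Web.DisableAsyncUploadHandler" value="true"/>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="CHANGE_ME"/>
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_telerik_settings(SAMPLE_WEAK_CONFIG):
        print("FINDING:", finding)
```

Run it against the real web.config by reading the file into a string; an empty result means the handler is disabled and all three keys are present and long enough.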
Thanks Rumen,
please let me know how to update Telerik to the latest version.
I don't have open internet on the server, so please let us know which URL is called for updating Telerik, so that I can whitelist it.
Regards
Sanju
Hi Sanju,
The upgrade procedure is explained in detail in this article - Upgrade to a Newer Version of Telerik® UI for ASP.NET AJAX.
Please ask the license holder in your company to add you as a licensed developer as explained in point 3 on https://www.telerik.com/purchase/faq/devcraft since this will give you access to the paid product under your account on https://www.telerik.com/account/product-download?product=RCAJAX.
Regards,
Rumen
Progress Telerik