AUTHOR: Marin Bratanov
DATE POSTED: August 22, 2017
Security vulnerability: weak encryption has been used in old versions of Telerik.Web.UI to encrypt data used by RadAsyncUpload.
An exploit can result in arbitrary file uploads and/or remote code execution.
To ensure your application is not exposed to this risk, there are several mitigation paths. You can find them below.

Update from 8 Sep 2017: You should follow one of these options even if you are not using RadAsyncUpload in your application. Also, we added examples of how to disable file uploads without using a patch.

Depending on the version you are using, you have the following options:
If you are on active maintenance, upgrade to R2 2017 SP2 (2017.2.711) or later.
If you are on active maintenance, upgrade to R1 2017 (2017.1.118) or later.
Use a patch for versions between Q1 2011 (2011.1.315) and R3 2016 SP2 (2016.3.1027) and disable file uploads through the Telerik handler.
Prevent POST requests to the handler used by RadAsyncUpload.
Set encryption keys.

Upgrade to R2 2017 SP2 (2017.2.711) or later
R2 2017 SP2 (2017.2.711) is the first official release that introduces an appSettings key for disabling file uploads through the Telerik handler. Thus, on top of the improved encryption and validation that the upgrade brings, an added security measure can be disabling all file uploads through the Telerik handler.

Upgrade to R1 2017 (2017.1.118) or later
The R1 2017 release introduces improved encryption and validation as described in the RadAsyncUpload Security article. To use it:
Follow the RadAsyncUpload Security help article.

Use a patch (Q1 2011 to R3 2016 SP2)
Download a patched version from your Telerik.com account after the 15th of August 2017. If you downloaded it earlier, download it again, because the file was updated since its original creation. Here is how to get the patch:
NOTE: The patches are not available on the Telerik NuGet feed.
NOTE: Due to technical feasibility, the following versions do not have patches for this issue:
NOTE: If you are targeting .NET 3.5, review the FIPS Compatibility article, because the encryption issue it describes also pertains to these patches.
Source code for building a patched version and protecting the Telerik.Web.UI assembly is available as well. If you downloaded it before the 15th of August 2017, download it again, because the file was updated.
How to spot a patched version of Telerik.Web.UI.dll: the patched version shows "Telerik.Web.UI.Patch" in the File Description under Properties in Windows Explorer.
IMPORTANT: The patch disables file uploads through the built-in Telerik handler. This means that you will not be able to use RadAsyncUpload unless you create a custom handler with the desired level of security. If you do that, see the UploadedFiles.SaveAs Throws FileNotFound Error with Custom Handler KB article.

Prevent POST requests to the handler used by RadAsyncUpload
Versions starting from R2 2017 SP2 and the provided patches allow you to set an appSettings key to disable file uploads. If you cannot upgrade or apply a patch, an alternative is to block the POST requests that upload the file to the built-in Telerik handler from your web.config. Here are two suggestions on how to achieve this:

Set encryption keys
Follow the same steps as if upgrading to R1 2017 (2017.1.118) or later, that is, follow the RadAsyncUpload Security help article. Modifying the web.config to include the necessary key(s) takes effect immediately without you needing to rebuild your application. Note that IIS may recycle the application pool when the web.config file is changed.
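The following PowerShell script is an added example written for this page; it is not Telerik code and does not come from the Telerik articles referenced above. It ties the mitigation paths together for an administrator working on the IIS server: it reads the Telerik.Web.UI.dll version and File Description to tell a patched build from an unpatched one, sets random, application-specific encryption keys, optionally turns on the appSettings switch that disables uploads through the Telerik handler, and optionally denies POST requests to the handler via ASP.NET URL authorization. The appSettings key names (Telerik.AsyncUpload.ConfigurationEncryptionKey, Telerik.Upload.ConfigurationHashKey, Telerik.Upload.DisableAsyncUploadHandler) and the handler path Telerik.Web.UI.WebResource.axd are taken from the RadAsyncUpload Security documentation as I remember it and are assumptions to verify against the article for your exact version; the site path is a placeholder, and the version thresholds are the ones stated on this page.

```powershell
# Added example, not Telerik code. Assumptions: appSettings key names and the
# handler path are from the RadAsyncUpload Security documentation (verify for
# your version); $SitePath is a placeholder.
param(
    [string]$SitePath = 'C:\inetpub\wwwroot\MySite',  # placeholder path
    [switch]$DisableUploads,   # set Telerik.Upload.DisableAsyncUploadHandler=true
    [switch]$DenyPost          # deny POST to Telerik.Web.UI.WebResource.axd
)
Set-StrictMode -Version Latest

$dll = Join-Path $SitePath 'bin\Telerik.Web.UI.dll'
$cfg = Join-Path $SitePath 'web.config'

# 1. Identify the assembly. A patched build carries "Telerik.Web.UI.Patch"
#    in its File Description (the same field Explorer shows under Properties).
$info = (Get-Item $dll).VersionInfo
$ver  = [version]$info.FileVersion
Write-Host "Telerik.Web.UI $ver ($($info.FileDescription))"
$isPatched  = $info.FileDescription -like '*Telerik.Web.UI.Patch*'
$hasKeys    = $ver -ge [version]'2017.1.118'                 # R1 2017: improved encryption/validation
$hasDisable = ($ver -ge [version]'2017.2.711') -or $isPatched # R2 2017 SP2 or patch: disable key
if (-not $hasKeys -and -not $isPatched) {
    Write-Warning 'Unpatched pre-R1 2017 build: upgrade, apply the patch, or deny POST to the handler.'
}

# 2. Load web.config and make sure <appSettings> exists.
[xml]$xml = Get-Content -Raw $cfg
$app = $xml.configuration.SelectSingleNode('appSettings')
if (-not $app) { $app = $xml.configuration.AppendChild($xml.CreateElement('appSettings')) }

function Set-AppSetting([string]$Key, [string]$Value) {
    $node = $app.SelectSingleNode("add[@key='$Key']")
    if (-not $node) {
        $node = $app.AppendChild($xml.CreateElement('add'))
        $node.SetAttribute('key', $Key)
    }
    $node.SetAttribute('value', $Value)
}

# 3. Keys must be random and unique per application; never copy a value from
#    documentation or from another site. 48 random bytes -> 64 base64 chars.
function New-RandomKey {
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}
if ($hasKeys) {
    foreach ($k in 'Telerik.AsyncUpload.ConfigurationEncryptionKey', 'Telerik.Upload.ConfigurationHashKey') {
        # keep an existing key so encrypted state already issued to clients stays valid
        if (-not $app.SelectSingleNode("add[@key='$k']")) { Set-AppSetting $k (New-RandomKey) }
    }
}
if ($DisableUploads -and $hasDisable) {
    Set-AppSetting 'Telerik.Upload.DisableAsyncUploadHandler' 'true'
}

# 4. For builds that can be neither upgraded nor patched: deny POST to the handler
#    with ASP.NET URL authorization. RadAsyncUpload uploads by POSTing to this path.
if ($DenyPost) {
    $loc = $xml.CreateElement('location')
    $loc.SetAttribute('path', 'Telerik.Web.UI.WebResource.axd')
    $loc.InnerXml = '<system.web><authorization><deny verbs="POST" users="*" /></authorization></system.web>'
    $xml.configuration.AppendChild($loc) | Out-Null
}

Copy-Item $cfg "$cfg.bak" -Force
$xml.Save($cfg)   # takes effect immediately; IIS recycles the application pool on web.config change
```

Run it once per application, for example `.\Mitigate-RadAsyncUpload.ps1 -SitePath D:\Sites\Intranet -DisableUploads`, after testing against a copy of the site. Only one mitigation path from the list above is required; the `-DenyPost` switch is for installations that cannot take the patch or an upgrade, and because it denies every POST to Telerik.Web.UI.WebResource.axd you should confirm that nothing else in the application posts to that handler before relying on it.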
We would like to thank Paul Taylor / Foregenix Ltd for assisting with making the information public.