Unrestricted File Upload

AUTHOR: Marin Bratanov

DATE POSTED: August 22, 2017

PROBLEM

Security vulnerabilities CVE-2014-2217 and CVE-2017-11317: weak encryption has been used in old versions of Telerik.Web.UI to encrypt data used by RadAsyncUpload.

DESCRIPTION

An exploit can result in arbitrary file uploads and/or remote code execution.

SOLUTIONS

1. Introduction
2. Mitigation paths for all versions:  
   1. Instructions for versions between Q1 2011 (2011.1.315) and R3 2016 SP2 (2016.3.1027)
   2. Instructions for versions between R1 2017 (2017.1.118) and R2 2017 SP1 (2017.2.621)
   3. Instructions for versions between R2 2017 SP2 (2017.2.711) and R3 2019 (2019.3.917)
   4. Instructions for versions R3 2019 SP1 (2019.3.1023) and later
3. What is the patch
4. How to obtain and apply the patch
5. How to spot a patched version of Telerik.Web.UI.dll
6. Notes
7. External References
8. See Also

Introduction

Update from Jan 5, 2021: Due to the .NET JavaScriptSerializer Deserialization (CVE-2019-18935) vulnerability, we strongly recommend upgrading to R1 2020 (version 2020.1.114) or later since the patches provided for CVE-2014-2217 and CVE-2017-11317 do not prevent it.

Only the upgrade to R1 2020 (2020.1.114) or later can prevent the known vulnerabilities at the time of writing.

You can find more details and instructions at Allows JavaScriptSerializer Deserialization and Blue Mockingbird Vulnerability Picks up Steam—Telerik Guidance.

Also check the FAQ section at the end of the Security article.

Update from 8 Sep 2017: You should follow one of these options even if you are not using RadAsyncUpload in your application.

Update from 23 Oct 2019: Information on avoiding the issue through general web.config networking settings was removed because it is not sufficiently safe. General readability and information structure improvements were made as well.

To ensure your application is not exposed to risk, there are several mitigation paths that ensure different level of security. The recommended approach with the highest level of security is using the Latest version of the controls and following the recommendations of the RadAsyncUpload Security article. 

---

Versions between Q1 2011 (2011.1.315) and R3 2016 SP2 (2016.3.1027)

Required steps:

Step 1: Follow the RadAsyncUpload Security article and set all encryption keys.

Step 2: Depending on project requirements and active maintenance licenses, there are a few options to pursue:

Option 1: Upgrade to R2 2017 SP2 (2017.2.911) or later and follow the steps for the chosen version.

Option 2: Apply a patch and disable the built-in RadAsyncUpload handler.

 

Recommended steps for improved security: 

Important encryption improvements were implemented in R2 2017 SP2 (2017.2.711) that improve the security of the control and we strongly recommend using that version or a newer one.

Tip 1: Upgrade to R3 2019 SP1 or later because it contains custom metadata whitelisting feature.

Tip 2: Follow the RadAsyncUpload Security article and set all encryption keys.

---

Versions between R1 2017 (2017.1.118) and R2 2017 SP1 (2017.2.621)

The official versions between R1 2017 (2017.1.118) and R2 2017 SP1 (2017.2.621) have the Insecure Direct Object Reference vulnerability if the Custom Encryption keys are not set.

Required steps:

Option 1: Apply a patch and disable the built-in RadAsyncUpload handler.

Option 2: Upgrade to R2 2017 SP2 or later and follow the steps for the chosen version.

Recommendations for improved security : 

Tip 1: Upgrade to R3 2019 SP1 or later because it contains custom metadata whitelisting feature.

---

Versions between R2 2017 SP2 (2017.2.711) and R3 2019 (2019.3.917)

Required steps: 

Step 1: Follow the RadAsyncUpload Security article and set all encryption keys.

Recommendations for improved security:

Tip 1: Upgrade to R3 2019 SP1 or later because it contains custom metadata whitelisting feature.

---

Versions R3 2019 SP1 (2019.3.1023) and later

Required steps: 

Step 1: Follow the RadAsyncUpload Security article and set all encryption keys.

---

What is the Patch

This is a Telerik.Web.UI.dll assembly, available for most versions between Q1 2011 and R2 2017 SP1. It provides the following abilities for older versions that are available built-in for versions R2 2017 SP2 or later:

1. The temporary files in the TemporaryFolder are now saved with .tmp extension;
2. The built-in RadAsyncUpload handler can be disabled;

You can follow the instruction in How to Obtain and Apply the Patch section to get and apply the patch for your version.

Recommendations for improved security:

Tip 1: Upgrade to R3 2019 SP1 or later because it contains custom metadata whitelisting feature.

---

How to Obtain and Apply the Patch 

Before proceeding with the patching procedure, please review the following notes: 

Note 1: If you are targeting .NET 3.5, review the FIPS Compatibility article, because the encryption issue it describes also pertains to these patches.

Note 2: The patches are not available on the Telerik NuGet feed.

Note 3: If you downloaded the patch before the 15th of August 2017, download and apply it again, because the file was updated since its original creation.

Note 4: Due to technical feasibility, the following versions do not have patches for this issue and need to be upgraded and the steps for the new version to be followed:

• Q1 2011 SP2 (2011.1.519)
• Q2 2011 SP1 (2011.2.915)
• Q3 2011 SP1 (2011.3.1305)
• Q1 2012 SP1 (2012.1.411)
• Q2 2012 SP2 (2012.2.912)

 

Here are the steps for obtaining and applying the patch: