AUTHOR: Marin Bratanov
DATE POSTED: August 22, 2017
Security vulnerabilities CVE-2014-2217 and CVE-2017-11317: weak encryption has been used in old versions of Telerik.Web.UI to encrypt data used by RadAsyncUpload.
An exploit can result in arbitrary file uploads and/or remote code execution.
Update from Jan 5, 2021: Due to the .NET JavaScriptSerializer Deserialization (CVE-2019-18935) vulnerability, we strongly recommend upgrading to R1 2020 (version 2020.1.114) or later since the patches provided for CVE-2014-2217 and CVE-2017-11317 do not prevent it. Only the upgrade to R1 2020 (2020.1.114) or later can prevent the known vulnerabilities at the time of writing. You can find more details and instructions at Allows JavaScriptSerializer Deserialization and Blue Mockingbird Vulnerability Picks up Steam—Telerik Guidance. Also check the FAQ section at the end of the Security article.
Update from 8 Sep 2017: You should follow one of these options even if you are not using RadAsyncUpload in your application.
Update from 23 Oct 2019: Information on avoiding the issue through general web.config networking settings was removed because it is not sufficiently safe. General readability and information structure improvements were made as well.
To ensure your application is not exposed to risk, there are several mitigation paths that provide different levels of security. The recommended approach, with the highest level of security, is to use the latest version of the controls and follow the recommendations of the RadAsyncUpload Security article.
Required steps:
Step 1: Follow the RadAsyncUpload Security article and set all encryption keys.
Step 2: Depending on project requirements and active maintenance licenses, there are a few options to pursue:
Option 1: Upgrade to R2 2017 SP2 (2017.2.911) or later and follow the steps for the chosen version.
Option 2: Apply a patch and disable the built-in RadAsyncUpload handler.
Recommended steps for improved security:
Important encryption improvements that strengthen the security of the control were implemented in R2 2017 SP2 (2017.2.711), and we strongly recommend using that version or a newer one.
Tip 1: Upgrade to R3 2019 SP1 or later because it contains the custom metadata whitelisting feature.
Tip 2: Follow the RadAsyncUpload Security article and set all encryption keys.
The official versions between R1 2017 (2017.1.118) and R2 2017 SP1 (2017.2.621) have the Insecure Direct Object Reference vulnerability if the Custom Encryption keys are not set.
Option 1: Apply a patch and disable the built-in RadAsyncUpload handler.
Option 2: Upgrade to R2 2017 SP2 or later and follow the steps for the chosen version.
Recommendations for improved security:
The patch is a Telerik.Web.UI.dll assembly, available for most versions between Q1 2011 and R2 2017 SP1. For those older versions it provides the following abilities, which are built in for R2 2017 SP2 or later:
Follow the instructions in the How to Obtain and Apply the Patch section to get and apply the patch for your version.
Before proceeding with the patching procedure, please review the following notes:
Note 1: If you are targeting .NET 3.5, review the FIPS Compatibility article, because the encryption issue it describes also pertains to these patches.
Note 2: The patches are not available on the Telerik NuGet feed.
Note 3: If you downloaded the patch before the 15th of August 2017, download and apply it again, because the file was updated since its original creation.
Note 4: Due to technical feasibility, the following versions do not have patches for this issue; they need to be upgraded, and the steps for the new version followed:
Step 1: Go to your telerik.com account.
Step 2: From the Version dropdown, select your release:
Step 3: Download the SecurityPatch_<your_version>.zip file (e.g. SecurityPatch_2017.2.621.zip).
Step 4: Replace the Telerik.Web.UI assembly in your application with the one of the same version that you just downloaded.
Step 5: Disable the handler as explained in the RadAsyncUpload Security article.
Step 6 (Added on 23 Oct 2019): Follow the RadAsyncUpload Security article and set all encryption keys.
Step 7: Verify that the patch is applied.
Once the built-in handler of RadAsyncUpload is disabled, the control cannot be used unless a Custom Handler with the desired level of security is defined.
The custom metadata configuration whitelisting functionality further improves security. It is available as of R3 2019 SP1.
Source code for building a patched version and protecting the Telerik.Web.UI assembly is available as well.
The patched version shows "Telerik.Web.UI.Patch" in the File Description under Properties in Windows Explorer:
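The following PowerShell script is an added example for auditing a deployed site against the steps above; it is not code from Telerik or from this article. It assumes the site root contains bin\Telerik.Web.UI.dll and web.config, and that the appSettings key names it looks for (the three encryption keys and Telerik.Web.DisableAsyncUploadHandler) are the ones documented in the RadAsyncUpload Security article for your version; check that article if a key name differs in your build. It goes slightly beyond this article by also comparing the assembly version with the 2020.1.114 minimum from the Jan 2021 update.

```powershell
# Added example (not Telerik's code): audit one ASP.NET site folder for the
# RadAsyncUpload mitigations. Assumptions: bin\Telerik.Web.UI.dll and web.config
# live under $SiteRoot, and the appSettings key names below match the
# RadAsyncUpload Security article for your version.
param(
    [Parameter(Mandatory = $true)]
    [string]$SiteRoot
)

$dllPath    = Join-Path $SiteRoot 'bin\Telerik.Web.UI.dll'
$configPath = Join-Path $SiteRoot 'web.config'

# --- 1. Assembly check: version number and the "Telerik.Web.UI.Patch" file description ---
$info = (Get-Item -LiteralPath $dllPath).VersionInfo
# Build a comparable version from the numeric parts (e.g. 2017.2.621)
$assemblyVersion = [version]::new($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart)

Write-Host "Telerik.Web.UI version : $assemblyVersion"
Write-Host "File description       : $($info.FileDescription)"

# R1 2020 (2020.1.114) is the minimum that also covers CVE-2019-18935 (see the Jan 2021 update).
$minimumSafe = [version]'2020.1.114'
if ($assemblyVersion -ge $minimumSafe) {
    Write-Host "OK   : version is R1 2020 or later"
} elseif ($info.FileDescription -like '*Telerik.Web.UI.Patch*') {
    Write-Warning "Patched pre-2020 build found; the patch does not cover CVE-2019-18935, so plan an upgrade to $minimumSafe or later"
} else {
    Write-Warning "Unpatched build older than $minimumSafe: apply the patch and disable the handler, or upgrade"
}

# --- 2. web.config check: encryption keys set, and the built-in handler disabled on patched builds ---
[xml]$config = Get-Content -LiteralPath $configPath
$appSettings = @{}
foreach ($node in $config.configuration.appSettings.add) {
    $appSettings[$node.key] = $node.value
}

# Key names assumed from the RadAsyncUpload Security article
$requiredKeys = @(
    'Telerik.AsyncUpload.ConfigurationEncryptionKey',
    'Telerik.Upload.ConfigurationHashKey',
    'Telerik.Web.UI.DialogParametersEncryptionKey'
)
foreach ($key in $requiredKeys) {
    if ([string]::IsNullOrWhiteSpace($appSettings[$key])) {
        Write-Warning "Missing or empty appSettings key: $key"
    } else {
        # Report only the length, never the key material itself
        Write-Host "OK   : $key is set ($($appSettings[$key].Length) chars)"
    }
}

# Patched builds older than R1 2020 must also run with the built-in handler disabled (Step 5).
if ($assemblyVersion -lt $minimumSafe) {
    if ($appSettings['Telerik.Web.DisableAsyncUploadHandler'] -eq 'true') {
        Write-Host "OK   : built-in RadAsyncUpload handler is disabled"
    } else {
        Write-Warning "Telerik.Web.DisableAsyncUploadHandler is not 'true' in appSettings"
    }
}
```

Run it as `.\Audit-RadAsyncUpload.ps1 -SiteRoot 'C:\inetpub\wwwroot\MySite'`. If your appSettings section is externalized with a `file=` or `configSource=` attribute, point the script at that file instead, since it reads only the inline `<add>` elements.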
NOTES
We would like to thank Paul Taylor / Foregenix Ltd and Markus Wulftange of Code White GmbH for assisting with making the information public.