Unrestricted File Upload

RELATED TO:

AUTHOR: Marin Bratanov

DATE POSTED: August 22, 2017

PROBLEM

Security vulnerability: weak encryption has been used in old versions of Telerik.Web.UI to encrypt data used by RadAsyncUpload.

DESCRIPTION

An exploit can result in arbitrary file uploads and/or remote code execution.

SOLUTIONS

Below is a Table of Contents that will help you to follow the correct instructions for your version.
  1. Introduction
  2. Mitigation paths for all versions:  
    1. Instructions for versions between Q1 2011 (2011.1.315) and R3 2016 SP2 (2016.3.1027)
    2. Instructions for versions between R1 2017 (2017.1.118) and R2 2017 SP1 (2017.2.621)
    3. Instructions for versions between R2 2017 SP2 (2017.2.711) and R3 2019 (2019.3.917)
    4. Instructions for versions R3 2019 SP1 (2019.3.1023) and later
  3. What is the patch
  4. How to obtain and apply the patch
  5. How to spot a patched version of Telerik.Web.UI.dll
  6. Notes
  7. External References
  8. See Also

Introduction

Update from 8 Sep 2017: You should follow one of these options even if you are not using RadAsyncUpload in your application.

Update from 23 Oct 2019: Information on avoiding the issue through general web.config networking settings was removed because it is not sufficiently safe. General readability and information structure improvements were made as well.

To ensure your application is not exposed to risk, there are several mitigation paths that ensure different level of security. The recommended approach with the highest level of security is using the Latest version of the controls and following the recommendations of the RadAsyncUpload Security article

Versions between Q1 2011 (2011.1.315) and R3 2016 SP2 (2016.3.1027)

NOTE: Due to technical feasibility, the following versions do not have patches for this issue and need to be upgraded and the steps for the new version to be followed:
  • Q1 2011 SP2 (2011.1.519)
  • Q2 2011 SP1 (2011.2.915)
  • Q3 2011 SP1 (2011.3.1305)
  • Q1 2012 SP1 (2012.1.411)
  • Q2 2012 SP2 (2012.2.912)

Required steps:

Step 1: Follow the RadAsyncUpload Security article and set all encryption keys.

Step 2: Depending on project requirements and active maintenance licenses, there are a few options to pursue:

Option 1: Upgrade to R2 2017 SP2 (2017.2.911) or later and follow the steps for the chosen version.

Option 2: Apply a patch and disable the built-in RadAsyncUpload handler.

 

Recommended steps for improved security: 

Important encryption improvements were implemented in R2 2017 SP2 (2017.2.711) that improve the security of the control and we strongly recommend using that version or a newer one.

Tip 1: Upgrade to R3 2019 SP1 or later because it contains custom metadata whitelisting feature.

Tip 2: Follow the RadAsyncUpload Security article and set all encryption keys.

Versions between R1 2017 (2017.1.118) and R2 2017 SP1 (2017.2.621)

The official versions between R1 2017 (2017.1.118) and R2 2017 SP1 (2017.2.621) have the Insecure Direct Object Reference vulnerability if the Custom Encryption keys are not set.

Required steps:

Option 1: Apply a patch and disable the built-in RadAsyncUpload handler.

Option 2: Upgrade to R2 2017 SP2 or later and follow the steps for the chosen version.

Recommendations for improved security : 

Tip 1: Upgrade to R3 2019 SP1 or later because it contains custom metadata whitelisting feature.

Versions between R2 2017 SP2 (2017.2.711) and R3 2019 (2019.3.917)

Required steps: 

Step 1: Follow the RadAsyncUpload Security article and set all encryption keys.

Recommendations for improved security:

Tip 1: Upgrade to R3 2019 SP1 or later because it contains custom metadata whitelisting feature.

Versions R3 2019 SP1 (2019.3.1023) and later

Required steps: 

Step 1: Follow the RadAsyncUpload Security article and set all encryption keys.

What is the Patch

This is a Telerik.Web.UI.dll assembly, available for most versions between Q1 2011 and R2 2017 SP1. It provides the following abilities for older versions that are available built-in for versions R2 2017 SP2 or later:

  1. The temporary files in the TemporaryFolder are now saved with .tmp extension;
  2. The built-in RadAsyncUpload handler can be disabled;

You can follow the instruction in How to Obtain and Apply the Patch section to get and apply the patch for your version.

Recommendations for improved security:

Tip 1: Upgrade to R3 2019 SP1 or later because it contains custom metadata whitelisting feature.

Tip 2: Upgrade at least to R2 2017 SP2 because it contains significant security enhancements that fully fix the relevant security issues

How to Obtain and Apply the Patch 

Before proceeding with the patching procedure, please review the following notes: 

Note 1: If you are targeting .NET 3.5, review the FIPS Compatibility article, because the encryption issue it describes also pertains to these patches.

Note 2: The patches are not available on the Telerik NuGet feed.

Note 3: If you downloaded the patch before the 15th of August 2017, download and apply it again, because the file was updated since its original creation.

Note 4: Due to technical feasibility, the following versions do not have patches for this issue and need to be upgraded and the steps for the new version to be followed:

  • Q1 2011 SP2 (2011.1.519)
  • Q2 2011 SP1 (2011.2.915)
  • Q3 2011 SP1 (2011.3.1305)
  • Q1 2012 SP1 (2012.1.411)
  • Q2 2012 SP2 (2012.2.912)

 

Here are the steps for obtaining and applying the patch:

Step 1: Go to your telerik.com account.

Step 2: From the Version dropdown, select your release:

How to select your Telerik.Web.UI version

Step 3: Download the SecurityPatch_<your_version>.zip file (e.g. SecurityPatch_2017.2.621.zip);

Step 4: Replace the Telerik.Web.UI assembly in your application with the one of the same version that you just downloaded

Step 5: Disable the handler as explained in the RadAsyncUpload Security article.

Step 6 (Added on 23 Oct 2019): Follow the RadAsyncUpload Security article and set all encryption keys.

Step 7: Verify the patch is applied

Once the built-in handler of RadAsyncUpload is disabled, the control cannot be used unless a Custom Handler with the desired level of security is defined.

The custom metadata configuration whitelisting functionality further improves security. It is available as of R3 2019 SP1.

Source code for building a patched version and protecting the Telerik.Web.UI assembly is available as well.

How to Spot a Patched Version of Telerik.Web.UI.dll

The patched version shows "Telerik.Web.UI.Patch" in the File Description under Properties in Windows Explorer:

How a patched version looks like

 

NOTES

We would like to thank Paul Taylor / Foregenix Ltd and Markus Wulftange of Code White GmbH for assisting with making the information public.

EXTERNAL REFERENCES

  • CVE-2014-2217
  • CVE-2017-11317

SEE ALSO

More Resources

  • Forums

    Find answers to thousands of questions or reach out to our active community.

  • Demos

    Browse 1,200+ demos with source code covering basic and advanced scenarios.

  • Sample Applications

    Learn how to integrate the controls in real-world examples.

  • Feedback Portal

    Vote and follow the features you want to see added to Telerik UI for ASP.NET AJAX.

  • User Voice

    Get answers directly from the people who build the product.

  • Documentation

    Benefit from detailed help articles and API references for all controls.

  • Knowledge Base

    Learn how to achieve common scenarios from a multitude of tutorials and working examples.

  • Code Library

    Browse sample projects submitted by Telerik staff and community members.

  • Blog

    Stay up-to-date with the latest functionality, how-to articles and industry trends.

  • Release History

    Up-to-date release notes for all new features and improvements.