CVE-2017-9248

Analysis and mitigation of the ASP.NET AJAX and Sitefinity vulnerability — CRITICAL (CVSS 9.8)

High-profile threat

Overview

Telerik UI for ASP.NET AJAX and Sitefinity contain a cryptographic protection bypass vulnerability caused by improper protection of DialogParametersEncryptionKey or MachineKey. This vulnerability allows remote attackers to defeat cryptographic mechanisms, potentially leading to MachineKey disclosure, arbitrary file operations, cross-site scripting (XSS), and ViewState compromise. (NVD) The vulnerability was disclosed on July 3, 2017. CISA has identified CVE-2017-9248 as exploited, but it is not currently known to be used in ransomware campaigns.

Technical details

The vulnerability stems from improper protection and encryption of sensitive cryptographic keys used in Telerik UI for ASP.NET AJAX and Sitefinity. The DialogParametersEncryptionKey and/or MachineKey are not adequately protected or encrypted, allowing attackers to extract or derive these keys. Once obtained, these keys can be leveraged to bypass cryptographic mechanisms that protect various components of the application. (NVD, Progress Software Security Advisory)

The vulnerability is classified as CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), CWE-330 (Use of Insufficiently Random Values), CWE-326 (Inadequate Encryption Strength), CWE-311 (Missing Encryption of Sensitive Data) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting its critical severity.

Impact

Successful exploitation of this vulnerability can lead to multiple critical impacts: (1) MachineKey disclosure/derivation, which can compromise all cryptographic protections in the ASP.NET application; (2) Arbitrary file uploads, allowing attackers to upload malicious files to the server; (3) Arbitrary file downloads, enabling attackers to exfiltrate sensitive files; (4) Cross-site scripting (XSS) attacks through compromised ViewState; (5) Compromise of encrypted session data and authentication tokens; (6) Complete takeover of the affected ASP.NET application. (Progress Software Advisory, Telerik Security Advisory)

Mitigation and workarounds

For Telerik UI for ASP.NET AJAX: Upgrade to R2 2017 SP1 (2017.2.503) or a later version. This release includes improved cryptographic key protection and proper encryption of sensitive parameters. For Sitefinity: Upgrade to version 10.0.6412.0 or later. Both upgrades include patches that properly encrypt and protect the DialogParametersEncryptionKey and ensure MachineKey is not exposed through this vulnerability vector. (Progress Software, Telerik) The following versions include the necessary fixes: Telerik UI for ASP.NET AJAX: R2 2017 SP1 and later; Sitefinity: 10.0.6412.0 and later.

As temporary workarounds: implement network-level access controls to restrict access to Telerik UI endpoints and dialogs, and use web application firewalls (WAF) with rules to detect and block attempts to exploit DialogParameters encryption weaknesses; disable Telerik UI dialogs and features that are not strictly necessary for the application's functionality, which reduces the attack surface; implement custom encryption for sensitive data in ViewState and session tokens in addition to the application-level protections, adding cryptographic layers beyond ASP.NET's default mechanisms; and monitor for suspicious file upload/download activity and unusual ViewState modifications, with robust logging of cryptographic operations.
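One way to act on the monitoring workaround above is to review web-server logs for clients that hammer the Telerik dialog handler with many different dp (dialog parameters) values, which is the traffic pattern a key-recovery attempt produces. The script below is an added example, not code from the advisory or from Progress/Telerik; the endpoint name Telerik.Web.UI.DialogHandler.aspx, the simplified log format and the sample lines are assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict

# Dialog handler file name to watch (assumed, lower-cased for comparison).
DIALOG_ENDPOINTS = ("telerik.web.ui.dialoghandler.aspx",)

# Simplified log format: date time c-ip method uri-stem uri-query status
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines: one client cycling dp values, one normal client.
SAMPLE_LOG = """\
2017-07-04 10:00:01 203.0.113.7 GET /Telerik.Web.UI.DialogHandler.aspx dp=AAAA 200
2017-07-04 10:00:02 203.0.113.7 GET /Telerik.Web.UI.DialogHandler.aspx dp=AAAB 200
2017-07-04 10:00:02 203.0.113.7 GET /Telerik.Web.UI.DialogHandler.aspx dp=AAAC 200
2017-07-04 10:00:03 203.0.113.7 GET /Telerik.Web.UI.DialogHandler.aspx dp=AAAD 200
2017-07-04 10:00:03 203.0.113.7 GET /Telerik.Web.UI.DialogHandler.aspx dp=AAAE 200
2017-07-04 10:00:04 203.0.113.7 GET /Telerik.Web.UI.DialogHandler.aspx dp=AAAF 200
2017-07-04 10:00:04 203.0.113.7 GET /Telerik.Web.UI.DialogHandler.aspx dp=AAAF 200
2017-07-04 10:00:05 198.51.100.3 GET /Telerik.Web.UI.DialogHandler.aspx dp=BBBB 200
2017-07-04 10:00:06 198.51.100.3 GET /Default.aspx - 200
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def dp_value(query):
    """Return the 'dp' query parameter value, or None if absent."""
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key == "dp":
            return value
    return None

def find_dialog_probing(log_text, threshold=5):
    """Map client IP -> number of distinct dp values sent to the dialog handler,
    keeping only clients at or above the threshold (likely probing)."""
    distinct_dp = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"].lower().rsplit("/", 1)[-1] not in DIALOG_ENDPOINTS:
            continue
        dp = dp_value(rec["query"])
        if dp is not None:
            distinct_dp[rec["ip"]].add(dp)
    return {ip: len(v) for ip, v in distinct_dp.items() if len(v) >= threshold}

if __name__ == "__main__":
    print(find_dialog_probing(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

Tune the threshold to the normal dialog usage of the application; a single user legitimately sends only a handful of dp values per session.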

CISA recommendation: Apply updates per vendor instructions.

Source: This report was generated by AI.

Related Progress vulnerabilities

No related vulnerabilities with identified affected products.