CVE-2017-11317

User Interface (UI) for ASP.NET AJAX vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

Progress Telerik UI for ASP.NET AJAX contains a weak encryption vulnerability in the RadAsyncUpload component that allows remote attackers to perform arbitrary file uploads and execute arbitrary code. The vulnerability stems from an improper encryption implementation in the async upload handling mechanism. The vulnerability was disclosed on August 23, 2017. CISA has identified CVE-2017-11317 as being exploited; it is not currently known to be used in ransomware campaigns.

Technical details

The RadAsyncUpload component in Telerik UI for ASP.NET AJAX uses weak encryption for handling file uploads, allowing attackers to bypass security controls. The vulnerability allows remote attackers to upload arbitrary files to the server or execute arbitrary code by crafting malicious requests that exploit the weak encryption scheme used to validate and process uploaded files.

The vulnerability is classified as CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.

Impact

An unauthenticated remote attacker can upload arbitrary files to the web server, potentially leading to remote code execution. This could allow attackers to compromise the entire application and underlying server, steal sensitive data, modify application logic, or launch further attacks on the infrastructure.

Mitigation and workarounds

Progress Software has released fixed versions: update to R1 2017 SP1 or later on the R1 branch, or to R2 2017 SP2 or later on the R2 branch. Patches are available through the Telerik UI for ASP.NET AJAX NuGet package or by direct download from the Progress Software portal.

As temporary workarounds: disable the RadAsyncUpload component if it is not in use, or restrict access to pages that use RadAsyncUpload through IP whitelisting or authentication mechanisms; implement web application firewall (WAF) rules to detect and block suspicious RadAsyncUpload requests with unusual parameters or patterns; and implement file upload validation at the application level, including strict file type checking, file size limits, and scanning of uploaded files with antivirus/malware detection tools.
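Added example (not from the original report): a small Python check that applies the workarounds above to IIS W3C logs, flagging RadAsyncUpload handler requests that come from outside an IP allowlist or carry unusually long parameters. The handler path, query marker, allowlist and length threshold are assumptions to adjust for your deployment; the log lines are constructed.

```python
import ipaddress

# Assumption: the Telerik async-upload handler path and the query marker that
# identifies RadAsyncUpload traffic; verify both against your own deployment.
HANDLER_PATH = "/Telerik.Web.UI.WebResource.axd"
HANDLER_QUERY_MARKER = "type=rau"
# Constructed policy: the allowlist mirrors the IP whitelisting workaround,
# the length threshold flags requests with unusually long parameters.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MAX_QUERY_LEN = 512
# Constructed IIS W3C extended log excerpt (not a real capture).
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes",
    "2017-08-24 10:00:01 10.1.2.3 POST /Telerik.Web.UI.WebResource.axd type=rau 200 4096",
    "2017-08-24 10:00:05 203.0.113.9 POST /Telerik.Web.UI.WebResource.axd type=rau 200 4096",
    "2017-08-24 10:00:09 10.1.2.3 POST /Telerik.Web.UI.WebResource.axd type=rau&"
    + "A" * 600 + " 200 4096",
    "2017-08-24 10:00:12 203.0.113.9 GET /Default.aspx - 200 512",
])

def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records

def is_rau_request(rec):
    """True when the request targets the async-upload handler."""
    stem, query = rec.get("cs-uri-stem", "").lower(), rec.get("cs-uri-query", "").lower()
    return stem == HANDLER_PATH.lower() and HANDLER_QUERY_MARKER in query

def find_suspicious(records):
    """Return (timestamp, client IP, reasons) for handler requests breaching policy."""
    findings = []
    for rec in records:
        if not is_rau_request(rec):
            continue
        reasons = []
        if not any(ipaddress.ip_address(rec["c-ip"]) in net for net in ALLOWED_NETS):
            reasons.append("source not in allowlist")
        if len(rec["cs-uri-query"]) > MAX_QUERY_LEN:
            reasons.append("oversized query string")
        if reasons:
            findings.append((rec["date"] + " " + rec["time"], rec["c-ip"], reasons))
    return findings
```

Run `find_suspicious(parse_w3c(SAMPLE_LOG))` against real logs by substituting the file contents for SAMPLE_LOG; the same policy can be expressed as WAF rules once the thresholds are tuned.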

CISA's recommendation: Apply updates per vendor instructions.

Source: This report was generated using AI

Related Telerik Vulnerabilities

No related vulnerabilities found with identified affected products.