CVE-2017-9248

ASP.NET AJAX and Sitefinity vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

Telerik UI for ASP.NET AJAX and Sitefinity contain a cryptographic protection bypass vulnerability caused by improper protection of the DialogParametersEncryptionKey or MachineKey. The weakness allows remote attackers to defeat the cryptographic mechanisms, potentially leading to MachineKey disclosure, arbitrary file operations, cross-site scripting (XSS), and ViewState compromise. (NVD) The vulnerability was disclosed on July 3, 2017. CISA has identified CVE-2017-9248 as being exploited in the wild, but it is not currently known to be used in ransomware campaigns.

Technical details

The vulnerability stems from improper protection and encryption of sensitive cryptographic keys used in Telerik UI for ASP.NET AJAX and Sitefinity. The DialogParametersEncryptionKey and/or MachineKey are not adequately protected or encrypted, allowing attackers to extract or derive these keys. Once obtained, these keys can be leveraged to bypass cryptographic mechanisms that protect various components of the application. (NVD, Progress Software Security Advisory)

The vulnerability is classified as CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), CWE-330 (Use of Insufficiently Random Values), CWE-326 (Inadequate Encryption Strength), CWE-311 (Missing Encryption of Sensitive Data) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.

Impact

Successful exploitation of this vulnerability can lead to multiple critical impacts: (1) MachineKey disclosure/derivation, which can compromise all cryptographic protections in the ASP.NET application; (2) Arbitrary file uploads, allowing attackers to upload malicious files to the server; (3) Arbitrary file downloads, enabling attackers to exfiltrate sensitive files; (4) Cross-site scripting (XSS) attacks through compromised ViewState; (5) Compromise of encrypted session data and authentication tokens; (6) Complete takeover of the affected ASP.NET application. (Progress Software Advisory, Telerik Security Advisory)

Mitigation and workarounds

For Telerik UI for ASP.NET AJAX: upgrade to R2 2017 SP1 (2017.2.503) or a later version. This release includes improved cryptographic key protection and proper encryption of sensitive parameters. For Sitefinity: upgrade to version 10.0.6412.0 or later. Both upgrades include patches that properly encrypt and protect the DialogParametersEncryptionKey and ensure the MachineKey is not exposed through this vulnerability vector. (Progress Software, Telerik) In summary, the fixed versions are Telerik UI for ASP.NET AJAX R2 2017 SP1 (2017.2.503) and later, and Sitefinity 10.0.6412.0 and later.
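As an added example (not part of this advisory or of the vendor's code), the following Python script reads a constructed web.config, pulls the Telerik.Web.UI assembly reference out of the compilation section and compares its version with the fixed version stated above, 2017.2.503; the Sitefinity assembly name used in the table is an assumption.

```python
"""Check web.config assembly references against the fixed versions in this advisory."""
import re
import xml.etree.ElementTree as ET

# Minimum fixed versions from the advisory. Telerik.Web.UI assembly versions
# carry a fourth component for the target framework (e.g. 2017.2.503.45),
# so only as many components as the fixed version has are compared.
FIXED = {
    "Telerik.Web.UI": (2017, 2, 503),
    "Telerik.Sitefinity": (10, 0, 6412),  # assumption: assembly name used by Sitefinity
}

# Matches the start of an assembly attribute: "<name>, Version=<a.b.c.d>, ..."
ASSEMBLY_RE = re.compile(r"^\s*([\w.]+)\s*,\s*Version\s*=\s*([\d.]+)", re.I)


def parse_version(text):
    """'2017.1.118.45' -> (2017, 1, 118, 45); non-numeric input raises ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


def is_fixed(version, fixed):
    """True when the installed version is at least the fixed version.

    A version with fewer components than the fixed one (e.g. '2017.2') is
    treated as older, which is the conservative answer for patch tracking.
    """
    installed = parse_version(version)[: len(fixed)]
    return installed >= tuple(fixed)


def vulnerable_assemblies(web_config_xml):
    """Return [(assembly name, version)] for referenced assemblies below the fixed version."""
    root = ET.fromstring(web_config_xml)
    findings = []
    for add in root.iter("add"):  # only <add assembly="..."> entries are of interest
        match = ASSEMBLY_RE.match(add.get("assembly", ""))
        if not match:
            continue
        name, version = match.group(1), match.group(2)
        fixed = FIXED.get(name)
        if fixed and not is_fixed(version, fixed):
            findings.append((name, version))
    return findings


# Constructed sample web.config with a pre-fix Telerik.Web.UI reference.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.5">
      <assemblies>
        <add assembly="Telerik.Web.UI, Version=2017.1.118.45, Culture=neutral" />
        <add assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral" />
      </assemblies>
    </compilation>
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for name, version in vulnerable_assemblies(SAMPLE_WEB_CONFIG):
        print(f"{name} {version} is below the fixed version {FIXED[name]}")
```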

As temporary workarounds: (1) implement network-level access controls to restrict access to Telerik UI endpoints and dialogs, and use a web application firewall (WAF) with rules to detect and block attempts to exploit the DialogParameters encryption weakness; (2) disable Telerik UI dialogs and features that are not strictly necessary for the application, which reduces the attack surface; (3) apply custom encryption to sensitive data in ViewState and session tokens in addition to the application-level protections, adding cryptographic layers beyond ASP.NET's default mechanisms; and (4) monitor for suspicious file upload/download activity and unusual ViewState modifications, with robust logging of cryptographic operations.

CISA's recommendation: Apply updates per vendor instructions.

Source: This report was generated using AI

Related Progress Vulnerabilities

No related vulnerabilities found with identified affected products.