Alert - Active Exploitation of the Telerik UI for ASP.NET AJAX

Number: AL19-010
Date: 29 May 2019

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Assessment

The Cyber Centre is currently aware of publicly available exploits being leveraged against websites that use the Telerik UI for ASP.NET AJAX. The Telerik UI is used to add User Interface elements to websites and web applications. The vulnerability is the result of a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to the disclosure of encryption keys. The successful exploitation of this vulnerability could result in cross-site-scripting (XSS) compromises, the leak of cryptographic MachineKeys, the compromise of the ASP.NET ViewState, and could allow arbitrary file uploads and downloads. This vulnerability can be referenced by CVE-2017-9248, CVE-2017-11317, and CVE-2017-11357. The vulnerable versions of Telerik UI for ASP.NET AJAX are any versions published between 2007 and 2017. Telerik has issued a patch to address this vulnerability.

It should be noted that Telerik is sometimes installed as a third party component and thus it may be present unbeknownst to the administrator. Administrators may need to manually check for the presence of this .dll, as outlined in the suggested actions below.

Suggested actions

  • Identify devices with Telerik installed. As the vulnerability is specific to the Telerik.Web.UI.dll file, searching for this file in the web application root directory can be helpful in determining whether Telerik is being used and, if so, what version. The Australian Cyber Security Centre has provided a sample PowerShell script (see APPENDIX A) that may prove useful in determining the existence of vulnerable Telerik.Web.UI.dll files within a given directory.
  • An alternative or complement to the suggested action above is to scrutinize web server and/or web application logs for Telerik resources being requested. Specifically, the following resources are requested through HTTP GET and POST requests when using the publically available exploitation technique: Telerik.Web.UI.DialogHandler.aspx and Telerik.Web.UI.WebResource.axd.
  • Once devices with Telerik installed have been identified, system administrators are encouraged to review the following Telerik Knowledgebase Article and apply the necessary updates, including generating new encryption keys for the UI and MachineKey: https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness

Appendix A - PowerShell script to locate Telerik.Web.UI.dll files

[CmdletBinding()]
param(
[Parameter(Mandatory=$true)]
[String]$searchDir
)
# Vulnerable versions listed in Burp Suite extension Telewreck.py
# Available at https://github.com/capt-meelo/Telewreck/blob/master/telewreck.py
$VULN_VERSIONS = @(
'2007.1423', '2007.1521', '2007.1626', '2007.2918', '2007.21010', '2007.21107', '2007.31218', '2007.31314', '2007.31425',
'2008.1415', '2008.1515', '2008.1619', '2008.2723', '2008.2826',
'2008.21001', '2008.31105', '2008.31125', '2008.31314',
'2009.1311', '2009.1402', '2009.1527', '2009.2701', '2009.2826', '2009.31103', '2009.31208', '2009.31314',
'2010.1309', '2010.1415', '2010.1519', '2010.2713', '2010.2826',
'2010.2929', '2010.31109', '2010.31215', '2010.31317',
'2011.1315', '2011.1413', '2011.1519', '2011.2712', '2011.2915', '2011.31115', '2011.3.1305',
'2012.1.215', '2012.1.411', '2012.2.607', '2012.2.724', '2012.2.912',
'2012.3.1016', '2012.3.1205', '2012.3.1308',
'2013.1.220', '2013.1.403', '2013.1.417', '2013.2.611', '2013.2.717',
'2013.3.1015', '2013.3.1114', '2013.3.1324',
'2014.1.225', '2014.1.403', '2014.2.618', '2014.2.724', '2014.3.1024',
'2015.1.204', '2015.1.225', '2015.1.401', '2015.2.604', '2015.2.623',
'2015.2.729', '2015.2.826', '2015.3.930', '2015.3.1111',
'2016.1.113', '2016.1.225', '2016.2.504', '2016.2.607', '2016.3.914',
'2016.3.1018', '2016.3.1027',
'2017.1.118', '2017.1.228', '2017.2.503', '2017.2.621', '2017.2.711',
'2017.3.913'
)
Get-ChildItem -Path $searchDir -Filter Telerik.Web.UI.dll -Recurse -ErrorAction SilentlyContinue -Force | foreach-object {
# In ACSC samples of the Telerik.Web.UI.dll the version number is 4 "octets" (e.g. '2014.2.724.45'), PowerShell reports this as "Major"."Minor"."Build"."Revision".
# Telewreck crafts requests using version numbers between 2 and 3 octets long, it is assumed that all revisions are vulnerable.
if ($_.VersionInfo.FileMajorPart -lt 2012) {
$SimplifiedFileVersion = ($_.VersionInfo.FileVersion | Select-String -Pattern "\d{4}\.\d{4,5}").Matches.Value
} else {
$SimplifiedFileVersion = ($_.VersionInfo.FileVersion | Select-String -Pattern "\d{4}\.\d{1}\.\d{3,4}").Matches.Value
}
if ($VULN_VERSIONS -contains $SimplifiedFileVersion) {
Write-Host -ForegroundColor Red "Vulnerable Telerik.Web.UI.dll identified at '$($_.FullName)'. Version number $($_.VersionInfo.FileVersion)' matches version '$($SimplifiedFileVersion)' in Telewreck."
} else {
if ($_.VersionInfo.FileMajorPart -lt 2018) {
Write-Host -ForegroundColor Yellow "Potentially vulnerable Telerik.Web.UI.dll identified at '$($_.FullName)'. Version number '$($_.VersionInfo.FileVersion)' is not included in the Telewreck 
vulnerable versions, but falls within timeframe of vulnerable versions."
} else {
Write-Host -ForegroundColor Green "Telerik.Web.UI.dll identified at '$($_.FullName)'. Version number '$($_.VersionInfo.FileVersion)' is not included in the Telewreck vulnerable versions and falls outside of the vulnerability timeframes."
}
}
}

References

Telerik Security Alert: https://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity

Australian Cyber Security Centre Advisory 2019-126: https://www.cyber.gov.au/publications/Advisory-2019-126

Note to readers

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.

Date modified: