Overview
The Telerik Web UI, versions R2 2017 (2017.2.503) and prior, is vulnerable to a cryptographic weakness which an attacker can exploit to extract encryption keys.
Description
CWE-326: Inadequate Encryption Strength - CVE-2017-9248
The Telerik.Web.UI.dll is vulnerable to a cryptographic weakness which allows an attacker to extract the Telerik.Web.UI.DialogParametersEncryptionKey and/or the MachineKey.
Impact
A remote, unauthenticated attacker could perform arbitrary file uploads and downloads, cross-site scripting attacks, leak the MachineKey, or compromise the ASP.NET ViewState.
Solution
Apply an update
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Temporal | 7.5 | E:ND/RL:ND/RC:ND |
| Environmental | 5.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
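As an added worked example (not part of the CERT note), the script below recomputes the three scores in the table above from their vector strings using the CVSS v2 equations; the metric weights are those of the CVSS v2 specification, and the rounding helper follows its round-to-one-decimal rule.

```python
# Added example: CVSS v2 calculator checked against this note's vectors.
# Metric weights from the CVSS v2 specification; "ND" means "not defined".
W = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.9, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.9, "UR": 0.95, "C": 1.0, "ND": 1.0},
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}
W["IR"] = W["AR"] = W["CR"]  # integrity/availability requirements share CR's weights


def parse(vector):
    """'AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(part.split(":") for part in vector.split("/"))


def r1(x):
    """Round to one decimal, half up, as the CVSS v2 equations require."""
    return int(x * 10 + 0.5) / 10


def cvss2_scores(base_vec, temporal_vec="", env_vec=""):
    """Return (base, temporal, environmental) scores for the given CVSS v2 vectors."""
    m = parse(base_vec)
    for vec in (temporal_vec, env_vec):
        if vec:
            m.update(parse(vec))
    g = lambda k: W[k][m.get(k, "ND")]  # missing temporal/env metrics count as ND

    def base(c_req=1.0, i_req=1.0, a_req=1.0):
        # Environmental requirements (CR/IR/AR) scale each impact weight; impact caps at 10.
        imp = min(10.0, 10.41 * (1 - (1 - g("C") * c_req) * (1 - g("I") * i_req) * (1 - g("A") * a_req)))
        expl = 20 * g("AV") * g("AC") * g("Au")
        f = 0.0 if imp == 0 else 1.176
        return r1(((0.6 * imp) + (0.4 * expl) - 1.5) * f)

    def temporal(b):
        return r1(b * g("E") * g("RL") * g("RC"))

    b = base()
    adjusted_temporal = temporal(base(g("CR"), g("IR"), g("AR")))
    env = r1((adjusted_temporal + (10 - adjusted_temporal) * g("CDP")) * g("TD"))
    return b, temporal(b), env


if __name__ == "__main__":
    # Vectors taken from this note's CVSS Metrics table; expected (7.5, 7.5, 5.6).
    print(cvss2_scores("AV:N/AC:L/Au:N/C:P/I:P/A:P", "E:ND/RL:ND/RC:ND", "CDP:ND/TD:M/CR:ND/IR:ND/AR:ND"))
```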
References
- http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity
- http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness
- http://www.dnnsoftware.com/community-blog/cid/155436/critical-security-update--june-2017
- http://www.dnnsoftware.com/community/security/security-center
Acknowledgements
Telerik thanks Erlend Leiknes, security consultant at Mnemonic AS, and Thanh Van Tien Nguyen for reporting this vulnerability.
This document was written by Trent Novelly.
Other Information
| Field | Value |
|---|---|
| CVE IDs | CVE-2017-9248 |
| Date Public | 2017-06-26 |
| Date First Published | 2017-07-25 |
| Date Last Updated | 2017-07-25 14:21 UTC |
| Document Revision | 13 |