Description

A third party organization has identified a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to the disclosure of encryption keys (Telerik.Web.UI.DialogParametersEncryptionKey and/or the MachineKey).

Remediation

To ensure your application is not exposed to such a risk, there are the following mitigation paths:

  • Use a patch for versions between Q1 2013 (2013.1.220) and R2 2017 (2017.2.503).
  • Use a patch for some versions between Q1 2011 (2011.1.315) and Q3 2012 SP2(2012.3.1308).
  • If you are on active maintenance, upgrade to R2 2017 SP1 (2017.2.621) or later.
  • Prevent access to the Telerik Dialog Handler.

References

Cryptographic Weakness

Pwning Web Applications via Telerik Web UI

Telerik UI for ASP.NET AJAX Release History

Telerik RadAsyncUpload Security Documentation

Related Vulnerabilities

WordPress plugin WPtouch insecure nonce generation

Insecure Transportation Security Protocol Supported (SSLv3)

Insecure Transportation Security Protocol Supported (TLS 1.1)

The Heartbleed Bug

Padding oracle attack

Severity

High

Classification

CVE-2017-9248 CWE-338 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Weak Crypto