Alert - Active Exploitation of the Telerik UI for ASP.NET AJAX

Number: AL19-010
Date: 29 May 2019

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Assessment

The Cyber Centre is currently aware of publicly available exploits being leveraged against websites that use Telerik UI for ASP.NET AJAX. Telerik UI is a control library used to add user interface elements to ASP.NET websites and web applications. The vulnerability is the result of a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to recover the encryption keys the component relies on. Successful exploitation could result in cross-site scripting (XSS), the leak of the ASP.NET MachineKey, the compromise of the ASP.NET ViewState (with a known MachineKey an attacker can forge a validly signed ViewState that the server deserializes, which leads to remote code execution), and arbitrary file uploads and downloads. The issues are tracked as CVE-2017-9248 (the cryptographic weakness itself) and CVE-2017-11317 and CVE-2017-11357 (insufficient restriction of input to the RadAsyncUpload file-upload handler, enabling arbitrary file upload). The vulnerable versions of Telerik UI for ASP.NET AJAX are all versions published between 2007 and 2017. Telerik has issued a patch to address this vulnerability.

It should be noted that Telerik is often shipped as a third-party component inside another product (Progress Sitefinity is one example; see the Telerik security alert in the references) and thus may be present without the administrator's knowledge. Administrators may need to manually check for the presence of this .dll, as outlined in the suggested actions below.

Suggested actions

  • Identify devices with Telerik installed. As the vulnerability is specific to the Telerik.Web.UI.dll file, searching for this file under the web application root directory (it normally sits in the application's bin directory) can be helpful in determining whether Telerik is in use and, if so, which version. The Australian Cyber Security Centre has provided a sample PowerShell script (see APPENDIX A) that may prove useful in determining the existence of vulnerable Telerik.Web.UI.dll files within a given directory; save it as a .ps1 file and run it with -searchDir pointing at the IIS web root (by default C:\inetpub\wwwroot). The search covers only the directory given: if Telerik was installed machine-wide with its installer rather than copied into the application, a copy may also be registered in the Global Assembly Cache and should be checked there.
  • An alternative or complement to the action above is to scrutinize web server and/or web application logs for Telerik resources being requested. Specifically, the following resources are requested through HTTP GET and POST requests when using the publicly available exploitation technique: Telerik.Web.UI.DialogHandler.aspx and Telerik.Web.UI.WebResource.axd. The key-recovery step is a brute force, so it shows up as a high volume of DialogHandler.aspx requests from a single client with differing values of the dp query parameter; file upload through RadAsyncUpload appears as POST requests to Telerik.Web.UI.WebResource.axd with type=rau in the query string. Because WebResource.axd also serves legitimate script resources, filter on the query string rather than on the resource name alone.
  • Once devices with Telerik installed have been identified, system administrators are encouraged to review the following Telerik Knowledgebase Article and apply the necessary updates, including generating new encryption keys for the UI and MachineKey: https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness . Updating the assembly alone does not revoke keys an attacker may already have recovered, so the key rotation is part of the fix rather than an optional step; a host on which the request patterns above are found should also be treated as potentially compromised and examined for unexpected uploaded files.
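The log review in the second action above can be automated. The following Python script is an added example written for this page; it is not part of the Cyber Centre's or the ACSC's guidance. It parses IIS W3C extended log lines (the #Fields directive names the columns) and counts, per client address, requests to Telerik.Web.UI.DialogHandler.aspx and POST requests to Telerik.Web.UI.WebResource.axd carrying type=rau. The sample log lines, the client addresses and the threshold of 50 DialogHandler requests are constructed assumptions; the threshold should be tuned against your own baseline, since users opening RadEditor dialogs also reach DialogHandler.aspx, just not hundreds of times from one address.

```python
"""Flag the Telerik request patterns described in this Alert in IIS W3C extended logs."""
from collections import defaultdict
from urllib.parse import parse_qs

DIALOG_HANDLER = "/telerik.web.ui.dialoghandler.aspx"   # key brute-force target (dp= parameter)
WEB_RESOURCE = "/telerik.web.ui.webresource.axd"        # RadAsyncUpload handler when type=rau

# Constructed sample log, not real traffic: 198.51.100.9 hammers the DialogHandler with
# varying dp values and then POSTs to the upload handler; 203.0.113.7 is ordinary browsing.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-05-28 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2019-05-28 10:00:02 10.0.0.5 GET /Telerik.Web.UI.DialogHandler.aspx dp=AAAA 443 - 198.51.100.9 python-requests/2.21 500
2019-05-28 10:00:02 10.0.0.5 GET /Telerik.Web.UI.DialogHandler.aspx dp=AAAB 443 - 198.51.100.9 python-requests/2.21 500
2019-05-28 10:00:03 10.0.0.5 GET /Telerik.Web.UI.DialogHandler.aspx dp=AAAC 443 - 198.51.100.9 python-requests/2.21 200
2019-05-28 10:00:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.9 python-requests/2.21 200
2019-05-28 10:05:00 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00_RadScriptManager1 443 - 203.0.113.7 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the column names from the #Fields directive.

    IIS writes a fresh #Fields line whenever the log is rotated or the field set changes,
    so the header is re-read each time it appears. Values never contain spaces (IIS
    substitutes '+'), which is what makes a plain split safe.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line appears before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                      # truncated or damaged line: skip, don't abort the scan
        yield dict(zip(fields, values))


def summarize(text):
    """Per client IP: DialogHandler hits, the distinct dp values tried, and type=rau POSTs."""
    per_ip = defaultdict(lambda: {"dialog_hits": 0, "dialog_dp": set(), "rau_posts": 0})
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        query = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"]
        params = parse_qs(query)
        if stem.endswith(DIALOG_HANDLER):
            entry = per_ip[rec["c-ip"]]
            entry["dialog_hits"] += 1
            entry["dialog_dp"].update(params.get("dp", []))
        elif (stem.endswith(WEB_RESOURCE) and rec["cs-method"].upper() == "POST"
              and any(t.lower() == "rau" for t in params.get("type", []))):
            per_ip[rec["c-ip"]]["rau_posts"] += 1
    return dict(per_ip)


def findings(text, dialog_threshold=50):
    """Return (client_ip, indicator, count) tuples worth investigating.

    dialog_threshold is an assumed starting point: the key-recovery brute force sends far
    more than 50 DialogHandler requests, while a user opening RadEditor dialogs sends a few.
    Any POST to the upload handler on a host that does not use RadAsyncUpload is reportable.
    """
    out = []
    for ip, s in summarize(text).items():
        if s["dialog_hits"] >= dialog_threshold:
            out.append((ip, "dialoghandler-bruteforce", s["dialog_hits"]))
        if s["rau_posts"]:
            out.append((ip, "rau-upload-post", s["rau_posts"]))
    return sorted(out)


if __name__ == "__main__":
    import sys
    log_text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, indicator, count in findings(log_text):
        print(f"{ip}\t{indicator}\t{count}")
```

Run it with the path to an exported IIS log (for example one of the u_ex*.log files under the site's log directory) or with no argument to process the embedded sample. Matching is done on the end of cs-uri-stem so that applications hosted below a virtual directory are covered, and the two indicators are kept separate because a single type=rau POST is meaningful on its own while DialogHandler traffic only becomes meaningful in volume.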
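The key rotation called for in the third action above, as an added example that is not part of this Alert or of Telerik's own material: a web.config fragment showing where the keys live. The three appSettings names are Telerik's own configuration keys for the dialog handler and the RadAsyncUpload handler; the machineKey element and its attributes are standard ASP.NET. The placeholder values are not keys and must be replaced with output from a cryptographically secure random source (the IIS Manager "Machine Key" feature can generate the machineKey pair); each value must be distinct and must not be shared across applications or environments.

```xml
<configuration>
  <appSettings>
    <!-- Keys consumed by Telerik.Web.UI: set all three, each a separate long random string. -->
    <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="REPLACE_WITH_RANDOM_STRING_1" />
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="REPLACE_WITH_RANDOM_STRING_2" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="REPLACE_WITH_RANDOM_STRING_3" />
  </appSettings>
  <system.web>
    <!-- Explicit keys rather than AutoGenerate, so every node in a farm validates the same ViewState:
         128 hex characters (64 bytes) for HMACSHA256 validation, 64 hex characters (32 bytes) for AES. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

Changing the machineKey invalidates every ViewState, forms-authentication ticket and encrypted cookie issued under the old key; users will be signed out and in-flight postbacks will fail once, which is the intended effect when the old key may already be in an attacker's hands.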

Appendix A - PowerShell script to locate Telerik.Web.UI.dll files

[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [String]$searchDir
)

# Vulnerable versions listed in the Burp Suite extension Telewreck.py
# Available at https://github.com/capt-meelo/Telewreck/blob/master/telewreck.py
$VULN_VERSIONS = @(
    '2007.1423', '2007.1521', '2007.1626', '2007.2918', '2007.21010', '2007.21107', '2007.31218', '2007.31314', '2007.31425',
    '2008.1415', '2008.1515', '2008.1619', '2008.2723', '2008.2826',
    '2008.21001', '2008.31105', '2008.31125', '2008.31314',
    '2009.1311', '2009.1402', '2009.1527', '2009.2701', '2009.2826', '2009.31103', '2009.31208', '2009.31314',
    '2010.1309', '2010.1415', '2010.1519', '2010.2713', '2010.2826',
    '2010.2929', '2010.31109', '2010.31215', '2010.31317',
    '2011.1315', '2011.1413', '2011.1519', '2011.2712', '2011.2915', '2011.31115', '2011.3.1305',
    '2012.1.215', '2012.1.411', '2012.2.607', '2012.2.724', '2012.2.912',
    '2012.3.1016', '2012.3.1205', '2012.3.1308',
    '2013.1.220', '2013.1.403', '2013.1.417', '2013.2.611', '2013.2.717',
    '2013.3.1015', '2013.3.1114', '2013.3.1324',
    '2014.1.225', '2014.1.403', '2014.2.618', '2014.2.724', '2014.3.1024',
    '2015.1.204', '2015.1.225', '2015.1.401', '2015.2.604', '2015.2.623',
    '2015.2.729', '2015.2.826', '2015.3.930', '2015.3.1111',
    '2016.1.113', '2016.1.225', '2016.2.504', '2016.2.607', '2016.3.914',
    '2016.3.1018', '2016.3.1027',
    '2017.1.118', '2017.1.228', '2017.2.503', '2017.2.621', '2017.2.711',
    '2017.3.913'
)

# In ACSC samples of Telerik.Web.UI.dll the file version has four parts (e.g. '2014.2.724.45'),
# which PowerShell reports as Major.Minor.Build.Revision. Telewreck identifies versions with two
# parts (e.g. '2011.1315') or three parts (e.g. '2013.1.220'), so the revision is dropped and every
# revision of a listed version is treated as vulnerable. Both shapes are tried regardless of the
# year, because '2011.3.1305' already uses the three-part form.
$VersionPattern = '^\s*\d{4}\.(?:\d\.\d{3,4}|\d{4,5})'

Get-ChildItem -Path $searchDir -Filter Telerik.Web.UI.dll -Recurse -ErrorAction SilentlyContinue -Force | ForEach-Object {
    $FileVersion = $_.VersionInfo.FileVersion
    if ([string]::IsNullOrEmpty($FileVersion)) {
        Write-Host -ForegroundColor Yellow "Telerik.Web.UI.dll identified at '$($_.FullName)' but it carries no file version; inspect it manually."
        return   # inside ForEach-Object, 'return' moves on to the next file
    }
    $SimplifiedFileVersion = [regex]::Match($FileVersion, $VersionPattern).Value.Trim()

    if ($VULN_VERSIONS -contains $SimplifiedFileVersion) {
        Write-Host -ForegroundColor Red "Vulnerable Telerik.Web.UI.dll identified at '$($_.FullName)'. Version number '$FileVersion' matches version '$SimplifiedFileVersion' in Telewreck."
    } elseif ($_.VersionInfo.FileMajorPart -lt 2018) {
        Write-Host -ForegroundColor Yellow "Potentially vulnerable Telerik.Web.UI.dll identified at '$($_.FullName)'. Version number '$FileVersion' is not included in the Telewreck vulnerable versions, but falls within the timeframe of vulnerable versions."
    } else {
        Write-Host -ForegroundColor Green "Telerik.Web.UI.dll identified at '$($_.FullName)'. Version number '$FileVersion' is not included in the Telewreck vulnerable versions and falls outside of the vulnerability timeframe."
    }
}

References

Telerik Security Alert: https://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity

Australian Cyber Security Centre Advisory 2019-126: https://www.cyber.gov.au/publications/Advisory-2019-126

Note to readers

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.
