Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Telerik.Web.UI.dll Cryptographic Weakness - Vulnerability Database

Telerik.Web.UI.dll Cryptographic Weakness

Description

A third party organization has identified a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to the disclosure of encryption keys (Telerik.Web.UI.DialogParametersEncryptionKey and/or the MachineKey).

Remediation

To ensure your application is not exposed to such a risk, there are the following mitigation paths: <ul> <li>Use a patch for versions between Q1 2013 (2013.1.220) and R2 2017 (2017.2.503).</li> <li>Use a patch for some versions between Q1 2011 (2011.1.315) and Q3 2012 SP2(2012.3.1308).</li> <li>If you are on active maintenance, upgrade to R2 2017 SP1 (2017.2.621) or later.</li> <li>Prevent access to the Telerik Dialog Handler.</li> </ul>

References

Cryptographic Weakness
Pwning Web Applications via Telerik Web UI
Telerik UI for ASP.NET AJAX Release History
Telerik RadAsyncUpload Security Documentation

Related Vulnerabilities

HTTPS connection uses outdated TLS version Medium
Common tags: Weak Crypto
WordPress plugin WPtouch insecure nonce generation High
Common tags: Weak Crypto
TLS/SSL Sweet32 attack Medium
Common tags: Weak Crypto
TLS/SSL (EC)DHE Key Reuse Information
Common tags: Weak Crypto
SSL/TLS Not Implemented Medium
Common tags: Weak Crypto

Severity

High

Classification

CVE-2017-9248
CWE-338
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Weak Crypto