Telerik Web UI Unrestricted File Upload (CVE-2017-11317) - Vulnerability Database

Description

Telerik UI for ASP.NET AJAX contains a critical vulnerability in the RadAsyncUpload component that uses weak, static, or publicly known encryption keys to protect file upload operations. Attackers can exploit these predictable encryption keys to bypass security controls and upload malicious files to the server without authentication. This vulnerability affects multiple versions of Telerik UI and can be exploited remotely over the network.

This vulnerability check uses both active exploitation attempts and passive version detection. When a vulnerable Telerik UI version is identified but exploitation cannot be confirmed, the confidence level is set to 80%. When the vulnerability is successfully exploited and verified, the confidence level is set to 100%, regardless of whether the specific version was previously known to be vulnerable.

Remediation

Take the following steps to remediate this vulnerability:

1. Upgrade Telerik UI for ASP.NET AJAX to the latest version available from the Telerik Release History page. Versions released after the disclosure of CVE-2017-11317 contain security fixes for this issue.

2. Configure custom encryption keys in your web.config file to replace the default keys. Add or update the following configuration with strong, randomly generated keys:

<appSettings>
  <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR-STRONG-RANDOM-KEY-HERE" />
  <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR-STRONG-RANDOM-KEY-HERE" />
  <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="YOUR-STRONG-RANDOM-KEY-HERE" />
</appSettings>

3. Implement file upload restrictions by configuring allowed file extensions and maximum file sizes in the RadAsyncUpload control settings.

4. Review and apply all security recommendations from the official RadAsyncUpload Security Guide, including disabling the control if file upload functionality is not required.

5. Scan for indicators of compromise by reviewing web server logs and uploaded files directories for suspicious activity or unauthorized files that may have been uploaded prior to remediation.
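
An added example, not code from Invicti or Telerik: a Python check for step 2 that flags a web.config where any of the three keys is missing, still set to the template placeholder, short, or shared between settings, plus a helper that emits a block with fresh values. The 32-character floor, the 48-byte `secrets.token_urlsafe` key size, and the function names are assumptions made here.

```python
import secrets
import xml.etree.ElementTree as ET

# The three settings named in remediation step 2.
REQUIRED_KEYS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)
PLACEHOLDER = "YOUR-STRONG-RANDOM-KEY-HERE"  # template value, must not ship
MIN_LENGTH = 32  # assumption: local policy floor, not a vendor figure

def audit_web_config(xml_text):
    """Return {setting name: [findings]} for the Telerik keys in a web.config."""
    settings = {}
    for section in ET.fromstring(xml_text).iter("appSettings"):
        for add in section.findall("add"):
            settings[add.get("key", "")] = add.get("value", "")
    report = {}
    for name in REQUIRED_KEYS:
        value = settings.get(name)
        if value is None:
            report[name] = ["missing"]  # nothing replaces the default key
            continue
        issues = []
        if value == PLACEHOLDER:
            issues.append("placeholder")
        if len(value) < MIN_LENGTH:
            issues.append("too-short")
        if sum(settings.get(k) == value for k in REQUIRED_KEYS) > 1:
            issues.append("reused")  # one leaked value would expose several keys
        report[name] = issues
    return report

def fresh_app_settings():
    """Build an <appSettings> block with an independent random value per key."""
    rows = ['  <add key="%s" value="%s" />' % (k, secrets.token_urlsafe(48))
            for k in REQUIRED_KEYS]
    return "<appSettings>\n" + "\n".join(rows) + "\n</appSettings>"

# Constructed sample: template copied verbatim, third setting left out.
SAMPLE = """<configuration><appSettings>
  <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR-STRONG-RANDOM-KEY-HERE" />
  <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR-STRONG-RANDOM-KEY-HERE" />
</appSettings></configuration>"""

if __name__ == "__main__":
    for name, issues in audit_web_config(SAMPLE).items():
        print(name, "->", ", ".join(issues) or "ok")
```

If `appSettings` is externalized through the `configSource` or `file` attribute, run the check against the referenced file instead.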
