Blue Mockingbird and what it means for Sitefinity

Information

Title: Blue Mockingbird and what it means for Sitefinity
URL Name: Blue-Mockingbird-and-what-it-means-for-Sitefinity
Article Number: 000193769
Environment: Product: Sitefinity
Version: 7.x, 8.x, 9.x, 10.x, 11.x, 12.x
OS: All supported OS versions
Database: All supported Microsoft SQL Server versions
Question/Problem Description

Blue Mockingbird is a malware campaign that compromises many web applications, including Microsoft Internet Information Services (IIS), SharePoint and Citrix. The attack also targets old Telerik UI vulnerabilities that have already been patched.

The attack often exploits the known vulnerabilities CVE-2017-11317 and CVE-2019-18935. Both were fixed when they were found, and Progress notified customers with instructions and mitigation steps.

Sitefinity uses Telerik UI for ASP.NET AJAX components, and Telerik.Web.UI.dll is shipped as part of the Sitefinity solution. Follow the guidance below to make sure Sitefinity is not using an unpatched version of Telerik.Web.UI.dll.

Resolution

For the highest security, we recommend an upgrade to the latest Progress Sitefinity CMS release.

Actions required:

----> For versions 13.0 and up - No action required

Sitefinity 13.0.7300 uses Telerik.Web.UI version 2020.1.114, which is not vulnerable to arbitrary file upload.

----> For versions 10.2 until 12.2

Those versions use patched Telerik.Web.UI versions, but require unique encryption keys in the web.config file:

Telerik.AsyncUpload.ConfigurationEncryptionKey

Telerik.Upload.ConfigurationHashKey

Telerik.Web.UI.DialogParametersEncryptionKey

 

How to apply encryption keys in the web.config file:

Sitefinity has provided a web form to facilitate the generation and insertion of the needed keys in the web.config file:

1. Download this web form:

https://gist.github.com/sitefinitySDK/ce7e7f672ba9ee63e6b502a3ed9cfdab#file-bluemockingbirdskeys-aspx

2. Put it in the root folder of your project.

3. Navigate to yoursite.com/bluemockingbirdskeys.aspx

4. Click the button to have the keys inserted automatically.

5. Double-check that the web.config has the values inserted. They should look like this:

<add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="*******" />

<add key="Telerik.Upload.ConfigurationHashKey" value="*******" />

<add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="*******" />
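The following PowerShell script is an added audit example; it is not part of this article, the Sitefinity product, or the gist linked above. It checks the two conditions the article describes: the version of bin\Telerik.Web.UI.dll against the 2020.1.114 threshold named above, and whether web.config contains the three required keys with non-empty, distinct values that are not the "*******" sample placeholder. It assumes it is run on the web server with $SiteRoot pointing at the folder that holds web.config; the 32-character minimum length is an assumed sanity threshold, not a Telerik requirement.

```powershell
# Added audit script, not part of the Progress article or the Sitefinity gist.
# Assumptions: run on the web server; $SiteRoot holds web.config and bin\Telerik.Web.UI.dll.
# The safe-version threshold and the three key names come from the article.
param(
    [string]$SiteRoot = (Get-Location).Path
)

$SafeVersion  = [version]'2020.1.114'
$RequiredKeys = @(
    'Telerik.AsyncUpload.ConfigurationEncryptionKey',
    'Telerik.Upload.ConfigurationHashKey',
    'Telerik.Web.UI.DialogParametersEncryptionKey'
)

function Get-TelerikVersion {
    param([string]$Root)
    $dll = Join-Path $Root 'bin\Telerik.Web.UI.dll'
    if (-not (Test-Path $dll)) { return $null }
    # FileVersion looks like "2020.1.114.45"; casting to [version] allows numeric comparison.
    return [version](Get-Item $dll).VersionInfo.FileVersion
}

function Test-TelerikKeys {
    param([string]$Root)
    $configPath = Join-Path $Root 'web.config'
    [xml]$config = Get-Content -Path $configPath -Raw
    $findings = @()
    $values   = @{}
    foreach ($name in $RequiredKeys) {
        $node = $config.configuration.appSettings.add | Where-Object { $_.key -eq $name }
        if (-not $node) { $findings += "MISSING: $name is not present in <appSettings>"; continue }
        $value = [string]$node.value
        if ($value.Trim().Length -eq 0) { $findings += "EMPTY: $name has no value"; continue }
        if ($value -match '^\*+$') { $findings += "PLACEHOLDER: $name still holds the ******* sample value"; continue }
        # Assumed sanity threshold: a key this short is unlikely to be a generated random value.
        if ($value.Length -lt 32) { $findings += "SHORT: $name is only $($value.Length) characters" }
        $values[$name] = $value
    }
    # The article requires unique keys, so one value reused across keys is a finding.
    $dupes = $values.Values | Group-Object | Where-Object { $_.Count -gt 1 }
    if ($dupes) { $findings += 'DUPLICATE: the same value is used for more than one Telerik key' }
    return ,$findings
}

$version = Get-TelerikVersion -Root $SiteRoot
if ($null -eq $version) {
    Write-Warning "bin\Telerik.Web.UI.dll not found under $SiteRoot"
} elseif ($version -ge $SafeVersion) {
    Write-Output "Telerik.Web.UI $version is at or above $SafeVersion (no key action required per the article)"
} else {
    Write-Output "Telerik.Web.UI $version is below $SafeVersion; verifying web.config keys"
}

$result = Test-TelerikKeys -Root $SiteRoot
if ($result.Count -eq 0) {
    Write-Output 'OK: all three Telerik keys are present, non-empty, distinct and not placeholders'
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

Run it as `.\Check-TelerikKeys.ps1 -SiteRoot 'C:\inetpub\wwwroot\MySite'` (path is an example). The script only reads files; inserting keys is still done with the web form from the gist, which also skips keys that are already present.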
 

Note : For optimal security, we highly recommend upgrading to the latest available patch.

 

----> For versions 7.0 until 10.1

-> Upgrade Sitefinity to the following versions and apply the keys in the web.config as follows*

I. Upgrade Sitefinity to the latest patch available for your version.

Progress article 000193776: How to apply the latest available patch?

II. Update the keys:

1. Download this web form:

https://gist.github.com/sitefinitySDK/ce7e7f672ba9ee63e6b502a3ed9cfdab#file-bluemockingbirdskeys-aspx

2. Put it in the root folder of your project.

3. Navigate to yoursite.com/bluemockingbirdskeys.aspx

4. Click the button to have the keys inserted automatically.

5. Double-check that the web.config has the values inserted. They should look like this:

<add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="*******" />

<add key="Telerik.Upload.ConfigurationHashKey" value="*******" />

<add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="*******" />

Notes

* The form will not insert new keys if they are already present.
 

Additional references:

Progress article: Security Advisory - Resolving Security Vulnerability CVE-2014-2217, CVE-2017-11317, CVE-2017-11357, CVE-2017-9248 in Sitefinity

Telerik.com blog, Blue Mockingbird vulnerability: https://www.telerik.com/blogs/blue-mockingbird-vulnerability-telerik-guidance

 

Last Modified Date: 11/20/2020 6:52 AM
Disclaimer The origins of the information on this site may be internal or external to Progress Software Corporation (“Progress”). Progress Software Corporation makes all reasonable efforts to verify this information. However, the information provided is for your information only. Progress Software Corporation makes no explicit or implied claims to the validity of this information.

Any sample code provided on this site is not supported under any Progress support program or service. The sample code is provided on an "AS IS" basis. Progress makes no warranties, express or implied, and disclaims all implied warranties including, without limitation, the implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample code is borne by the user. In no event shall Progress, its employees, or anyone else involved in the creation, production, or delivery of the code be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample code, even if Progress has been advised of the possibility of such damages.