
Security Advisory Resolving Security Vulnerability CVE-2014-2217 , CVE-2017-11317 , CVE-2017-11357 , CVE-2017-9248 in Sitefinity


Article Number: 000082407
Environment:
Product: Sitefinity
Version: 5.x, 6.x, 7.x, 8.x, 9.x, 10.0, 10.1
OS: All supported OS versions
Database: All supported Microsoft SQL Server versions
Question/Problem Description
Security vulnerabilities were identified in Sitefinity CMS.

They are present in one of the assemblies distributed with Sitefinity CMS, Telerik.Web.UI.dll. The vulnerabilities affect the Telerik DialogHandler and RadAsyncUpload. For more information on the nature of the vulnerabilities, see the Telerik KB articles linked under Additional information below. The issues have been investigated and addressed, and it is strongly recommended that one of the sets of steps below be followed to ensure the safety and security of your web sites.
Resolution
  • To protect your website, we encourage you to carefully review the information below and follow the steps that apply to your Sitefinity site.
  • The information presented here is informative; taking action to apply the steps in this article is desirable, but not mandatory.
  • Estimated time to complete the steps in this article: 10-30 minutes.

Summary

  • All Sitefinity CMS versions should apply the provided security patch.
    • In addition to applying the patch, Sitefinity CMS versions 5.4 and higher should take the additional steps described below that are applicable to each version.
    • Sitefinity CMS sites that have applied a patch prior to August 17th, 2017 need to download and apply the updated patch.

Steps to take

For Sitefinity 10.0 and 10.1

  1. Apply the security patch. See section Applying the Security Patch below.
  2. Update the web.config file by adding the following keys in the <appSettings> section, replacing each value with a newly generated key:
<appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR-FIRST-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR-SECOND-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
    <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="YOUR-THIRD-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
</appSettings>
     How do you get the key that must replace the "YOUR-FIRST-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" placeholder?
     You can use any method to generate a strong key (it is like a very complex password). One option is to use the Machine Key feature in IIS Manager:
         2.1. Open the Machine Key feature in IIS Manager.
         2.2. Generate a strong key.
         2.3. Copy the generated key into the value of each of the keys above. Use a distinct key for each entry.
     For more information on these keys and how to generate them, refer to the Telerik UI for ASP.NET AJAX documentation for Security: http://docs.telerik.com/devtools/aspnet-ajax/controls/editor/functionality/dialogs/security
  3. If you are using a hard-coded machine key in the web.config file, we strongly recommend generating a new one.
Note: The values of the keys described in steps 2 and 3 must be unique to the app and generated using a tool of your choice.
Note: When <add key="Telerik.Web.DisableAsyncUploadHandler" value="true" /> is used, it disables uploads through RadAsyncUpload, which is used by the Upload button in Administration > File Manager.
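Steps 2 and 3 above, scripted as an added example that is not part of this article or of Sitefinity: each key is drawn from the .NET CSPRNG rather than the IIS Manager Machine Key dialog, the three <appSettings> entries are written or updated in place, and a hard-coded <machineKey> is reported but left alone. The web.config path is an assumption; for Sitefinity 5.4 to 9.2 pass only the two key names that section lists.

```powershell
# Added example (not from the Progress KB article or from Sitefinity): generate distinct strong
# random keys with the .NET CSPRNG and write them into <appSettings> of a Sitefinity web.config.
# Assumes PowerShell 5.1+ on the IIS host; $WebConfigPath is an assumed location.
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\MySitefinitySite\web.config',
    # Sitefinity 10.0/10.1 need all three; for 5.4 to 9.2 pass only the two keys that section lists
    [string[]]$SettingNames = @(
        'Telerik.AsyncUpload.ConfigurationEncryptionKey',
        'Telerik.Upload.ConfigurationHashKey',
        'Telerik.Web.UI.DialogParametersEncryptionKey'
    )
)

function New-StrongKey {
    # 32 bytes from the CSPRNG, hex encoded: 64 characters, nothing that needs escaping in XML
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Set-AppSetting {
    # Adds <add key="..." value="..." /> under <appSettings>, or updates an existing entry in place
    param([System.Xml.XmlDocument]$Config, [string]$Key, [string]$Value)
    $appSettings = $Config.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $appSettings) {
        $appSettings = $Config.DocumentElement.AppendChild($Config.CreateElement('appSettings'))
    }
    $node = $appSettings.SelectSingleNode("add[@key='$Key']")
    if ($null -eq $node) {
        $node = $appSettings.AppendChild($Config.CreateElement('add'))
        $node.SetAttribute('key', $Key)
    }
    $node.SetAttribute('value', $Value)
}

# Keep a copy first: the article asks for a backup before touching a production site
Copy-Item -Path $WebConfigPath -Destination ("{0}.bak-{1}" -f $WebConfigPath, (Get-Date -Format 'yyyyMMddHHmmss'))

$config = New-Object System.Xml.XmlDocument
$config.PreserveWhitespace = $true     # keep the file's existing layout on save
$config.Load($WebConfigPath)

# One fresh key per setting; stop if the generator ever handed back a duplicate
$generated = @{}
foreach ($name in $SettingNames) { $generated[$name] = New-StrongKey }
if (@($generated.Values | Sort-Object -Unique).Count -ne $generated.Count) {
    throw 'Generated keys are not distinct; aborting without changing web.config'
}
foreach ($entry in $generated.GetEnumerator()) {
    Set-AppSetting -Config $config -Key $entry.Key -Value $entry.Value
}

# Report (do not rewrite) a hard-coded <machineKey>: the article recommends a new one, but rotating
# it also invalidates existing forms-authentication tickets and ViewState, so do that deliberately.
if ($null -ne $config.SelectSingleNode('/configuration/system.web/machineKey[@validationKey]')) {
    Write-Warning 'web.config has a hard-coded <machineKey>; generate a new one as the article recommends.'
}

$config.Save($WebConfigPath)   # IIS notices the changed web.config and restarts the application
Write-Host "Wrote $($SettingNames.Count) Telerik keys to $WebConfigPath"
```

Save it as a .ps1 file and run it as the account that owns the site folder, e.g. `.\Set-TelerikKeys.ps1 -WebConfigPath 'D:\sites\mysite\web.config'` (script name assumed). Saving web.config restarts the application, so run it in a maintenance window and verify the site afterwards, as the article's notes require.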


For Sitefinity versions 5.4 to 9.2 inclusive

  1. Apply the security patch. See section Applying the Security Patch below.
  2. Update the web.config file by adding the following keys in the <appSettings> section, replacing each value with a newly generated key:
<appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR-FIRST-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
    <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="YOUR-THIRD-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
</appSettings>
     How do you get the key that must replace the "YOUR-FIRST-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" placeholder?
     You can use any method to generate a strong key (it is like a very complex password). One option is to use the Machine Key feature in IIS Manager:
         2.1. Open the Machine Key feature in IIS Manager.
         2.2. Generate a strong key.
         2.3. Copy the generated key into the value of each of the keys above. Use a distinct key for each entry.
     For more information on these keys and how to generate them, refer to the Telerik UI for ASP.NET AJAX documentation for Security: http://docs.telerik.com/devtools/aspnet-ajax/controls/editor/functionality/dialogs/security
  3. Turn off the “AsyncUploadHandler”. By default, these Sitefinity versions do not rely on this handler for the most part but implement a custom secured one for uploading files. The exception is the File Manager feature found under Administration > File Manager, which will not work until the Sitefinity CMS is upgraded to version 10 or higher (Sitefinity documentation, upgrade procedure: https://www.progress.com/documentation/sitefinity-cms/10/upgrade).
    3.1. Set the “Telerik.Web.DisableAsyncUploadHandler” key in the <appSettings> section of the web.config file to true:
<appSettings>
    <add key="Telerik.Web.DisableAsyncUploadHandler" value="true" />
</appSettings>
  4. If you are using a hard-coded machine key in the web.config file, we strongly recommend generating a new one.


For Sitefinity versions 4.0 to 5.3 inclusive

  1. Apply the security patch. See section Applying the Security Patch below.
  2. Prevent POST requests to the “AsyncUploadHandler”.
    2.1. Change the Telerik.Web.UI.WebResource handler registration to only allow HTTP GET requests:
<system.webServer>
  <handlers>
    <remove name="Telerik_Web_UI_WebResource_axd" />
    <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="GET" preCondition="integratedMode" />
  </handlers>
</system.webServer>
  3. If you are using a hard-coded machine key in the web.config file, we strongly recommend generating a new one.
Note: The values of the keys described in step 3 must be unique to the app and generated using a tool of your choice.


For Sitefinity version below 4.0

  1. Disable access to the Telerik Dialog Handler using the steps in the Telerik UI for ASP.NET AJAX KB article, Cryptographic Weakness: http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness#prevent-access
  2. Prevent POST requests to the “AsyncUploadHandler”.
    2.1. Change the Telerik.Web.UI.WebResource handler registration to only allow HTTP GET requests.
NOTE: This setting disables the functionality to upload a file from Administration > File Manager. To use this functionality again, it is recommended to upgrade to a later Sitefinity version, preferably Sitefinity 10.2 or above (Sitefinity documentation, upgrade procedure: https://www.progress.com/documentation/sitefinity-cms/10/upgrade).
<system.webServer>
  <handlers>
    <remove name="Telerik_Web_UI_WebResource_axd" />
    <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="GET" preCondition="integratedMode" />
  </handlers>
</system.webServer>
  3. If you are using a hard-coded machine key in the web.config file, we strongly recommend generating a new one.
Note: The values of the keys described in step 3 must be unique to the app and generated using a tool of your choice.

Note: A Sitefinity upgrade to the latest version is always recommended to get the latest fixes and additional settings to protect your website.


Applying the Security Patch

Who should apply the Security Patch

  • If the patch was already applied after August 17th, 2017, skip this section.
  • If no patch has been applied, proceed with the steps below
  • If the patch was applied prior to August 17th, 2017, you need to apply the newer version following the steps below. 


How to apply the Security Patch

Security patches are provided for Sitefinity versions 4.0 and above. They are distributed as ZIP files and are available for download in your Sitefinity.com account (https://www.telerik.com/account/my-downloads?pid=725):
  1. Go to the downloads page and choose "Sitefinity CMS".
  2. On the next page, in the "Versions" dropdown, choose the Sitefinity version your website uses.
  3. In the Patch section, download the .zip file named "SecurityPatch_<VersionNumber>.zip".
The patch contains a single binary file – Telerik.Web.UI.dll – with the same build version as the original Telerik.Web.UI.dll assembly used in your site. There is no need to rebuild your Sitefinity code or add <bindingRedirect> elements to the web.config file. Download the patch, extract its contents and paste the file directly into your Sitefinity website's /bin folder, replacing the existing Telerik.Web.UI.dll. Your website will restart and start using the patched Telerik.Web.UI code.

If your Sitefinity website is running on one of the Sitefinity internal builds (http://www.sitefinity.com/developer-network/forums/internal-builds), follow the same approach outlined in the paragraph above.  Please note that the patches in Your Account are listed for official versions only. If you are running on an internal build of a particular Sitefinity version, please download the patch for the respective major version. For example, if your website is running on the latest internal build for version 9.1 (9.1.6151), download the patch for version 9.1 official (9.1.6100) -  SecurityPatch_9_1_6100.zip from Your Account.
 

Check if the patch is applied

To check whether the patch is applied to the site, go to the site's /bin folder, locate Telerik.Web.UI.dll and right-click it. Go to Properties and then Details. The File Description must state "Telerik.Web.UI.Sitefinity.Patch".
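The per-version steps above (keys in <appSettings>, DisableAsyncUploadHandler, the GET-only handler registration, the hard-coded machine key) and the File Description check just described, gathered into one audit script. This is an added example, not part of this article or of Sitefinity: it reads the site's web.config and bin\Telerik.Web.UI.dll and reports which of the article's settings are missing for the version band you name. The site root path is an assumption; the version-band names are labels chosen here to match the article's sections.

```powershell
# Added example (not from the Progress KB article or from Sitefinity): audit one Sitefinity site
# against the steps this article gives for its version band. Assumes PowerShell 5.1+ on the
# IIS host; $SiteRoot is an assumed path and must contain web.config and \bin.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot\MySitefinitySite',
    [ValidateSet('10.x', '5.4-9.2', '4.0-5.3', 'pre-4.0')]
    [string]$VersionBand = '10.x'
)

$PlaceholderPattern = 'YOUR-.*-UNIQUE-TO-YOUR-APP'   # the sample values from this article; must never ship

function Get-AppSettingValue {
    param([System.Xml.XmlDocument]$Config, [string]$Key)
    $node = $Config.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if ($null -eq $node) { return $null }
    return $node.GetAttribute('value')
}

function Test-SitefinityTelerikHardening {
    param([string]$Root, [string]$Band)
    $findings = New-Object System.Collections.Generic.List[string]
    $config = New-Object System.Xml.XmlDocument
    $config.Load((Join-Path $Root 'web.config'))

    # 1. Keys the steps for this band require: present, not the placeholder, and distinct from each other
    $requiredKeys = switch ($Band) {
        '10.x'    { 'Telerik.AsyncUpload.ConfigurationEncryptionKey', 'Telerik.Upload.ConfigurationHashKey', 'Telerik.Web.UI.DialogParametersEncryptionKey' }
        '5.4-9.2' { 'Telerik.AsyncUpload.ConfigurationEncryptionKey', 'Telerik.Web.UI.DialogParametersEncryptionKey' }
        default   { @() }
    }
    $values = @{}
    foreach ($name in $requiredKeys) {
        $v = Get-AppSettingValue -Config $config -Key $name
        if ([string]::IsNullOrWhiteSpace($v))  { $findings.Add("$name is missing or empty") }
        elseif ($v -match $PlaceholderPattern) { $findings.Add("$name still holds the placeholder value from the article") }
        else                                   { $values[$name] = $v }
    }
    if ($values.Count -gt 1 -and @($values.Values | Sort-Object -Unique).Count -ne $values.Count) {
        $findings.Add('Two or more Telerik keys share the same value; the article asks for distinct keys')
    }

    # 2. AsyncUploadHandler exposure, checked the way the steps for this band close it off
    switch ($Band) {
        '5.4-9.2' {
            if ((Get-AppSettingValue -Config $config -Key 'Telerik.Web.DisableAsyncUploadHandler') -ne 'true') {
                $findings.Add('Telerik.Web.DisableAsyncUploadHandler is not set to true')
            }
        }
        { $_ -in '4.0-5.3', 'pre-4.0' } {
            $handler = $config.SelectSingleNode("/configuration/system.webServer/handlers/add[@name='Telerik_Web_UI_WebResource_axd']")
            if ($null -eq $handler -or $handler.GetAttribute('verb') -ne 'GET') {
                $findings.Add('Telerik_Web_UI_WebResource_axd handler registration is not limited to verb="GET"')
            }
        }
    }

    # 3. A hard-coded <machineKey> is reported, not rewritten: rotating it is the operator's decision
    if ($null -ne $config.SelectSingleNode('/configuration/system.web/machineKey[@validationKey]')) {
        $findings.Add('web.config contains a hard-coded <machineKey>; the article recommends generating a new one')
    }

    # 4. Patched assembly (patches exist for 4.0 and above): the File Description identifies the patch build
    if ($Band -ne 'pre-4.0') {
        $dll = Join-Path $Root 'bin\Telerik.Web.UI.dll'
        if (-not (Test-Path $dll)) {
            $findings.Add("Telerik.Web.UI.dll not found at $dll")
        } else {
            $desc = (Get-Item $dll).VersionInfo.FileDescription
            if ($desc -ne 'Telerik.Web.UI.Sitefinity.Patch') {
                $findings.Add("Telerik.Web.UI.dll is not the patched build (File Description: '$desc')")
            }
        }
    }

    [pscustomobject]@{ SiteRoot = $Root; VersionBand = $Band; Hardened = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

Test-SitefinityTelerikHardening -Root $SiteRoot -Band $VersionBand | Format-List
```

Run it read-only on every Sitefinity host after patching, e.g. `.\Test-TelerikHardening.ps1 -SiteRoot 'D:\sites\mysite' -VersionBand '5.4-9.2'` (script name assumed). A site is reported as Hardened only when every check for its band passes; the Findings list tells you which step from the matching section above is still outstanding. For the pre-4.0 band the Telerik KB steps for the Dialog Handler are not verifiable from web.config alone and are not covered here.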


Additional information

For more information about the encryption and hash key settings in the web.config files refer to Telerik UI for ASP.NET AJAX documentation for Async Upload Security http://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security

For more information about the DialogParametersEncryptionKey refer to Telerik UI for ASP.NET AJAX documentation for Editor Security http://docs.telerik.com/devtools/aspnet-ajax/controls/editor/functionality/dialogs/security

Make sure to go through the specifics, security recommendations and enhancements related to different versions of Telerik.Web.UI.dll from the below KB articles:

Cryptographic Weakness

http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness

Unrestricted File Upload

http://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload

Insecure Direct Object Reference

http://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/insecure-direct-object-reference
Notes
You must be a Sitefinity license holder (Download Sitefinity license) to access the patch ZIP files. Also, the patches for versions released prior to Sitefinity CMS 6.3 are not available on the Sitefinity NuGet feed. If the project is using NuGet then clean the NuGet cache from the server and local machine to get the patched assembly.

BEFORE downloading and applying the patch to a production environment, ensure that the following has been met:
  • Create a backup of the project and database.
  • Successfully patch a dev or testing environment in order to ensure that the site is working.

References to Other Documentation:

To clear the NuGet cache, see Microsoft documentation, Managing the NuGet cache https://docs.microsoft.com/en-us/nuget/consume-packages/managing-the-nuget-cache

Progress Article(s):

000071864 Where to find the hot fix, internal builds and patches for download
External References
CVE-2014-2217
CVE-2017-11317
CVE-2017-11357
CVE-2017-9248


*Hotfix will disable some controls and there is no reversion method. The only way to re-enable control is to uninstall, reinstall or upgrade. 
Last Modified Date: 3/27/2019 3:46 PM

