Progress KB - Security Advisory Resolving Security Vulnerability CVE-2014-2217 , CVE-2017-11317 , CVE-2017-11357 , CVE-2017-9248 in Sitefinity




Information

 
URL Name: resolving-security-vulnerability-cve-2017-9248
Article Number: 000189057
Environment:
Product: Sitefinity
Version: 5.x, 6.x, 7.x, 8.x, 9.x, 10.0, 10.1
OS: All supported OS versions
Database: All supported Microsoft SQL Server versions

Question/Problem Description
Security vulnerabilities were identified in Sitefinity CMS.

They are present in one of the assemblies distributed with Sitefinity CMS, Telerik.Web.UI.dll, and affect the Telerik DialogHandler and RadAsyncUpload. For more information on the nature of the vulnerabilities, see the Telerik KB articles listed under Additional information below. The issues have been investigated and addressed; it is strongly recommended that you follow the steps below for your Sitefinity version to ensure the safety and security of your web sites.
Resolution

For the highest security, we recommend an upgrade to the latest Progress Sitefinity CMS release.

Actions required:

-----> For versions 13.0 and up - No action required

Sitefinity 13.0.7300 uses Telerik.Web.UI version 2020.1.114, which is not vulnerable to arbitrary file upload.

 

-----> For versions 10.2 up to 12.2

These versions use patched Telerik.Web.UI versions, but require unique encryption keys in the web.config file.

Apply encryption keys in the web.config file.

Sitefinity provides a web form that generates the needed keys and inserts them into the web.config file:

1. Download this web form:

https://gist.github.com/sitefinitySDK/ce7e7f672ba9ee63e6b502a3ed9cfdab#file-bluemockingbirdskeys-aspx

2. Put it in the root folder of your project.

3. Navigate to yoursite.com/bluemockingbirdskeys.aspx

4. Click the button to have the keys inserted automatically.

Note: For optimal security, we still recommend upgrading to the latest available patch.

 

---> For versions 7.0 until 10.1

-> Upgrade Sitefinity and apply the keys in the web.config as follows**

I. Upgrade Sitefinity to the latest patch available for your version.

000193776, How to apply the latest available patch?

II. Apply the keys:

1. Download this web form:

https://gist.github.com/sitefinitySDK/ce7e7f672ba9ee63e6b502a3ed9cfdab#file-bluemockingbirdskeys-aspx

2. Put it in the root folder of your project.

3. Navigate to yoursite.com/bluemockingbirdskeys.aspx

4. Click the button to have the keys inserted automatically.

**

Alternatively, the keys can be added manually:


Update the web.config file by adding the following keys in the <appSettings> section, replacing each value with a newly generated key:

<appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR-FIRST-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR-SECOND-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
    <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="YOUR-THIRD-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
</appSettings>

How do you get the key that must populate the "YOUR-FIRST-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" entry?
You can use any method to generate a strong key (it is like a very complex password). One option is the Machine Key feature in IIS Manager:
    1. Open the Machine Key feature in IIS Manager.
    2. Generate a strong key.
    3. Copy the generated key into the value attribute of one of the entries above. Use a distinct key for each of the three entries.
For more information on these keys and how to generate them, refer to the Telerik UI for ASP.NET AJAX documentation for Security: http://docs.telerik.com/devtools/aspnet-ajax/controls/editor/functionality/dialogs/security
If you are using a hard-coded machine key in the web.config file, we strongly recommend generating a new one.
Note: The values of the three keys above must be unique to the application and generated using a tool of your choice. Because web.config is XML, a literal "&" inside a value must be written as "&amp;"; otherwise the configuration file will fail to load.
Adding <add key="Telerik.Web.DisableAsyncUploadHandler" value="true" /> disables uploads through RadAsyncUpload, which is used by the Upload button in Administration -> File Manager.
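The manual procedure above can be scripted for environments where the web form cannot be deployed. The following PowerShell script is an added example, not part of this KB article or of Sitefinity: it generates three distinct random keys from the operating system's cryptographic random number generator, writes them into the three appSettings entries named above (creating or replacing them), and refuses to save if the keys are not distinct. It assumes web.config uses the standard unnamespaced <configuration> root and that the path is supplied with -WebConfigPath; the 48-byte key length is an assumed default.

```powershell
# Added example (not Sitefinity's or Progress's code): populate the three Telerik
# key entries in web.config with freshly generated random values.
# Assumptions: standard unnamespaced <configuration> root; -WebConfigPath points
# at the site's web.config; -KeyBytes is an illustrative default.
param(
    [Parameter(Mandatory = $true)][string]$WebConfigPath,
    [int]$KeyBytes = 48
)

# Key names exactly as given in the KB article
$keyNames = @(
    'Telerik.AsyncUpload.ConfigurationEncryptionKey',
    'Telerik.Upload.ConfigurationHashKey',
    'Telerik.Web.UI.DialogParametersEncryptionKey'
)

function New-RandomKey {
    param([int]$Bytes)
    $buffer = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buffer) } finally { $rng.Dispose() }
    # Hex output contains no characters that need XML escaping (no "&", quotes, or "<")
    return ([System.BitConverter]::ToString($buffer)).Replace('-', '')
}

# Keep a copy of the original file before modifying it
Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force

[xml]$config = Get-Content -Path $WebConfigPath -Raw
if ($config.DocumentElement.LocalName -ne 'configuration') {
    throw "Unexpected root element '$($config.DocumentElement.LocalName)' in $WebConfigPath"
}

# SelectSingleNode is used instead of property access so an empty <appSettings/> is still found
$appSettings = $config.SelectSingleNode('/configuration/appSettings')
if (-not $appSettings) {
    $appSettings = $config.DocumentElement.AppendChild($config.CreateElement('appSettings'))
}

$generated = @{}
foreach ($name in $keyNames) {
    $value = New-RandomKey -Bytes $KeyBytes
    $existing = $appSettings.SelectSingleNode("add[@key='$name']")
    if ($existing) {
        # Replace a placeholder or previously used value
        $existing.SetAttribute('value', $value)
    } else {
        $add = $config.CreateElement('add')
        $add.SetAttribute('key', $name)
        $add.SetAttribute('value', $value)
        [void]$appSettings.AppendChild($add)
    }
    $generated[$name] = $value
}

# The article requires distinct keys; abort rather than save duplicates
if (($generated.Values | Select-Object -Unique).Count -ne $keyNames.Count) {
    throw 'Generated keys are not distinct; web.config was not modified.'
}

$config.Save((Resolve-Path $WebConfigPath).Path)
Write-Host "Wrote $($keyNames.Count) distinct keys to $WebConfigPath (backup: $WebConfigPath.bak)"
```

Run it as .\Set-TelerikKeys.ps1 -WebConfigPath C:\inetpub\mysite\web.config (an assumed path) from an elevated prompt on the web server; saving web.config restarts the application, so schedule it accordingly. Hex encoding was chosen so the generated value can never contain an unescaped "&" or quote, which is the well-formedness problem the note above warns about.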

 


    For Sitefinity versions 4.0 to 5.3 inclusive

    1. Apply the security patch. See section Applying the Security Patch below.
    2. Prevent POST requests to the "AsyncUploadHandler" by changing the Telerik.Web.UI.WebResource handler registration to only allow HTTP GET requests:
    <system.webServer>
      <handlers>
        <remove name="Telerik_Web_UI_WebResource_axd" />
        <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="GET" preCondition="integratedMode" />
      </handlers>
    </system.webServer>
    3. If you are using a hard-coded machine key in the web.config file, we strongly recommend generating a new one.
    Note: The value of the key described in step 3 should be unique to the application and generated using a tool of your choice.


    For Sitefinity versions below 4.0

    1. Disable access to the Telerik Dialog Handler using the steps in the Telerik UI for ASP.NET AJAX KB article, Cryptographic Weakness: http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness#prevent-access
    2. Prevent POST requests to the "AsyncUploadHandler" by changing the Telerik.Web.UI.WebResource handler registration to only allow HTTP GET requests.
    NOTE: This setting disables the ability to upload a file from Administration->File Manager. To use this functionality again, it is recommended to upgrade to a newer Sitefinity version, preferably Sitefinity 10.2 or above (Sitefinity documentation, upgrade procedure: https://www.progress.com/documentation/sitefinity-cms/10/upgrade).
    <system.webServer>
      <handlers>
        <remove name="Telerik_Web_UI_WebResource_axd" />
        <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="GET" preCondition="integratedMode" />
      </handlers>
    </system.webServer>
    3. If you are using a hard-coded machine key in the web.config file, we strongly recommend generating a new one.
    Note: The value of the key described in step 3 should be unique to the application and generated using a tool of your choice.

    Note: A Sitefinity upgrade to the latest version is always recommended to get the latest fixes and additional settings to protect your website.


    Applying the Security Patch (DEPRECATED)

    Who should apply the Security Patch

    • If the patch was already applied after August 17th, 2017, skip this section.
    • If no patch has been applied, proceed with the steps below.
    • If the patch was applied prior to August 17th, 2017, you need to apply the newer version following the steps below.


    How to apply the Security Patch

    Security patches are provided for Sitefinity versions 4.0 and above. They are distributed as ZIP files and are available for download in your Sitefinity.com account (https://www.telerik.com/account/my-downloads?pid=725):
    1. Go to the downloads page and choose "Sitefinity CMS".
    2. On the next page, in the "Versions" dropdown, choose the Sitefinity version your website uses.
    3. In the Patch section, download the .zip file named "SecurityPatch_<VersionNumber>.zip".
    The patch contains a single binary file, Telerik.Web.UI.dll, with the same build version as the original Telerik.Web.UI.dll assembly used in your site. There is no need to rebuild your Sitefinity code or add <bindingRedirect> elements to the web.config file. Download the patch, extract its contents and paste the file directly into your Sitefinity website's /bin folder, replacing the existing Telerik.Web.UI.dll file. Your website will restart and start using the patched Telerik.Web.UI code.

    If your Sitefinity website is running on one of the Sitefinity internal builds (http://www.sitefinity.com/developer-network/forums/internal-builds), follow the same approach outlined in the paragraph above. Please note that the patches in Your Account are listed for official versions only. If you are running on an internal build of a particular Sitefinity version, download the patch for the respective major version. For example, if your website is running on the latest internal build for version 9.1 (9.1.6151), download the patch for version 9.1 official (9.1.6100), SecurityPatch_9_1_6100.zip, from Your Account.
     

    Check if the patch is applied

    To check whether the patch is applied, go to the /bin folder of the site, locate Telerik.Web.UI.dll and right-click it. Go to Properties and then Details. The File Description must state "Telerik.Web.UI.Sitefinity.Patch".
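The same check, together with the other mitigations this article describes (the three unique keys, the GET-only handler registration, and a hard-coded machine key), can be verified across many sites with a script. The following PowerShell audit is an added example and not part of this KB article: it reads the site's web.config and Telerik.Web.UI.dll and reports every item that does not match the article's recommendations. The -SiteRoot parameter, the 32-character minimum key length and the placeholder pattern are assumptions; which findings matter depends on your Sitefinity version (for example, the GET-only handler restriction is only required for versions below 5.3).

```powershell
# Added example (not Sitefinity's or Progress's code): audit a Sitefinity site
# folder for the mitigations described in the KB article. -SiteRoot is the folder
# that contains web.config and bin\. Thresholds and patterns are illustrative.
param([Parameter(Mandatory = $true)][string]$SiteRoot)

$findings = New-Object System.Collections.Generic.List[string]
$webConfigPath = Join-Path $SiteRoot 'web.config'
$dllPath = Join-Path $SiteRoot 'bin\Telerik.Web.UI.dll'

[xml]$config = Get-Content -Path $webConfigPath -Raw

# 1. Encryption/hash keys: present, not left at a placeholder, long enough, and distinct
$keyNames = @(
    'Telerik.AsyncUpload.ConfigurationEncryptionKey',
    'Telerik.Upload.ConfigurationHashKey',
    'Telerik.Web.UI.DialogParametersEncryptionKey'
)
$values = @{}
foreach ($name in $keyNames) {
    $node = $config.SelectSingleNode("/configuration/appSettings/add[@key='$name']")
    if (-not $node) { $findings.Add("Missing appSettings key: $name"); continue }
    $v = $node.GetAttribute('value')
    # Placeholder pattern and minimum length are assumptions for this example
    if ($v.Length -lt 32 -or $v -match 'YOUR-.*-VALUE') {
        $findings.Add("Weak or placeholder value for $name")
    }
    $values[$name] = $v
}
if ($values.Count -gt 1 -and ($values.Values | Select-Object -Unique).Count -ne $values.Count) {
    $findings.Add('Two or more Telerik keys share the same value; the article requires distinct keys')
}

# 2. Hard-coded machineKey: the article says to regenerate it; flag it for manual confirmation
$machineKey = $config.SelectSingleNode('/configuration/system.web/machineKey')
if ($machineKey -and $machineKey.GetAttribute('validationKey') -notmatch 'AutoGenerate') {
    $findings.Add('web.config contains a hard-coded machineKey; confirm it was regenerated after patching')
}

# 3. Handler restriction: Telerik.Web.UI.WebResource.axd should accept GET only
$handler = $config.SelectSingleNode("/configuration/system.webServer/handlers/add[@name='Telerik_Web_UI_WebResource_axd']")
if ($handler) {
    $verb = $handler.GetAttribute('verb')
    if ($verb -ne 'GET') { $findings.Add("Telerik_Web_UI_WebResource_axd handler allows verb '$verb'; expected GET") }
} else {
    $findings.Add('Telerik_Web_UI_WebResource_axd handler is not explicitly registered (POST restriction not applied)')
}

# 4. Patched assembly: File Description identifies the Sitefinity security patch build
if (Test-Path $dllPath) {
    $info = (Get-Item $dllPath).VersionInfo
    if ($info.FileDescription -ne 'Telerik.Web.UI.Sitefinity.Patch') {
        $findings.Add("Telerik.Web.UI.dll (file version $($info.FileVersion)) is not the patched build: description is '$($info.FileDescription)'")
    }
} else {
    $findings.Add("Telerik.Web.UI.dll not found at $dllPath")
}

if ($findings.Count -eq 0) {
    Write-Host "No findings for $SiteRoot"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it as .\Audit-SitefinityTelerik.ps1 -SiteRoot C:\inetpub\mysite (an assumed path). The script only reads files, so it can be run against production without a maintenance window; on a version 10.2 or later site the handler and patch findings are expected and can be ignored, since those versions ship a patched assembly and only need the keys.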


    Additional information

    For more information about the encryption and hash key settings in the web.config files refer to Telerik UI for ASP.NET AJAX documentation for Async Upload Security http://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security

    For more information about the DialogParametersEncryptionKey refer to Telerik UI for ASP.NET AJAX documentation for Editor Security http://docs.telerik.com/devtools/aspnet-ajax/controls/editor/functionality/dialogs/security

    Make sure to go through the specifics, security recommendations and enhancements related to different versions of Telerik.Web.UI.dll from the below KB articles:

    Cryptographic Weakness

    http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness

    Unrestricted File Upload

    http://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload

    Insecure Direct Object Reference

    http://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/insecure-direct-object-reference
    Notes
    You must be a Sitefinity license holder (Download Sitefinity license) to access the patch ZIP files. Also, the patches for versions released prior to Sitefinity CMS 6.3 are not available on the Sitefinity NuGet feed. If the project is using NuGet then clean the NuGet cache from the server and local machine to get the patched assembly.

    BEFORE downloading and applying the patch to a production environment, ensure that the following has been met:
    • Create a backup of the project and database.
    • Successfully patch a dev or testing environment in order to ensure that the site is working.

    References to Other Documentation:

    To clear the NuGet cache, see Microsoft documentation, Managing the NuGet cache https://docs.microsoft.com/en-us/nuget/consume-packages/managing-the-nuget-cache

    Progress Article(s):

    000071864 Where to find the hot fix, internal builds and patches for download
    External References
    CVE-2014-2217
    CVE-2017-11317
    CVE-2017-11357
    CVE-2017-9248


    *Hotfix will disable some controls and there is no reversion method. The only way to re-enable control is to uninstall, reinstall or upgrade. 
    Last Modified Date: 7/8/2020 1:04 PM