CVE-2017-9248
Published: 03 July 2017
Summary
CVE-2017-9248 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Progress Sitefinity. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-13 (Cryptographic Protection).
Deeper analysis
CVE-2017-9248 affects Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX versions prior to R2 2017 SP1 and Sitefinity versions prior to 10.0.6412.0. The component fails to adequately protect the Telerik.Web.UI.DialogParametersEncryptionKey or the ASP.NET MachineKey, which lets remote attackers defeat the cryptographic protection that depends on those keys; the weakness is classified as CWE-522 (Insufficiently Protected Credentials).
Unauthenticated attackers can exploit the flaw over the network to obtain the MachineKey, which in turn enables arbitrary file uploads or downloads, cross-site scripting, or compromise of ASP.NET ViewState; this impact is why the issue carries a CVSS 3.1 base score of 9.8.
Telerik security advisories and knowledge-base articles direct administrators to apply the R2 2017 SP1 update for UI for ASP.NET AJAX or version 10.0.6412.0 for Sitefinity to restore proper key protection.
Public exploit code for the issue has been published, confirming the cryptographic weakness can be leveraged in practice.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-18184
Vulnerability details
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
- CWE(s): CWE-522 (Insufficiently Protected Credentials)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SC-12 (Cryptographic Key Establishment and Management): directly requires proper establishment, protection, and management of cryptographic keys such as the exposed Telerik DialogParametersEncryptionKey and ASP.NET MachineKey.
- SC-13 (Cryptographic Protection): mandates use of validated cryptography to protect sensitive data and mechanisms, which the CVE bypasses via key leakage.
- Timely installation of vendor patches (R2 2017 SP1 / 10.0.6412.0) that restore correct key protection in Telerik.Web.UI.dll.