Sergey Nivens - Fotolia
Telerik web UI: Can the cryptographic weakness be mitigated?
A cryptographic weakness was discovered in the Telerik web UI. Expert Judith Myerson alerts readers about this weakness and the alternative options for companies to explore.
I recently read that the Telerik web UI contains a cryptographic weakness. What is this weakness? Should companies explore alternatives or can this weakness be mitigated?
Telerik web UI components are used to build Web Forms applications for any browser and any desktop or mobile device.
The cryptographic weakness of Telerik.Web.UI.dll is found in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1, and Sitefinity before version 10.0.6412.0. Telerik.Web.UI.dll does not properly protect an encryption key in Telerik.Web.UI.DialogParametersEncryptionKey or in MachineKey.
Since authentication is not required to gain access to the encryption key, it is easier for remote attackers to bypass it when they perform file uploads and downloads, as cross-site scripting attackers can leak the Machine Key or compromise the ASP.NET View State. Software vendors are vulnerable if they use Telerik web components for document processing, SharePoint web parts or integration.
Telerik advises that users manually install, deploy and configure the SharePoint 2013 Telerik web parts under SharePoint 2016 until an official MSI installation package is provided by Telerik. The SharePoint 2013 documentation can be used as a reference to create its own web parts. Both versions use some of the configuration management settings that are provided by the Microsoft .NET Framework. Four out of the more than 80 ASP controls used to implement web parts are available for free demonstration.
However, one drawback is that Windows 10 doesn't run with SharePoint 2013, as it's not always backward-compatible with earlier versions of Windows. Likewise, manual installations don't guarantee that a vulnerability to cryptographic weakness will not happen. The web parts alternatives from other sources may or may not be better depending on six factors:
- compatibility of the controls used in implementing web parts;
- controls pricing policy, either free or paid;
- user programming expertise, either novice or pro;
- implementing encryption keys;
- user access to Web Parts Mode, either restricted to Normal or unrestricted to Edit, Design and Catalog; and
- history of control patch-ups: too many or too few.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)