Sergey Nivens - Fotolia
I recently read that the Telerik web UI contains a cryptographic weakness. What is this weakness? Should companies explore alternatives or can this weakness be mitigated?
Telerik web UI components are used to build Web Forms applications for any browser and any desktop or mobile device.
The cryptographic weakness of Telerik.Web.UI.dll is found in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1, and Sitefinity before version 10.0.6412.0. Telerik.Web.UI.dll does not properly protect an encryption key in Telerik.Web.UI.DialogParametersEncryptionKey or in MachineKey.
Since authentication is not required to gain access to the encryption key, it is easier for remote attackers to bypass it when they perform file uploads and downloads, as cross-site scripting attackers can leak the Machine Key or compromise the ASP.NET View State. Software vendors are vulnerable if they use Telerik web components for document processing, SharePoint web parts or integration.
Telerik advises that users manually install, deploy and configure the SharePoint 2013 Telerik web parts under SharePoint 2016 until an official MSI installation package is provided by Telerik. The SharePoint 2013 documentation can be used as a reference to create its own web parts. Both versions use some of the configuration management settings that are provided by the Microsoft .NET Framework. Four out of the more than 80 ASP controls used to implement web parts are available for free demonstration.
However, one drawback is that Windows 10 doesn't run with SharePoint 2013, as it's not always backward-compatible with earlier versions of Windows. Likewise, manual installations don't guarantee that a vulnerability to cryptographic weakness will not happen. The web parts alternatives from other sources may or may not be better depending on six factors:
- compatibility of the controls used in implementing web parts;
- controls pricing policy, either free or paid;
- user programming expertise, either novice or pro;
- implementing encryption keys;
- user access to Web Parts Mode, either restricted to Normal or unrestricted to Edit, Design and Catalog; and
- history of control patch-ups: too many or too few.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Learn more about the Telerik mobile development suite
Read more on how Telerik helps develop mobile apps
Find out how the Docker REST API can be turned against enterprises
Dig Deeper on Disk and file encryption tools
Related Q&A from Judith Myerson
An exploit code for Dirty COW was accidentally shipped by Cisco with product software. Learn how this code ended up in a software release and what ... Continue Reading
Cisco's Webex Meetings platform had to be re-patched after researchers found the first one was failing. Discover what went wrong with the first patch... Continue Reading
The TP-Link EAP Controller for Linux was recently found to be vulnerable to attacks. Learn from Judith Myerson what this means for users and how it ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.