Sergey Nivens - Fotolia
I recently read that the Telerik web UI contains a cryptographic weakness. What is this weakness? Should companies explore alternatives or can this weakness be mitigated?
Telerik web UI components are used to build Web Forms applications for any browser and any desktop or mobile device.
The cryptographic weakness of Telerik.Web.UI.dll is found in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1, and Sitefinity before version 10.0.6412.0. Telerik.Web.UI.dll does not properly protect an encryption key in Telerik.Web.UI.DialogParametersEncryptionKey or in MachineKey.
Since authentication is not required to gain access to the encryption key, it is easier for remote attackers to bypass it when they perform file uploads and downloads, as cross-site scripting attackers can leak the Machine Key or compromise the ASP.NET View State. Software vendors are vulnerable if they use Telerik web components for document processing, SharePoint web parts or integration.
Telerik advises that users manually install, deploy and configure the SharePoint 2013 Telerik web parts under SharePoint 2016 until an official MSI installation package is provided by Telerik. The SharePoint 2013 documentation can be used as a reference to create its own web parts. Both versions use some of the configuration management settings that are provided by the Microsoft .NET Framework. Four out of the more than 80 ASP controls used to implement web parts are available for free demonstration.
However, one drawback is that Windows 10 doesn't run with SharePoint 2013, as it's not always backward-compatible with earlier versions of Windows. Likewise, manual installations don't guarantee that a vulnerability to cryptographic weakness will not happen. The web parts alternatives from other sources may or may not be better depending on six factors:
- compatibility of the controls used in implementing web parts;
- controls pricing policy, either free or paid;
- user programming expertise, either novice or pro;
- implementing encryption keys;
- user access to Web Parts Mode, either restricted to Normal or unrestricted to Edit, Design and Catalog; and
- history of control patch-ups: too many or too few.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Learn more about the Telerik mobile development suite
Read more on how Telerik helps develop mobile apps
Find out how the Docker REST API can be turned against enterprises
Dig Deeper on Disk and file encryption tools
Related Q&A from Judith Myerson
The Constrained Application Protocol underpins IoT networks. But the protocol could allow a threat actor to launch an attack. Continue Reading
Dutch researchers discovered flaws in ATA security and TCG Opal affecting self-encrypting drives. What steps can you take to guard data stored on ... Continue Reading
The Signal Desktop application was found to be making decryption keys available in plaintext. Learn how the SQLite database and plaintext passwords ... Continue Reading