CVE-2017-11317 — Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability

CVE-2017-11317

Telerik RadAsyncUpload — Inadequate Encryption in Upload Handler Allows Arbitrary File Upload; Part of Telerik File Upload Chain with CVE-2017-11357 and CVE-2019-18935

What Is Telerik RadAsyncUpload?

Telerik UI for ASP.NET AJAX (now Progress Telerik UI for ASP.NET AJAX) is a widely used commercial component library for Microsoft .NET web applications. The RadAsyncUpload component provides file upload functionality for ASP.NET WebForms applications and is used by thousands of enterprise applications for document management, file sharing, and content management. Its server-side handler relies on an encrypted, client-supplied configuration to decide where an upload is stored and which file types are accepted; if the encryption key is known or the scheme can be broken, an attacker can forge that configuration and upload arbitrary files, including web shells, achieving remote code execution.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on April 11, 2022; federal agencies are required to apply mitigations under BOD 22-01.

CVE-2017-11317 is an inadequate encryption strength vulnerability in the Telerik RadAsyncUpload component that allows unauthenticated file upload. The RadAsyncUpload handler decrypts an upload configuration sent with each request (target folder, allowed extensions) and trusts it. In affected versions that configuration is protected by a weak scheme keyed with a hard-coded default value unless the application explicitly overrides it through the Telerik.AsyncUpload.ConfigurationEncryptionKey setting, which most deployments never did, so an attacker can forge valid upload requests and write arbitrary files to the server. Patched in Telerik UI for ASP.NET AJAX R2 2017 SP2 (2017.2.711). CVE-2017-11317 is related to CVE-2017-11357 and to the more severe deserialization vulnerability CVE-2019-18935, which targets the same RadAsyncUpload handler and whose exploitation likewise depends on knowing these keys. CISA added CVE-2017-11317 to the KEV catalog in April 2022.

Affected Versions

Telerik UI Version Status
Telerik UI for ASP.NET AJAX before R2 2017 SP2 (2017.2.711) Vulnerable
Telerik UI for ASP.NET AJAX R2 2017 SP2 and later Fixed

Technical Details

Root Cause: Hard-Coded Default Key and Weak Encryption of the Upload Configuration

CVE-2017-11317 is an inadequate encryption strength vulnerability (CWE-326) in the Telerik RadAsyncUpload handler, which is served through Telerik.Web.UI.WebResource.axd (requests with type=rau). Each upload POST carries its own configuration, including the temporary target folder and the permitted file extensions, in an encrypted form field (rauPostData) that the handler decrypts and then trusts. The vulnerability arises because:

  1. Hard-coded default key: the configuration is encrypted with a fixed key built into Telerik.Web.UI.dll unless the application overrides it through the Telerik.AsyncUpload.ConfigurationEncryptionKey setting in web.config; most deployments never set it, so the key is the same on every affected server and is public knowledge
  2. Weak encryption: affected versions use a weak encryption scheme with no keyed integrity check on the configuration (the fix introduced a separate HMAC key, Telerik.Upload.ConfigurationHashKey), so a valid ciphertext can be produced for any configuration the attacker chooses
  3. Upload bypass: with a forged configuration the request passes the handler's checks, and no authentication is involved at any point
  4. Arbitrary file placement: the forged configuration selects the target folder and the allowed extensions, so the attacker can write .aspx web shells into web-accessible directories
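Whether a particular deployment is still exposed comes down to two things: the Telerik.Web.UI build, and whether the two key settings were ever changed from their defaults. The following Python script is an added example, not Telerik's code and not part of the original advisory; it audits a web.config for exactly that. The default key strings are the well-known values shipped in the library, the 32-character minimum is this script's own assumption rather than a vendor requirement, and the two sample web.config documents embedded in it are constructed for the demonstration.

```python
"""Audit a web.config for the RadAsyncUpload settings behind CVE-2017-11317.

Added example, not Telerik's code. It checks whether the Telerik handler is
registered, whether the two RadAsyncUpload keys are set and differ from the
well-known built-in defaults (the default strings below are the ones shipped
in Telerik.Web.UI.dll and are public), and, when the config references a
Telerik.Web.UI assembly version, whether it is older than the fixed build
2017.2.711. The two web.config samples at the bottom are constructed.
"""
import base64
import re
import secrets
import xml.etree.ElementTree as ET

FIXED_BUILD = (2017, 2, 711)
DEFAULT_KEYS = {
    "Telerik.AsyncUpload.ConfigurationEncryptionKey": "PrivateKeyForEncryptionOfRadAsyncUpload",
    "Telerik.Upload.ConfigurationHashKey": "PrivateKeyForHashOfUploadConfiguration",
}
MIN_KEY_LEN = 32  # assumption used by this audit, not a vendor requirement
HANDLER_PATH = "Telerik.Web.UI.WebResource.axd"


def telerik_version(root):
    """(major, minor, build) from any 'Telerik.Web.UI, Version=...' reference, else None."""
    for el in root.iter():
        for val in el.attrib.values():
            m = re.search(r"Telerik\.Web\.UI,\s*Version=(\d+)\.(\d+)\.(\d+)", val)
            if m:
                return tuple(int(x) for x in m.groups())
    return None


def handler_registered(root):
    """True if any handler mapping points at the Telerik resource handler."""
    return any(HANDLER_PATH.lower() in (el.get("path") or "").lower() for el in root.iter("add"))


def audit(web_config_xml):
    """Return {'version', 'handler', 'findings', 'exposed'} for one web.config."""
    root = ET.fromstring(web_config_xml)
    settings = {a.get("key"): a.get("value") for a in root.iter("add") if a.get("key")}
    findings = []
    version = telerik_version(root)
    if version is not None and version < FIXED_BUILD:
        findings.append("Telerik.Web.UI %d.%d.%d is older than 2017.2.711" % version)
    for name, default in DEFAULT_KEYS.items():
        value = settings.get(name)
        if value is None:
            findings.append(f"{name} not set: built-in default key in use")
        elif value == default:
            findings.append(f"{name} set to the well-known default value")
        elif len(value) < MIN_KEY_LEN:
            findings.append(f"{name} is shorter than {MIN_KEY_LEN} characters")
    handler = handler_registered(root)
    # Without the handler mapping the upload endpoint is unreachable, so the
    # findings are configuration debt rather than live exposure.
    return {"version": version, "handler": handler, "findings": findings,
            "exposed": handler and bool(findings)}


def new_keys(nbytes=32):
    """Fresh random values for both settings, base64-encoded."""
    return {name: base64.b64encode(secrets.token_bytes(nbytes)).decode()
            for name in DEFAULT_KEYS}


def render_appsettings(keys):
    """appSettings fragment to paste into web.config."""
    rows = "".join(f'    <add key="{k}" value="{v}" />\n' for k, v in keys.items())
    return "<appSettings>\n" + rows + "</appSettings>\n"


# Constructed sample: old build, handler mapped, no keys configured.
VULNERABLE_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.Skin" value="Default" />
  </appSettings>
  <system.web>
    <compilation targetFramework="4.5">
      <assemblies>
        <add assembly="Telerik.Web.UI, Version=2016.3.1027.45, Culture=neutral" />
      </assemblies>
    </compilation>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd"
           verb="*" type="Telerik.Web.UI.WebResource" />
    </handlers>
  </system.webServer>
</configuration>"""

# Constructed sample: fixed build plus per-application random keys (demo values only).
HARDENED_CONFIG = VULNERABLE_CONFIG.replace("2016.3.1027.45", "2020.1.114.45").replace(
    '<add key="Telerik.Skin" value="Default" />',
    '<add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="demo+only+7K1fQz9bX2mN4pL8rT6vW0yH3jC5eA1sD9gF7hJ=" />\n'
    '    <add key="Telerik.Upload.ConfigurationHashKey" value="demo+only+Zq8Wn3Vb1Xc6Mk4Lp7Rt0Yh2Jf5Gd9Sa3Ef8Hj=" />')

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
    print(render_appsettings(new_keys()))
```

Run it against a real file with audit(open("web.config").read()). A version is reported only when the assembly is listed under compilation/assemblies; when the audit returns None for version, read the file version of Telerik.Web.UI.dll in the application's bin folder instead, since the build number is what decides whether the weak scheme is still in use.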

Relationship to the Telerik vulnerability family:

CVE Component Description
CVE-2017-11317 RadAsyncUpload encryption Weak encryption and hard-coded default key allow a forged upload configuration
CVE-2017-11357 RadAsyncUpload IDOR Upload target folder taken from attacker-controlled request data
CVE-2019-18935 RadAsyncUpload deserialization .NET deserialization RCE (most severe)

These three CVEs represent an escalating series of vulnerabilities in the same component, all hinging on the same encrypted upload configuration and its keys; CVE-2019-18935 achieves direct RCE via deserialization and has been used in numerous high-profile attacks on US government and enterprise targets.

Attack Characteristics

Attribute Detail
Attack Vector Network — unauthenticated HTTP POST to /Telerik.Web.UI.WebResource.axd?type=rau
Authentication None required
Prerequisites Unpatched Telerik.Web.UI.dll (before 2017.2.711) and the default, or otherwise known, RadAsyncUpload encryption key
Impact Arbitrary file upload → web shell → RCE

Discovery

Discovered and reported to Progress/Telerik, resulting in the July 2017 patch release.

Exploitation Context

  • US government targeting: The Telerik RadAsyncUpload vulnerability family (CVE-2017-11317, CVE-2017-11357, CVE-2019-18935) was used extensively in attacks against US federal agencies, state/local governments, and defense contractors; CISA published an alert specifically about Telerik exploitation in US government networks
  • Default key exposure: Because the RadAsyncUpload keys default to fixed values shipped in the library, a large share of deployments never changed them; public tooling that tries the known default keys against the handler is widely available, making exploitation practical at scale
  • Web shell deployment: Successful exploitation typically results in an ASPX web shell being uploaded to the application's web-accessible directory, providing persistent remote command execution
  • Related deserialization path: CVE-2019-18935 depends on the same keys, so a server exploitable through CVE-2017-11317 is typically exposed to both; the deserialization route uploads a malicious .NET assembly to a temporary folder and then triggers deserialization of attacker-supplied data that loads it, giving code execution without having to place a file in a web-accessible path
  • CISA KEV (2022): Added April 2022 as part of CISA's broader campaign to highlight Telerik vulnerabilities in federal networks
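The web shell pattern above is visible in IIS logs. The following Python script is an added example, not part of the original advisory: it reads IIS W3C extended logs, notes every client that POSTs to the RadAsyncUpload handler, and raises an alert when the same client requests a server-side script path (.aspx/.ashx/.asmx) that is not in the known application baseline within a short window. A rau POST on its own is what every legitimate RadAsyncUpload client sends, so it is deliberately not an alert by itself. The log lines, the KNOWN_PAGES baseline and the 30-minute window are constructed assumptions for the demonstration.

```python
"""Hunt for RadAsyncUpload abuse in IIS W3C logs.

Added example, not from the original advisory. A POST to
Telerik.Web.UI.WebResource.axd?type=rau is what any RadAsyncUpload client
sends, so it is not malicious on its own. The pattern worth alerting on is a
client that posts to the upload handler and shortly afterwards requests a
server-side script path that is not part of the known application. Field
names follow the IIS W3C extended log format; the log lines, the baseline
and the window below are constructed for the demo.
"""
from datetime import datetime, timedelta

SCRIPT_EXT = (".aspx", ".ashx", ".asmx")
WINDOW = timedelta(minutes=30)            # correlation window (assumption)
KNOWN_PAGES = {"/default.aspx", "/documents/upload.aspx", "/login.aspx"}  # constructed baseline

# Constructed sample: one legitimate uploader, one scripted client that uploads
# twice and then calls a page the application never shipped.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-03-14 09:10:01 GET /documents/upload.aspx - 198.51.100.20 Mozilla/5.0 200
2022-03-14 09:10:09 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.20 Mozilla/5.0 200
2022-03-14 09:10:12 GET /documents/upload.aspx - 198.51.100.20 Mozilla/5.0 200
2022-03-14 09:12:05 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.7 python-requests/2.25.1 200
2022-03-14 09:12:06 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.7 python-requests/2.25.1 200
2022-03-14 09:12:09 GET /images/rsrc.aspx cmd=whoami 203.0.113.7 python-requests/2.25.1 200
2022-03-14 09:40:00 GET /login.aspx - 192.0.2.9 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per record, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def is_rau_upload(rec):
    """True for a POST to the Telerik handler with the RadAsyncUpload selector."""
    return (rec["cs-method"] == "POST"
            and rec["cs-uri-stem"].lower().endswith("/telerik.web.ui.webresource.axd")
            and "type=rau" in rec["cs-uri-query"].lower())


def hunt(log_text, known_pages=KNOWN_PAGES, window=WINDOW):
    """Return alerts as (client ip, time of its last rau POST, suspicious path)."""
    last_upload = {}   # c-ip -> time of that client's most recent rau POST
    alerts = []
    for rec in parse_w3c(log_text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        if is_rau_upload(rec):
            last_upload[ip] = ts
            continue
        path = rec["cs-uri-stem"].lower()
        if (path.endswith(SCRIPT_EXT) and path not in known_pages
                and ip in last_upload and ts - last_upload[ip] <= window):
            alerts.append((ip, last_upload[ip], rec["cs-uri-stem"]))
    return alerts


if __name__ == "__main__":
    for ip, when, path in hunt(SAMPLE_LOG):
        print(f"{ip} uploaded at {when} then requested {path}")
```

The baseline should come from the deployed application itself (for example the list of script files in the build artefact), not from past traffic, otherwise a long-lived shell becomes part of "normal". Feeding real logs means concatenating the daily u_ex*.log files; the parser re-reads the #Fields line whenever it appears, so mixed field layouts across files are handled.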

Remediation

CISA BOD 22-01 Deadline: May 2, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Upgrade Telerik UI — update to Telerik UI for ASP.NET AJAX R2 2017 SP2 (2017.2.711) or later. Because CVE-2017-11357 (fixed in R3 2017 SP1, 2017.3.1020) and CVE-2019-18935 (fixed in R1 2020, 2020.1.114) affect the same handler, the practical target is 2020.1.114 or later, which also removes the built-in default keys and requires the application to supply its own.

  2. Configure strong RadAsyncUpload keys — the keys that protect the upload configuration are separate from the ASP.NET machineKey, so set them explicitly in the appSettings section of web.config using long random values (for example 32 random bytes, base64-encoded) generated per application and never copied from documentation or examples:

    <appSettings>
      <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="[strong-random-key]" />
      <add key="Telerik.Upload.ConfigurationHashKey" value="[strong-random-key]" />
    </appSettings>

    The ConfigurationHashKey setting is honoured from 2017.2.711 onward. An explicitly configured machineKey remains good practice for ViewState and forms authentication but does not close this issue.
    
  3. Disable RadAsyncUpload if not needed — if the application does not use file upload functionality, disable the RadAsyncUpload HTTP handler by removing it from web.config.

  4. Block access to Telerik handler — if the upload handler is not needed externally, block HTTP access to /Telerik.Web.UI.WebResource.axd?type=rau at the WAF or web server level.

  5. Scan for deployed web shells — check web-accessible directories for recently created .aspx, .ashx, or .asmx files that were not part of the application deployment; these may indicate a successful upload exploitation.
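Step 5 as a script, added here and not part of the original advisory: it compares the script files present under a web root with the set the deployment is known to contain (taken from the build artefact, source control, or a manifest recorded at deploy time) and reports every .aspx/.ashx/.asmx file that is not in that baseline, with its modification time and SHA-256 so the file can be triaged and matched across hosts. The demo web root it builds in a temporary directory, and the DEPLOYED baseline, are constructed.

```python
"""List server-side script files under an IIS web root that the deployment did not ship.

Added example, not from the original advisory. A baseline of expected script
paths is compared against what is on disk; every .aspx/.ashx/.asmx file that
is not in the baseline is reported with its modification time and SHA-256.
The demo web root is constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path

SCRIPT_EXT = {".aspx", ".ashx", ".asmx"}


def sha256_of(path):
    """Hex SHA-256 of a file, streamed so large files are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_unexpected_scripts(web_root, baseline, newer_than=None):
    """Return sorted [(relative path, mtime, sha256)] for script files not in baseline.

    baseline: set of relative POSIX paths, compared case-insensitively because
    IIS paths are case-insensitive.
    newer_than: optional epoch seconds; files older than this are skipped so a
    first pass can focus on what changed since the last known-good deploy.
    """
    root = Path(web_root)
    known = {p.lower() for p in baseline}
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_EXT:
            continue
        rel = p.relative_to(root).as_posix()
        st = p.stat()
        if rel.lower() in known:
            continue
        if newer_than is not None and st.st_mtime < newer_than:
            continue
        hits.append((rel, st.st_mtime, sha256_of(p)))
    return sorted(hits)


def build_demo_webroot():
    """Constructed web root: two deployed pages, one stray page, one non-script file."""
    d = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "Default.aspx": '<%@ Page Language="C#" %>',
        "documents/Upload.aspx": '<%@ Page Language="C#" %>',
        "images/rsrc.aspx": "<%-- constructed placeholder standing in for a dropped file --%>",
        "images/logo.txt": "not a script",
    }
    for rel, body in files.items():
        full = Path(d, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_text(body)
    return d


DEPLOYED = {"Default.aspx", "documents/Upload.aspx"}   # constructed baseline


if __name__ == "__main__":
    root = build_demo_webroot()
    for rel, mtime, digest in find_unexpected_scripts(root, DEPLOYED):
        print(f"{rel}  mtime={mtime:.0f}  sha256={digest}")
```

Scan the whole site directory, not only the folders the application serves content from: an upload placed under App_Data or a temp folder is not executable through IIS, but it is the staging location the deserialization route (CVE-2019-18935) relies on, so an unexpected .dll there is as interesting as an unexpected .aspx elsewhere. Modification times can be reset by an attacker; the baseline comparison is the reliable part, the timestamp is only a triage hint.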

Key Details

Property Value
CVE ID CVE-2017-11317
Vendor / Product Telerik — User Interface (UI) for ASP.NET AJAX
NVD Published 2017-08-23
NVD Last Modified 2025-10-22
CVSS 3.1 Score 9.8
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity CRITICAL
CWE CWE-326 — Inadequate Encryption Strength
CISA KEV Added 2022-04-11
CISA KEV Deadline 2022-05-02
Known Ransomware Use No

CVSS 3.1 Breakdown

Metric Value
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Required Action

CISA BOD 22-01 Deadline: 2022-05-02. Apply updates per vendor instructions.

Timeline

Date Event
2017-07-11 Progress/Telerik releases R2 2017 SP2 (2017.2.711) patching CVE-2017-11317
2017-08-23 CVE-2017-11317 published by NVD
2022-04-11 Added to CISA Known Exploited Vulnerabilities catalog
2022-05-02 CISA BOD 22-01 remediation deadline