CVE-2017-9248 — Progress Telerik UI for ASP.NET AJAX and Sitefinity Cryptographic Weakness Vulnerability

Progress Telerik UI for ASP.NET AJAX — Encryption Key Disclosure via WebResource.axd Dialog Handler Enables File Upload Bypass, XSS, and ViewState Forgery; CRITICAL 9.8; Patched 2017

What Is Telerik UI for ASP.NET AJAX?

Telerik UI for ASP.NET AJAX (now Progress Telerik) is a comprehensive suite of UI components — grids, file uploaders, editors, dialogs — widely embedded in .NET web applications and CMS platforms including Sitefinity. Its RadAsyncUpload and dialog handler components expose a web endpoint via WebResource.axd?type=rau or Telerik.Web.UI.WebResource.axd that handles encrypted parameter exchanges between client and server. CVE-2017-9248 targets the encryption protecting those dialog parameters — weaknesses in key management allow an attacker to recover or brute-force the key, breaking the security of the dialog handler and enabling follow-on attacks.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations under BOD 22-01.

CVE-2017-9248 is a cryptographic weakness (CWE-522) in Telerik.Web.UI.dll: the DialogParametersEncryptionKey that protects dialog parameters (and potentially the application's ASP.NET MachineKey) is insufficiently protected, allowing an attacker to disclose or brute-force it. With the key recovered, an unauthenticated attacker can forge dialog parameters to bypass file upload restrictions, conduct XSS attacks, and compromise the ASP.NET ViewState. CVE-2017-9248 is closely related to a chain of Telerik vulnerabilities (CVE-2017-11317, CVE-2019-18935), all rooted in the same dialog handler endpoint. CISA added it to the KEV catalog in November 2021 as part of the initial launch batch.

Affected Versions

Product                       Affected Versions
Telerik UI for ASP.NET AJAX   Versions before the June 2017 patch
Sitefinity CMS                Versions embedding a vulnerable Telerik.Web.UI.dll

See the Telerik KB article for the exact version ranges and corresponding fix versions.

Technical Details

Root Cause: Weak Encryption Key Protection in Dialog Handler

CVE-2017-9248 is a cryptographic weakness (CWE-522) in the dialog parameter encryption used by Telerik.Web.UI.dll. The RadAsyncUpload control and file dialog handler encrypt their parameters using a key derived from the Telerik.Web.UI.DialogParametersEncryptionKey application setting — if this key is not explicitly set, the library falls back to a weak default or to the ASP.NET MachineKey. The encryption can be broken in multiple ways: default/predictable key values allow direct decryption; the endpoint leaks information that facilitates brute-force key recovery; in some configurations the MachineKey itself is exposed.

Consequences of key disclosure:

Once an attacker recovers the encryption key, they can:

  • Bypass file upload restrictions — forge dialog parameters to upload arbitrary file types (including .aspx web shells) via RadAsyncUpload
  • Cross-site scripting — inject arbitrary content into dialog parameter fields that render in browser context
  • ViewState forgery — if the MachineKey is also recovered (since Telerik may use it as fallback), forge ASP.NET ViewState to tamper with server-side state
  • Arbitrary file read/download — forge parameters that direct the file handler to serve files outside intended directories

Attack Characteristics

Attack Vector:   Network — WebResource.axd or Telerik.Web.UI.WebResource.axd endpoint
Authentication:  None required
Key technique:   Cryptographic analysis / default key brute-force
Follow-on:       File upload → web shell → RCE
Related CVEs:    CVE-2017-11317 (upload bypass), CVE-2019-18935 (deserialization)

Exploitation Context

  • Telerik chain exploitation: CVE-2017-9248 is typically exploited as step one in a chain: first recover the encryption key (9248), then use the key to forge upload parameters and upload a malicious .aspx file (CVE-2017-11317), achieving server-side code execution; later CVE-2019-18935 added a deserialization path through the same endpoint
  • Wide deployment surface: Telerik UI for ASP.NET AJAX is embedded in thousands of .NET web applications and in Sitefinity CMS deployments used by government agencies, universities, and enterprises — making mass exploitation campaigns straightforward
  • Government targeting: CISA and NSA have specifically called out CVE-2017-9248 (and the related Telerik chain) as exploited by APT actors targeting US government and defense contractor networks
  • CISA KEV (2021): Added November 3, 2021 as part of the initial KEV catalog launch, reflecting confirmed active exploitation at the time

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply updates per vendor instructions.
  1. Update Telerik UI for ASP.NET AJAX — upgrade to the version released by Progress in June 2017 or later that patches the cryptographic weakness; check the Telerik KB article for the specific fixed version for your product line.

  2. Set an explicit DialogParametersEncryptionKey — configure a strong, randomly generated key in web.config under <appSettings> for Telerik.Web.UI.DialogParametersEncryptionKey; do not rely on defaults or the ASP.NET MachineKey.

  3. Set a strong ASP.NET MachineKey — ensure the <machineKey> in web.config uses a cryptographically random 64+ byte hex key; a weak or default MachineKey exposes ViewState and enables further attacks.

  4. Restrict the Telerik handler endpoint — if RadAsyncUpload is not used, disable the handler in web.config; if it is used, restrict access to authenticated users only where possible.

  5. Audit and patch the full Telerik chain — if using Telerik UI, evaluate exposure to the full chain: CVE-2017-9248 → CVE-2017-11317 → CVE-2019-18935; ensure all are patched to prevent chain exploitation.
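An added audit script (example code written for this page, not from Progress/Telerik or the advisory) that checks a web.config for the settings named in steps 2 and 3: an explicit Telerik.Web.UI.DialogParametersEncryptionKey and an explicit, sufficiently long machineKey. The 32-byte decryptionKey minimum (AES-256), the "padded filler" heuristic and the two sample configs are assumptions; feed your own web.config text to audit_web_config to run it for real.

```python
# Added example (not from the advisory or from Progress/Telerik): audit a web.config for the
# settings named in remediation steps 2 and 3. Key names are standard ASP.NET/Telerik; the
# two sample configs below are constructed for this demonstration.
import secrets
import xml.etree.ElementTree as ET

DIALOG_KEY = "Telerik.Web.UI.DialogParametersEncryptionKey"
MIN_VALIDATION_HEX = 128  # 64 bytes, per the remediation guidance above
MIN_DECRYPTION_HEX = 64   # assumption: AES-256 decryptionKey (32 bytes)


def is_strong_hex(value, min_hex):
    """Explicit hex key of the required length; rejects AutoGenerate and padded filler."""
    v = (value or "").strip()
    if len(v) < min_hex or "AutoGenerate" in v:
        return False
    try:
        int(v, 16)
    except ValueError:
        return False
    return len(set(v.lower())) > 4  # heuristic: "AAAA..."-style filler is not random


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means both keys look hardened."""
    root = ET.fromstring(xml_text)
    findings = []
    values = [a.get("value") for a in root.iter("add") if a.get("key") == DIALOG_KEY]
    if not values:
        findings.append(f"{DIALOG_KEY} not set: library falls back to a default or the MachineKey")
    elif not is_strong_hex(values[0], MIN_VALIDATION_HEX):
        findings.append(f"{DIALOG_KEY} is weak: use {MIN_VALIDATION_HEX}+ random hex chars")
    mk = root.find("./system.web/machineKey")
    if mk is None:
        findings.append("<machineKey> missing: ViewState relies on an auto-generated key")
    else:
        for attr, min_hex in (("validationKey", MIN_VALIDATION_HEX), ("decryptionKey", MIN_DECRYPTION_HEX)):
            if not is_strong_hex(mk.get(attr), min_hex):
                findings.append(f"machineKey {attr} is not an explicit {min_hex}+ hex-char key")
    return findings


def generate_hex_key(num_bytes=64):
    """CSPRNG key in uppercase hex, usable for either setting."""
    return secrets.token_hex(num_bytes).upper()


# Constructed sample: no dialog key, auto-generated MachineKey (the weak configuration).
WEAK_CONFIG = """<configuration><appSettings/><system.web><machineKey
  validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>"""

# Constructed sample: explicit dialog key and explicit, randomly generated MachineKey.
HARDENED_CONFIG = f"""<configuration>
  <appSettings><add key="{DIALOG_KEY}" value="{generate_hex_key()}"/></appSettings>
  <system.web><machineKey validationKey="{generate_hex_key()}" decryptionKey="{generate_hex_key(32)}"
              validation="HMACSHA256" decryption="AES"/></system.web></configuration>"""
```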

Key Details

CVE ID:                CVE-2017-9248
Vendor / Product:      Progress — ASP.NET AJAX and Sitefinity
NVD Published:         2017-07-03
NVD Last Modified:     2025-10-22
CVSS 3.1 Score:        9.8
CVSS 3.1 Vector:       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity:              CRITICAL
CWE:                   CWE-522 — Insufficiently Protected Credentials
CISA KEV Added:        2021-11-03
CISA KEV Deadline:     2022-05-03
Known Ransomware Use:  No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date        Event
2017-06-01  Progress releases Telerik UI updates patching the cryptographic weakness in dialog parameter encryption
2017-07-03  CVE-2017-9248 published by NVD
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog (initial KEV launch batch)
2022-05-03  CISA BOD 22-01 remediation deadline

References

Resource                                               Type
NVD — CVE-2017-9248                                    Vulnerability Database
CISA KEV Catalog Entry                                 US Government
Telerik KB — Cryptographic Weakness (CVE-2017-9248)    Vendor Advisory