Security Vulnerability Bulletin: Telerik Web UI Controls

Takeshi Eto

We posted this content on our DiscountASP.NET Blog, and we are porting it over here because we want all our customers to know about a recent rise in hacking activity associated with the Telerik Web UI control. If you are using Sitefinity, DotNetNuke, or a custom application that uses Telerik controls, please read on.

Over the past few months, we have seen a large number of hacking attempts against our customers’ sites using an old vulnerability in the Telerik Web UI control, which was widely used in applications such as DotNetNuke, Sitefinity and custom-built ASP.NET sites. Hackers are able to compromise sites using this exploit because many site owners never patched their applications. One codename given to this hacking attack is Blue Mockingbird. Telerik has recently written about the increase in hacking activity on their blog and provides some guidance.

What hackers are doing
Different individual hackers and hacker groups are using this exploit and they are doing different things. Over the past months, we’ve seen the following:

Mitigating hacking activities
Mitigating this vulnerability has proven to be difficult, but we have been observing and learning. Now, along with our intrusion prevention detection system, security tweaks on the webservers, and staff training, we have been able to protect our customers and our infrastructure.

Hacking activity background
We first noticed there was an issue when our intrusion detection system indicated a potentially malicious process being started on one of our webservers. Our team investigated and pinpointed the site that was compromised, determined how the site was compromised, and addressed the hack.

We soon started to notice similar incidents. After further investigation, some of the flagged activities turned out to be legitimate, and others were hacking attempts. At their peak, the hacking attempts were occurring almost daily.

Why the hack is alarming
What makes this hack alarming is that it uses built-in functionality of the Telerik Web UI control to upload a payload to the compromised site. The control functionality is also used by the website so it is difficult to tell which use case is legitimate and which use case is a hacking attempt.

To make things harder, many times the hacking activity uploads a payload that does not interfere with the website and sometimes the payload appears to do nothing. We assume that the payload will “wake up” when the hacker decides to activate it at a future time. Therefore, the website owner never knows their site got hacked and the hosting provider will never know of the hack unless they specifically look for this type of activity.

Another thing we’ve encountered recently is sites being compromised where the hacker does not upload anything and is just probing. We assume that the hacker is logging which sites are “hackable” for some future plan. So unless you specifically detect the activity, no one would know about the breach.

What website owners need to do
In order to stop this attack from occurring, website owners will need to patch the Telerik Web UI component within their application. 

If your site is using the Telerik Web UI, check the table below on what actions you should take depending on where you host your website.

| Application | Site hosted at Everleap | Site hosted elsewhere |
| --- | --- | --- |
| DotNetNuke | Contact Everleap technical support and we’ll check if your site is vulnerable. If vulnerable, our staff can patch and secure your DNN instance. | Get more information about the Telerik vulnerability and DotNetNuke here and you will need to update and patch your DNN instance. |
| Sitefinity | Contact Everleap technical support and we’ll check if your site is vulnerable. If vulnerable, our staff will advise you on the next steps. | Check if you are using an insecure Sitefinity version. If your Sitefinity version is insecure, then contact Sitefinity. |
| Custom Applications | Contact Everleap technical support and we can check if your site is vulnerable. If vulnerable, we’ll provide guidance on the next steps. | Check if you are using an insecure Telerik Web UI version. Audit your website files and make sure that only files you uploaded are on the server. If you own the Telerik license, then contact Telerik and patch your site. If your developer owns the Telerik license, then have them contact Telerik and patch your site. |
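
One way to carry out the file audit recommended above for custom applications, as an added example that is not code from Everleap or Telerik: it compares a downloaded copy of the live site against the files you deployed and reports unexpected, modified and missing files, listing executable file types first. The directory layout, the extension list and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: file types that ASP.NET/IIS can execute or load; adjust for your site.
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".ascx", ".dll", ".exe", ".config"}

def manifest(root):
    """Map each relative path (lower-cased, as Windows paths are case-insensitive) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix().lower(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(known_good_dir, server_copy_dir, ignore_prefixes=()):
    """Compare a copy of the live site against the files you deployed yourself."""
    good, live = manifest(known_good_dir), manifest(server_copy_dir)
    findings = []
    for path, digest in live.items():
        if path.startswith(tuple(ignore_prefixes)):
            continue  # lower-case prefixes of folders you review separately
        if path not in good:
            kind = "unexpected"   # on the server, but never deployed by you
        elif good[path] != digest:
            kind = "modified"     # deployed by you, but the content has changed
        else:
            continue
        severity = "HIGH" if Path(path).suffix in EXECUTABLE_EXTS else "review"
        findings.append((severity, kind, path))
    findings += [("review", "missing", p) for p in good if p not in live]
    return sorted(findings, key=lambda f: (f[0] != "HIGH", f[2]))  # HIGH first, then by path

def demo():
    """Constructed sample: a small deployed site and a server copy that has drifted from it."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "deployed"), Path(tmp, "server")
        for base in (good, live):
            (base / "bin").mkdir(parents=True)
            (base / "Default.aspx").write_text("<%@ Page %>")
            (base / "bin" / "Site.dll").write_bytes(b"original build")
        (live / "bin" / "Site.dll").write_bytes(b"replaced build")  # modified binary
        (live / "images").mkdir()
        (live / "images" / "extra.ashx").write_text("unknown")      # not in the deployment
        (live / "readme.txt").write_text("note")
        return audit(good, live)

if __name__ == "__main__":
    for severity, kind, path in demo():
        print(f"{severity:6} {kind:10} {path}")
```

Because the payloads described above often leave the site working normally, the comparison relies on a known-good copy of what you deployed rather than on how the site behaves.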

Feedback, Comments, Questions?
This is a serious security issue for Windows hosting customers. If you have any feedback, comments or questions, please do not hesitate to reach out to us.
