
Vulnerability (CVE-2019-18935) Telerik UI for ASP.NET AJAX

This article applies to the following products:

  • Messageware OWA Guard 2016
  • Messageware OWA Guard 2013
  • Messageware OWA Guard 2010
  • Messageware EPG 2016
  • Messageware EPG 2013

SUMMARY

A vulnerability described in CVE-2019-18935 was identified in the third-party component Telerik UI for ASP.NET AJAX.

Exploiting the vulnerability requires the component's cryptographic keys to be compromised: the attacker must already have access to the plain-text keys stored in the web.config file on the server. If an attacker has access to these keys, a security breach has already occurred on the server and within the organization.

This component is only used in the OWA Guard and EPG Web Admin programs. The OWA Guard and EPG server components for Microsoft Exchange servers are not affected.


SOLUTION

Apply one of the following solutions to mitigate the vulnerability:

Solution A:

  • Disable the Telerik upload control in web.config

Solution B:

  • Upgrade to the 2020 release of OWA Guard (OG)/EPG and encrypt the web.config keys

Solution A

Connect to the server where OWA Guard or EPG Web Management is installed

Modify the web.config

Navigate to your program's location:

OWA GUARD

  • \Program Files\Messageware\OWA Guard Web Management\webadmin\

EPG

  • \Program Files\Messageware\EPG Web Management\webadmin\

  • Edit the web.config file and locate the <appSettings> section
  • Add the following line:

<add key="Telerik.Web.DisableAsyncUploadHandler" value="True"/>

Solution B

Launch IIS Manager

Navigate to the following location in IIS Manager

  • Server > Sites > Default Web Site

Generate Encrypted Keys and Update the web.config

  • Select Machine Key
  • Set the Validation method to HMACSHA256
  • Set the Encryption method to Auto
  • Under both Validation Key and Decryption Key, clear the following checkboxes:
    • Automatically generate at runtime
    • Generate a unique key for each application
  • Click Generate Keys in the Actions pane
  • Copy the generated validation key into the value of the 1st validation key in the appSettings section of the web.config
  • Click Generate Keys in the Actions pane again
  • Copy the new validation key into the value of the 2nd validation key
  • Save the changes to web.config
  • Select Cancel to revert the changes in IIS Manager; the generated keys are used only in the web.config


Modify the web.config

Connect to the server where OWA Guard or EPG Web Management is installed and navigate to your program's location:

OWA GUARD

  • \Program Files\Messageware\OWA Guard Web Management\webadmin\

EPG

  • \Program Files\Messageware\EPG Web Management\webadmin\

  • Edit the web.config file and locate the <appSettings> section
  • Add the following lines, replacing the placeholders with the two keys generated above (no leading or trailing spaces inside the value attribute):

<add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR-1ST-VALIDATION-KEY" />
<add key="Telerik.Upload.ConfigurationHashKey" value="YOUR-2ND-VALIDATION-KEY" />


Open Command Prompt as Administrator

Encrypt (or, when needed, decrypt) the appSettings section

  • Navigate to the following location
    • \Windows\Microsoft.NET\Framework64\v4.0.30319\

To encrypt appSettings (the -prov switch selects the DPAPI-based provider, so the keys are protected with a secret tied to this server):

aspnet_regiis -pef appSettings "C:\Program Files\Messageware\OWA Guard Web Management\webadmin" -prov "DataProtectionConfigurationProvider"

For EPG, use the EPG Web Management webadmin path instead.

To decrypt appSettings (use this command only when the section has to be decrypted again, for example to change the keys):

aspnet_regiis -pdf appSettings "C:\Program Files\Messageware\OWA Guard Web Management\webadmin"
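The Solution B steps above (generate two keys, write them into web.config, encrypt appSettings, confirm the result) collected into one script, added here as an example; it is not a Messageware or Telerik script. It assumes the OWA Guard webadmin path from this article (pass -WebAdminPath for EPG), that aspnet_regiis.exe sits under the Framework64 path shown above, and that 64 random bytes from the .NET CSPRNG rendered as hex are acceptable as the two Telerik key values (the same shape IIS Manager's Generate Keys produces for HMACSHA256). The optional -DisableUploadHandler switch also applies the Solution A setting.

```powershell
# Added example, not Messageware's or Telerik's own script: applies Solution B end to end
# (generate two keys, write them to web.config, encrypt appSettings, verify) and optionally
# Solution A. Run from an elevated PowerShell prompt on the web management server.
# Assumption: the 64-byte hex key format matches what IIS Manager's Generate Keys produces.
#Requires -RunAsAdministrator
param(
    [string]$WebAdminPath = 'C:\Program Files\Messageware\OWA Guard Web Management\webadmin',
    [switch]$DisableUploadHandler   # also apply Solution A
)
$ErrorActionPreference = 'Stop'
$configPath = Join-Path $WebAdminPath 'web.config'

# Equivalent of IIS Manager's "Generate Keys": 64 CSPRNG bytes rendered as upper-case hex.
function New-HexKey {
    param([int]$ByteCount = 64)
    $bytes = New-Object byte[] $ByteCount
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

# Add or overwrite one <add key="..." value="..."/> entry under <appSettings>.
function Set-AppSettingsKey {
    param([xml]$Config, [string]$Key, [string]$Value)
    $appSettings = $Config.configuration.appSettings
    if (-not $appSettings) { throw 'web.config has no <appSettings> section' }
    $node = @($appSettings.add) | Where-Object { $_.key -eq $Key } | Select-Object -First 1
    if ($node) {
        $node.value = $Value
    } else {
        $node = $Config.CreateElement('add')
        $node.SetAttribute('key', $Key)
        $node.SetAttribute('value', $Value)
        [void]$appSettings.AppendChild($node)
    }
}

# Keep a backup before touching the file.
Copy-Item $configPath "$configPath.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"

[xml]$config = Get-Content -Path $configPath -Raw
if ($config.configuration.appSettings.configProtectionProvider) {
    throw 'appSettings is already encrypted; run aspnet_regiis -pdf first, then re-run this script.'
}

Set-AppSettingsKey -Config $config -Key 'Telerik.AsyncUpload.ConfigurationEncryptionKey' -Value (New-HexKey)
Set-AppSettingsKey -Config $config -Key 'Telerik.Upload.ConfigurationHashKey' -Value (New-HexKey)
if ($DisableUploadHandler) {
    Set-AppSettingsKey -Config $config -Key 'Telerik.Web.DisableAsyncUploadHandler' -Value 'True'
}
$config.Save($configPath)

# Encrypt the section with DPAPI so the plain-text keys are not left readable on disk.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
& $regiis -pef appSettings $WebAdminPath -prov DataProtectionConfigurationProvider
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis exited with code $LASTEXITCODE" }

# Verify: appSettings must now carry configProtectionProvider and no readable Telerik.* keys.
[xml]$after = Get-Content -Path $configPath -Raw
$provider = $after.configuration.appSettings.configProtectionProvider
$leaked = @($after.configuration.appSettings.add) | Where-Object { $_.key -like 'Telerik.*' }
if ($provider -and -not $leaked) {
    Write-Output "appSettings encrypted with $provider; Telerik keys are no longer in plain text."
} else {
    Write-Warning 'appSettings is not encrypted; review the aspnet_regiis output before leaving the server.'
}
```

The script refuses to run against an already-encrypted section rather than silently appending keys next to the EncryptedData element, and the final check is the same one a reviewer would do by hand after the aspnet_regiis step: the appSettings element carries a configProtectionProvider attribute and no Telerik.* key is readable in the file.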