STP | Mitigate Cyber Vulnerability: CVE 2025 3600 (4380358)

Restituisci

Feedback inviato

Questo articolo ti è servito per risolvere il problema?

Seleziona valutazione

Titolo

STP | Mitigate Cyber Vulnerability: CVE 2025 3600
Descrizione

Cyber Vulnerability: CVE 2025 3600 with Telerik.Web.UI.dll
Causa

Cyber Vulnerability Published May 2025 - CVE-2025-3600

Risoluzione

Workaround steps to mitigate with Cyber Vulnerability: CVE 2025 3600

Download 3 of the files attached in this kb.
Open Internet Information Services (IIS) Manager and ungroup the Sites section.
Right click on the Central Administration Site>Explore. The virtual directory will be opened in Windows Explorer
Open (or create it if it doesn’t exist) the “App_Code” folder:
Copy the "TelerikLicence.cs" file from the Telerik folder to the “App_Code” folder:
Also, copy both DLLs from the Telerik folder to the “bin” folder:

Adding the new assembly binding redirection to the CA web.config file

PowerShell script Below can be used to check, just enter the path where the DLLs are found (in this case, the “bin” folder):

# Prompt for the DLL folder path
$dllPath = Read-Host "Enter the path where the Telerik DLL files are located, without quotes"

# Get all DLL files in the folder
$dllFiles = Get-ChildItem -Path $dllPath -Filter "*.dll"

# Function to extract assembly redirect info function Get-AssemblyRedirect {
param ($dll)

$assembly = [System.Reflection.AssemblyName]::GetAssemblyName($dll.FullName)
$name = $assembly.Name
$version = $assembly.Version.ToString()
$publicKeyTokenBytes = $assembly.GetPublicKeyToken()
$publicKeyToken = ($publicKeyTokenBytes | ForEach-Object { $_.ToString("x2") }) -join ""

return @"
<dependentAssembly>
<assemblyIdentity name="$name" publicKeyToken="$publicKeyToken" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-$version" newVersion="$version" /> </dependentAssembly>
"@
}

# Generate XML content
$redirects = foreach ($dll in $dllFiles) {
Get-AssemblyRedirect -dll $dll
}

# Display the result for copy-pasting
Write-Host "`nPaste this inside the <assemblyBinding> node in your web.config:`n" $redirects

Sample of of the result should be the output as below (Copy it):

b. Return to the CA virtual directory make a backup of "web.config" and open the "web.config" file with a text editor (e.g., Notepad):
c. Go to the end of the assembly Binding section (</assemblyBinding>) and paste the result just above from 7a. and save the "web.config"

Remove the old Telerik assembly from all the Application and Web Front End servers of the SharePoint farm:
1. From the SharePoint farm where StoragePoint was installed navigate to the following path
```
<StoragePoint installation path>\AppServer\x64\NET_4.0\
```
2. Open a command prompt (as Administrator) within this path and execute the following command:
```
gacutil -l Telerik.Web.UI 
```
  Sample output
3. Remove it by executing the following command:
```
gacutil -u Telerik.Web.UI 
```
  Sample output
4. Rerun command on Step 8b to verify.
  Sample output
5. For the Other Server in Farm where StoragePoint was installed. Copy the below from NET_4.0 folder(Default path below it may varies); skip to step 8g if no other server:
  - gacutil.exe
  -gacutil.wxe.config
  -gacutilrc.dll
```
C:\Program Files\Metalogix\StoragePoint\AppServer\x64\ 
```
6. Paste on the server of c:\Temp and execute 8b , 8c, 8d
7. Perform IIS reset and Sharepoint Timer services restart on all Server where the assemblies that were uninstalled by running below command line.
  *** this action will have downtime , do make sure its planned to avoid unnecessary alert
```
iisreset 
net stop sptimerv4 
net start sptimerv4 
```
StoragePoint should working fine if steps were properly performed and tested.