External risk intelligence

Telerik UI for ASP.NET AJAX: Remote Code Execution Risk

CVE advisory
Known Exploit

CVE-2019-18935

Progress Telerik UI for ASP.NET AJAX has a vulnerability in RadAsyncUpload that can allow attackers to execute code remotely. This could lead to unauthorized access and compromise of sensitive business data. Affected organizations face significant business risk.

Halo Surface Signal: 4

Weakness class: Deserialization

Product: Telerik UI for ASP.NET AJAX

Affected versions: 2011.1.315 to 2020.1.114

External exposure likelihood

Halo Surface Signal score for CVE-2019-18935

This vulnerability affects Telerik UI for ASP.NET AJAX, a component frequently embedded in public-facing web applications to provide file upload functionality. Because the affected RadAsyncUpload control is often exposed to end-users on public web interfaces to facilitate file transfers, it is commonly reachable from the internet in standard web application deployments.

Horizon Alert

Summary of the vulnerability and why it matters

Progress Telerik UI for ASP.NET AJAX contains a vulnerability within its RadAsyncUpload function that allows for the execution of arbitrary code. This occurs when the application processes untrusted data, potentially enabling attackers to compromise the server. The impact can extend to unauthorized access and manipulation of sensitive business information.

  • Vulnerable RadAsyncUpload function
  • Untrusted data deserialization
  • Remote code execution and data compromise

Attack Path

How an attacker could exploit the issue

The Progress Telerik UI for ASP.NET AJAX component contains a .NET deserialization vulnerability within its RadAsyncUpload function. This vulnerability can be exploited if an attacker knows the encryption keys, which can occur if other related vulnerabilities are present or through other means. Successful exploitation allows an attacker to execute remote code.

  • Publicly accessible web applications using the component.
  • Attacker sends specially crafted data.
  • Remote code execution on the server.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Progress Telerik UI for ASP.NET AJAX allows attackers to execute arbitrary code on a server. It can be exploited remotely if encryption keys are known, potentially leading to significant data compromise or system control. The vulnerability has been observed in attacks against a U.S. federal agency. Given its exploitability and potential for severe damage, organizations using the affected software should treat this as a high-priority issue.

  • Attackers with low skill level.
  • Remote access without authentication.
  • Significant business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Progress Telerik UI for ASP.NET AJAX could allow attackers to execute code remotely. The risk is associated with the RadAsyncUpload function, particularly when encryption keys are compromised or otherwise exposed. Exploitation may lead to unauthorized code execution on affected systems, posing a significant business risk.

  • Find all Progress Telerik UI for ASP.NET AJAX assets.
  • Reduce exposure by restricting access to the RadAsyncUpload function.
  • Apply vendor updates, verify the fix, and monitor for related incidents.
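The first remediation step above, locating every deployed copy of the component and deciding whether it falls inside the affected range, can be scripted. The following PowerShell is an added example written for this page, not code from Progress or from the advisory; it assumes web roots live under a single directory (default C:\inetpub), that the component ships as Telerik.Web.UI.dll, and that the first three parts of the DLL's file version identify the Telerik release (a fourth part, if present, is dropped before comparison). The affected range is the one stated on this page.

```powershell
# Added example: inventory Telerik.Web.UI.dll under an IIS root and flag copies
# whose release version lies in the range the advisory names.
# Assumptions (not from the advisory): $Root is where web applications live,
# and the release is identified by the first three file-version components.
param(
    [string]$Root = 'C:\inetpub'
)

# Affected range as stated on this page (inclusive on both ends).
$AffectedMin = [version]'2011.1.315'
$AffectedMax = [version]'2020.1.114'

function Get-TelerikReleaseVersion {
    param([string]$Path)
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    # Build a three-part version so it compares cleanly against the range bounds.
    return [version]('{0}.{1}.{2}' -f $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart)
}

function Test-AffectedTelerikVersion {
    param([version]$Version)
    return ($Version -ge $AffectedMin) -and ($Version -le $AffectedMax)
}

Get-ChildItem -Path $Root -Recurse -Filter 'Telerik.Web.UI.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ver = Get-TelerikReleaseVersion -Path $_.FullName
        [pscustomobject]@{
            Path     = $_.FullName
            Version  = $ver.ToString()
            Affected = Test-AffectedTelerikVersion -Version $ver
        }
    } |
    Sort-Object Affected -Descending |
    Format-Table -AutoSize
```

Run it on each web server with an account that can read the application directories; rows with Affected set to True are the assets that need the vendor update, and the Path column tells you which application hosts each copy so exposure of the RadAsyncUpload control can be reviewed per site.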

Frequently asked questions

What type of software is affected by CVE-2019-18935, and what is its primary function related to this vulnerability?

Progress Telerik UI for ASP.NET AJAX is the affected software. The vulnerability lies within its RadAsyncUpload function, which is often used for file uploads in web applications. This function's .NET deserialization process can be exploited.

What is the weakness class for CVE-2019-18935, and how does it lead to remote code execution?

The weakness class is CWE-502, which relates to Deserialization of Untrusted Data. This means the software processes data in a way that allows an attacker to execute code by providing specially crafted serialized data. This is particularly risky when encryption keys for the data are known.

How can an attacker trigger the vulnerability in RadAsyncUpload, and what is the scope of impact?

An attacker can trigger the vulnerability by sending specially crafted data to the RadAsyncUpload function. Exploitation is possible when the encryption keys are known, either through other vulnerabilities or by other means. Successful exploitation allows for remote code execution on the server, with a CVSS scope of 'S:U' (Scope: Unchanged), meaning the impact is confined to the affected server's own security scope rather than extending to other systems.

What is the relevance of CVE-2019-18935, considering it is listed on the Known Exploited Vulnerabilities (KEV) catalog?

The presence of CVE-2019-18935 on the KEV catalog indicates it has been actively exploited in the wild, posing a significant threat. A U.S. federal agency was reportedly targeted using this vulnerability, highlighting its potential for serious compromise. The 'Likely' Halo Surface Signal further emphasizes its accessibility and common use in public-facing web applications.

What practical steps should be taken to address CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX?

Organizations should identify all instances of Progress Telerik UI for ASP.NET AJAX. It is recommended to restrict access to the RadAsyncUpload function where possible. Applying vendor-provided updates is crucial, followed by verification of the fix and continuous monitoring for any related security incidents.
