Vulnerabilities > CVE-2019-18935 - Deserialization of Untrusted Data vulnerability in Telerik UI for Asp.Net Ajax
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
id | EDB-ID:47793 |
last seen | 2019-12-18 |
modified | 2019-12-18 |
published | 2019-12-18 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/47793 |
title | Telerik UI - Remote Code Execution via Insecure Deserialization |
Nessus
NASL family | Windows |
NASL id | TELERIK_UI_FOR_ASPNET_AJAX_CVE-2019-18935.NASL |
description | Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.) |
last seen | 2020-05-23 |
modified | 2020-04-24 |
plugin id | 135970 |
published | 2020-04-24 |
reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/135970 |
title | Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability |
code |
|
Related news
- Blue Mockingbird Monero-Mining Campaign Exploits Web Apps (source)
- Hackers exploit three-year-old Telerik flaws to deploy Cobalt Strike (source)
- US federal agency hacked using old Telerik bug to steal data (source)
- Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency (source)
- Progress warns of critical RCE bug in Telerik Report Server (source)
- Progress discloses second critical flaw in Telerik Report Server in as many months (source)
References
- https://www.telerik.com/support/whats-new/release-history
- https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization
- https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html
- https://github.com/bao7uo/RAU_crypto
- https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui
- https://github.com/noperator/CVE-2019-18935
- http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html
- https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/
- https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-%28version-2020-1-114%29