CVE-2019-18935

Analysis and mitigation of the Telerik UI for ASP.NET AJAX vulnerability: CRITICAL (CVSS 9.8)

High-profile threat

Overview

Progress Telerik UI for ASP.NET AJAX contains a critical .NET deserialization vulnerability in the RadAsyncUpload component that allows remote code execution when the encryption keys protecting upload configuration are known or left at their defaults. This is a high-impact vulnerability affecting widely used ASP.NET web components. The vulnerability was disclosed on December 11, 2019. CISA has identified CVE-2019-18935 as exploited in the wild, and it is known to be used in ransomware campaigns.

Technical details

The RadAsyncUpload handler in Progress Telerik UI for ASP.NET AJAX fails to properly validate serialized .NET objects before deserializing them. An attacker who can reach the handler can therefore supply a crafted serialized payload that, when deserialized by the application, executes arbitrary code on the server. The vulnerability is particularly dangerous because it is exploitable remotely without authentication and affects a component deployed in many ASP.NET applications.

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and CWE-327 (Use of a Broken or Risky Cryptographic Algorithm).

The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting its critical severity.

Impact

Successful exploitation allows unauthenticated remote attackers to execute arbitrary code with the privileges of the web application's process. This can lead to complete server compromise, data theft, lateral movement within the network, installation of malware, and denial of service. Given that this affects widely-deployed ASP.NET components, it poses significant risk to many organizations.
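Because exploitation is a POST to the RadAsyncUpload handler, a defender's first question is usually "who has been posting to that handler, and from where?". The following script is an added example for this report, not code from Progress or CISA. It parses IIS W3C log lines (a constructed sample is embedded), isolates POSTs to the Telerik.Web.UI.WebResource.axd handler path with type=rau (the standard RadAsyncUpload endpoint; adjust HANDLER_STEM if your application registers it under another path), and reports sources that are outside your trusted networks or whose uploads mostly end in server errors. The "mostly 5xx" heuristic and the trusted-network list are assumptions for illustration.

```python
import ipaddress

# RadAsyncUpload posts go to the Telerik web-resource handler with ?type=rau.
# Assumption: default handler path; change if your web.config maps it elsewhere.
HANDLER_STEM = "/telerik.web.ui.webresource.axd"

# Constructed sample IIS W3C log; not real traffic. IIS writes the column order
# in the #Fields line, so the parser reads it rather than hard-coding positions.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2019-12-12 10:00:01 10.0.0.5 GET /Default.aspx - 10.0.1.20 Mozilla/5.0 200
2019-12-12 10:00:02 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 10.0.1.20 Mozilla/5.0 200
2019-12-12 10:00:03 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.77 python-requests/2.22.0 500
2019-12-12 10:00:04 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.77 python-requests/2.22.0 500
2019-12-12 10:00:05 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd d=abc 10.0.1.21 Mozilla/5.0 200
"""


def parse_w3c(log_text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields line
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; IIS encodes spaces as '+', so this is rare
        yield dict(zip(fields, values))


def is_rau_post(record):
    """True for a POST aimed at the RadAsyncUpload handler."""
    return (record.get("cs-method") == "POST"
            and record.get("cs-uri-stem", "").lower().endswith(HANDLER_STEM)
            and "type=rau" in record.get("cs-uri-query", "").lower())


def summarise_rau_posts(log_text, trusted_networks):
    """Group handler POSTs by client IP: request count, 5xx count, user agents, trust."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    per_ip = {}
    for rec in parse_w3c(log_text):
        if not is_rau_post(rec):
            continue
        ip = rec["c-ip"]
        entry = per_ip.setdefault(ip, {
            "count": 0, "errors": 0, "agents": set(),
            "trusted": any(ipaddress.ip_address(ip) in n for n in nets),
        })
        entry["count"] += 1
        if rec.get("sc-status", "").startswith("5"):
            entry["errors"] += 1
        entry["agents"].add(rec.get("cs(User-Agent)", "-"))
    return per_ip


def suspicious_sources(summary):
    """Sources outside trusted networks, or whose handler POSTs mostly fail server-side.
    Assumption: the 'more than half 5xx' threshold is a triage heuristic, not a rule."""
    return sorted(ip for ip, e in summary.items()
                  if not e["trusted"] or e["errors"] * 2 > e["count"])


if __name__ == "__main__":
    summary = summarise_rau_posts(SAMPLE_IIS_LOG, ["10.0.0.0/8"])
    for ip in suspicious_sources(summary):
        e = summary[ip]
        print(f"{ip}: {e['count']} handler POSTs, {e['errors']} server errors, "
              f"trusted={e['trusted']}, agents={sorted(e['agents'])}")
```

Feed it a real log with `summarise_rau_posts(open(path).read(), your_networks)`; the same parser works for any W3C-format IIS log because the column layout is taken from the file itself.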

Mitigation and workarounds

1. Download the latest patched version from the Telerik website.
2. Back up your current Telerik assemblies and configuration.
3. Replace Telerik.Web.UI.dll and the related assemblies with the patched versions.
4. Recompile your ASP.NET application against the new assemblies.
5. Redeploy the application.
6. Test thoroughly to ensure compatibility.

The following versions include the necessary fixes: Telerik UI for ASP.NET AJAX 2019.3.1024 and later, Telerik UI for ASP.NET AJAX 2019.2.917 (patch for 2019.2.x), Telerik UI for ASP.NET AJAX 2018.3.1016 (patch for 2018.3.x).

As temporary workarounds: disable the RadAsyncUpload control if your application does not need it; restrict network access to the RadAsyncUpload endpoints using firewall rules or IP whitelisting; implement web application firewall (WAF) rules to detect and block malicious serialized payloads; remove or disable the AsyncUploadHandler from the handlers configuration if possible; and change the default encryption keys to non-predictable values. Note that changing the keys alone provides only limited protection.
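Two of the points above (the fixed assembly versions, and the handler and encryption-key workarounds) can be checked mechanically before a patch window. The script below is an added example for this report, not code from Progress; it encodes the fixed versions listed above, and audits a web.config (a constructed sample is embedded) for a still-registered Telerik.Web.UI.WebResource handler and for missing or short values of the appSettings keys Telerik documents for RadAsyncUpload and dialog parameters (Telerik.AsyncUpload.ConfigurationEncryptionKey, Telerik.Upload.ConfigurationHashKey, Telerik.Web.UI.DialogParametersEncryptionKey). The 32-character minimum is an assumption of this example, not a vendor requirement; verify the key names against your own version's documentation.

```python
import xml.etree.ElementTree as ET

# Fixed versions from this advisory: 2019.3.1024 and later, plus the back-ported
# patches 2019.2.917 (for the 2019.2.x branch) and 2018.3.1016 (for 2018.3.x).
FIXED_MAINLINE = (2019, 3, 1024)
FIXED_BRANCHES = {(2019, 2): 917, (2018, 3): 1016}

# appSettings keys documented by Telerik for upload/dialog encryption.
# Assumption: verify the exact names against the documentation for your version.
REQUIRED_KEYS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)
MIN_KEY_LENGTH = 32  # assumption: this example's own policy for "non-predictable"

# The handler type registered in web.config for Telerik.Web.UI.WebResource.axd.
HANDLER_TYPE = "Telerik.Web.UI.WebResource"

# Constructed sample web.config: handler still registered, one short key, two missing.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="changeme" />
  </appSettings>
  <system.webServer>
    <handlers>
      <add name="Telerik_Web_UI_WebResource_axd" verb="*" preCondition="integratedMode"
           path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" />
    </handlers>
  </system.webServer>
</configuration>
"""


def parse_version(version):
    """Return (year, release, build) from a Telerik.Web.UI.dll file version such as
    '2019.3.1023.45'; the fourth component (target framework build) is ignored."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Telerik version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def is_patched(version):
    """True when the assembly version carries the CVE-2019-18935 fix."""
    year, release, build = parse_version(version)
    if (year, release, build) >= FIXED_MAINLINE:
        return True
    min_build = FIXED_BRANCHES.get((year, release))
    return min_build is not None and build >= min_build


def audit_web_config(config_xml):
    """Report whether the upload handler is still registered and which encryption
    keys are missing or shorter than MIN_KEY_LENGTH."""
    root = ET.fromstring(config_xml)

    settings = {}
    app_settings = root.find("appSettings")
    if app_settings is not None:
        for add in app_settings.findall("add"):
            settings[add.get("key", "")] = add.get("value", "")

    # <add type="..."> may be assembly-qualified ("Type, Assembly"); compare the type part.
    # Scanning every <add> covers both system.webServer/handlers and system.web/httpHandlers.
    handler_registered = any(
        (add.get("type") or "").split(",")[0].strip() == HANDLER_TYPE
        for add in root.iter("add")
    )
    missing = [k for k in REQUIRED_KEYS if k not in settings]
    weak = [k for k in REQUIRED_KEYS
            if k in settings and len(settings[k]) < MIN_KEY_LENGTH]
    return {"handler_registered": handler_registered,
            "missing_keys": missing, "weak_keys": weak}


if __name__ == "__main__":
    # Assembly version would normally be read from the deployed Telerik.Web.UI.dll.
    for v in ("2019.3.1023.45", "2019.2.917.40", "2018.3.910.45"):
        print(f"{v}: {'patched' if is_patched(v) else 'VULNERABLE'}")
    print(audit_web_config(SAMPLE_WEB_CONFIG))
```

On a real server, read the file version of Telerik.Web.UI.dll from the application's bin directory and pass the deployed web.config text to audit_web_config; a registered handler with missing or short keys means the workaround is incomplete and the version check decides whether the application is exposed.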

CISA recommendation: Apply updates per vendor instructions.

Source: This report was generated by AI.

Related Progress vulnerabilities

No related vulnerabilities with identified affected products.