Overview
Progress Telerik UI for ASP.NET AJAX contains a critical .NET deserialization vulnerability in the RadAsyncUpload function that allows remote code execution when the encryption keys are known or specific settings are exploited. This is a high-impact vulnerability affecting widely used ASP.NET web components. The vulnerability was disclosed on December 11, 2019. CISA has identified CVE-2019-18935 as actively exploited, and it is known to be used in ransomware campaigns.
Technical details
The RadAsyncUpload control in Progress Telerik UI for ASP.NET AJAX fails to properly validate and sanitize serialized .NET objects before deserialization. This allows attackers to craft malicious serialized payloads that, when deserialized by the application, can execute arbitrary code on the server. The vulnerability is particularly dangerous because it can be exploited remotely and affects a widely-deployed component used in many ASP.NET applications.
The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and CWE-327 (Use of a Broken or Risky Cryptographic Algorithm).
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.
Impact
Successful exploitation allows unauthenticated remote attackers to execute arbitrary code with the privileges of the web application's process. This can lead to complete server compromise, data theft, lateral movement within the network, installation of malware, and denial of service. Given that this affects widely-deployed ASP.NET components, it poses significant risk to many organizations.
Mitigation and workarounds
1. Download the latest patched version from the Telerik website.
2. Back up your current Telerik assemblies and configuration.
3. Replace the Telerik.Web.UI.dll and related assemblies with the patched versions.
4. Recompile your ASP.NET application against the new assemblies.
5. Redeploy the application.
6. Test thoroughly to ensure compatibility.
The following versions include the necessary fixes:
Telerik UI for ASP.NET AJAX 2019.3.1024 and later
Telerik UI for ASP.NET AJAX 2019.2.917 (patch for 2019.2.x)
Telerik UI for ASP.NET AJAX 2018.3.1016 (patch for 2018.3.x)
As temporary workarounds: disable the RadAsyncUpload control if your application does not require it; restrict network access to the RadAsyncUpload endpoints using firewall rules or IP whitelisting; implement web application firewall (WAF) rules to detect and block malicious serialized payloads; remove or disable the AsyncUploadHandler from the handlers configuration if possible; and change the default encryption keys to non-predictable values, noting that this only provides limited protection.
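The audit below is an added example, not code from Telerik, CISA or this report. It checks an ASP.NET web.config for the three things the workarounds and the fixed-version list above turn on: whether the handler that serves RadAsyncUpload (Telerik.Web.UI.WebResource, registered at Telerik.Web.UI.WebResource.axd in the default Telerik project layout) is still registered, whether the RadAsyncUpload encryption and hash appSettings (Telerik.AsyncUpload.ConfigurationEncryptionKey and Telerik.Upload.ConfigurationHashKey) are set and at least 32 characters long (that length threshold is an assumption), and whether the referenced Telerik.Web.UI assembly version is one of the fixed builds listed above or newer than 2019.3. Branches the report does not list are treated as needing an upgrade. Both sample configs are constructed for the example.

```python
"""Exposure triage for CVE-2019-18935 against an ASP.NET web.config (added example)."""
import re
import xml.etree.ElementTree as ET

# Fixed builds named in the advisory, keyed by (year, release) branch.
FIXED_BUILDS = {(2019, 3): 1024, (2019, 2): 917, (2018, 3): 1016}
# Every release after 2019.3 carries the fix; earlier branches that the
# advisory does not list are treated as unpatched (upgrade required).
FIRST_FIXED_RELEASE = (2019, 3)

# Handler that serves RadAsyncUpload requests in the default Telerik registration.
UPLOAD_HANDLER_TYPE = "Telerik.Web.UI.WebResource"
UPLOAD_HANDLER_PATH = "Telerik.Web.UI.WebResource.axd"

# appSettings holding the RadAsyncUpload configuration encryption/hash keys.
KEY_SETTINGS = ("Telerik.AsyncUpload.ConfigurationEncryptionKey",
                "Telerik.Upload.ConfigurationHashKey")
MIN_KEY_LENGTH = 32  # assumption: shorter or missing values are flagged as weak

VERSION_RE = re.compile(r"Telerik\.Web\.UI,\s*Version=(\d+\.\d+\.\d+(?:\.\d+)?)")


def parse_version(version):
    """'2019.2.514.45' -> (2019, 2, 514); the trailing framework digit is ignored."""
    parts = version.split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected Telerik version: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_patched(version):
    """True when the build is one of the advisory's fixed builds or newer than 2019.3."""
    year, release, build = parse_version(version)
    branch = (year, release)
    if branch in FIXED_BUILDS:
        return build >= FIXED_BUILDS[branch]
    return branch > FIRST_FIXED_RELEASE


def audit_web_config(xml_text):
    """Return handler exposure, weak/missing keys, assembly version and patch state."""
    root = ET.fromstring(xml_text)
    adds = list(root.iter("add"))
    handler_registered = any(
        (add.get("type") or "").startswith(UPLOAD_HANDLER_TYPE)
        or add.get("path") == UPLOAD_HANDLER_PATH
        for add in adds)
    settings = {add.get("key"): add.get("value") or "" for add in adds if add.get("key")}
    weak_keys = [k for k in KEY_SETTINGS if len(settings.get(k, "")) < MIN_KEY_LENGTH]
    match = VERSION_RE.search(xml_text)
    version = match.group(1) if match else None
    return {
        "handler_registered": handler_registered,
        "weak_keys": weak_keys,
        "version": version,
        "patched": is_patched(version) if version else None,
    }


# Constructed sample: default handler registration, no custom keys, pre-fix build.
EXPOSED_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.Skin" value="Default" />
  </appSettings>
  <system.web>
    <compilation>
      <assemblies>
        <add assembly="Telerik.Web.UI, Version=2019.2.514.45, Culture=neutral, PublicKeyToken=121fae78165ba3d4" />
      </assemblies>
    </compilation>
    <httpHandlers>
      <add path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" validate="false" />
    </httpHandlers>
  </system.web>
</configuration>"""

# Constructed sample: fixed build and non-default keys (placeholder values; generate your own).
HARDENED_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="CONSTRUCTED-PLACEHOLDER-0123456789abcdef0123456789abcdef" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="CONSTRUCTED-PLACEHOLDER-fedcba9876543210fedcba9876543210" />
  </appSettings>
  <system.web>
    <compilation>
      <assemblies>
        <add assembly="Telerik.Web.UI, Version=2019.3.1024.45, Culture=neutral, PublicKeyToken=121fae78165ba3d4" />
      </assemblies>
    </compilation>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>"""


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_web_config(cfg))
```

A registered handler on a patched build is expected (RadAsyncUpload needs it); the finding that matters is a registered handler together with a pre-fix version or missing keys, which is exactly the combination the workarounds above address.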
CISA's recommendation: Apply updates per vendor instructions.
Additional resources
Source: This report was generated using AI

