CVE-2019-18935

Description

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

Add Assessment

zeroSteiner (340)

February 05, 2020 6:37pm UTC (4 years ago)•Edited 4 years ago

Ratings

Attacker Value

Medium

Exploitability

High

Technical Analysis

This vulnerability originally outlined by bishopfox is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of PrivateKeyForEncryptionOfRadAsyncUploadConfiguration that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.

Users should change their encryption key (as recommended by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.

Mitigation Strength set to 3/5 due to it being dependent on the strength of the password.

See More &1 replySee Less

busterb (317) February 06, 2020 3:53am UTC (4 years ago)•Edited 4 years ago

I wonder if versions after R2 2017 SP1 that were upgraded from previous versions randomly generate an encryption key anyway. You’d think they would have at least implemented logic to detect the default being in use and to automatically change it to a random version. That would make later versions not vulnerable anyway.

ccondon-r7 (282)

October 13, 2020 4:47pm UTC (4 years ago)•Edited 4 years ago

Ratings

Attacker Value

Very High

Exploitability

High

Easy to weaponize

Technical Analysis

We’re consistently seeing reports of this vulnerability being exploited in the wild and used to compromise organizations. I’m upping its attacker value rating based on the fact that evidently attackers are finding value in it.

gwillcox-r7 (579)

October 20, 2020 6:59pm UTC (4 years ago)•

Technical Analysis

This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

Oh and the Metasploit module for this just landed recently by the way at https://github.com/rapid7/metasploit-framework/pull/14229 so Metasploit does have the capability to exploit this now.