High
CVE-2019-18935
CVE-2019-18935
Description
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)
Add Assessment
Technical Analysis
This vulnerability originally outlined by bishopfox is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of PrivateKeyForEncryptionOfRadAsyncUploadConfiguration that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.
Users should change their encryption key (as recommended by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.
Mitigation Strength set to 3/5 due to it being dependent on the strength of the password.
Technical Analysis
We’re consistently seeing reports of this vulnerability being exploited in the wild and used to compromise organizations. I’m upping its attacker value rating based on the fact that evidently attackers are finding value in it.
Technical Analysis
This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
Oh and the Metasploit module for this just landed recently by the way at https://github.com/rapid7/metasploit-framework/pull/14229 so Metasploit does have the capability to exploit this now.
CVSS V3 Severity and Metrics
General Information
Metasploit Modules
References
Miscellaneous
I wonder if versions after R2 2017 SP1 that were upgraded from previous versions randomly generate an encryption key anyway. You’d think they would have at least implemented logic to detect the default being in use and to automatically change it to a random version. That would make later versions not vulnerable anyway.