High
CVE-2019-18935
Description
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)
Ratings
- Attacker Value: Medium
- Exploitability: High
Technical Analysis
This vulnerability, originally outlined by Bishop Fox, is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object, which prevents an attacker from modifying the object in such a way as to achieve file upload as the original did. This mitigation, however, uses a default value for the encryption key of `PrivateKeyForEncryptionOfRadAsyncUploadConfiguration` that, if left unchanged, can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserialization functionality in `JavaScriptSerializer`.
Users should change their encryption key (as recommended by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.
Mitigation Strength set to 3/5 due to it being dependent on the strength of the password.
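A defender-side check for the mitigation described in the assessment above, added here and not part of any AttackerKB assessment: it parses a web.config and flags the RadAsyncUpload key settings that still carry the default value named above, are not set, or are short. The appSettings names are assumed from Telerik's documentation and do not appear on this page.

```python
import xml.etree.ElementTree as ET

# Default value quoted in the assessment above: a web.config that still
# carries it lets the CVE-2017-11317 conditions be recreated.
DEFAULT_ENCRYPTION_KEY = "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration"

# appSettings names for the RadAsyncUpload keys (assumed from Telerik's
# documentation; they are not on this page).
KEY_NAMES = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)

def audit_web_config(xml_text: str, min_len: int = 32) -> dict:
    """Map each key setting to 'default', 'not set', 'weak' or 'ok'."""
    root = ET.fromstring(xml_text)
    # <add key= value=> also appears outside appSettings; filter by name.
    configured = {
        add.get("key"): add.get("value", "")
        for add in root.iter("add")
        if add.get("key") in KEY_NAMES
    }
    findings = {}
    for name in KEY_NAMES:
        value = configured.get(name)
        if value is None:
            # Builds before R2 2017 SP1 fall back to the default here.
            findings[name] = "not set"
        elif value == DEFAULT_ENCRYPTION_KEY:
            findings[name] = "default"
        elif len(value) < min_len:
            findings[name] = "weak"
        else:
            findings[name] = "ok"
    return findings

def needs_rotation(findings: dict) -> bool:
    """True when any key should be replaced and the app restarted."""
    return any(state != "ok" for state in findings.values())

# Constructed sample web.config, not taken from a real deployment.
SAMPLE_WEB_CONFIG = """<configuration><appSettings>
  <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey"
       value="PrivateKeyForEncryptionOfRadAsyncUploadConfiguration" />
  <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="short" />
</appSettings></configuration>"""
```

Run `audit_web_config` over the real file's contents; any result other than `ok` means the key should be replaced with a long random value and the application restarted, as the assessment recommends.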
Ratings
- Attacker Value: Very High
- Exploitability: High
Technical Analysis
We’re consistently seeing reports of this vulnerability being exploited in the wild and used to compromise organizations. I’m upping its attacker value rating based on the fact that evidently attackers are finding value in it.
Technical Analysis
This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
Oh and the Metasploit module for this just landed recently by the way at https://github.com/rapid7/metasploit-framework/pull/14229 so Metasploit does have the capability to exploit this now.
I wonder if versions after R2 2017 SP1 that were upgraded from previous versions randomly generate an encryption key anyway. You’d think they would have at least implemented logic to detect the default being in use and to automatically change it to a random version. That would make later versions not vulnerable anyway.