Security advisories | May 21, 2020

Active Exploitation of CVE-2019-18935

THE THREAT

eSentire has identified active exploitation of the Telerik UI for ASP.NET AJAX vulnerability tracked as CVE-2019-18935. The vulnerability is an insecure deserialization flaw that can lead to remote code execution on the web server, with the privileges of the IIS application pool identity that runs the site. In the case identified by eSentire, the vulnerability was exploited to deliver cryptocurrency-mining malware, but the same access would allow a threat actor to deploy any payload, including ransomware. Organizations are strongly advised to apply the official Telerik fix (upgrade to 2020.1.114 or later) to avoid impact.

What we’re doing about it

  • MVS (formerly esRECON) has a local plugin that identifies vulnerable Telerik UI for ASP.NET AJAX installations
  • Known attacker IP addresses have been added to the eSentire Blacklist
  • esENDPOINT detection rules for this activity are under active development

What you should do about it

  • After performing a business impact review, apply the official fix from Telerik [1]: upgrade Telerik UI for ASP.NET AJAX to version 2020.1.114 (R1 2020) or later
  • Follow the vendor's recommended RadAsyncUpload security settings [2]: replace the default encryption and hash keys with strong custom values, restrict the custom metadata types the handler will deserialize to an explicit allow list, and disable the handler entirely if the application does not use RadAsyncUpload
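The two actions above can be checked programmatically. The following Python script is an added example, not eSentire's MVS plugin or Telerik's code: it compares a Telerik.Web.UI build string against the fixed release and audits a web.config for the appSettings Telerik documents for RadAsyncUpload hardening (Telerik.AsyncUpload.ConfigurationEncryptionKey, Telerik.Upload.ConfigurationHashKey and Telerik.Upload.AllowedCustomMetaDataTypes). The two web.config texts, the 32-character minimum key length and the type name MyApp.UploadMetaData are constructed for the example; how the version string is obtained (for instance from the file version of Telerik.Web.UI.dll) is left to the reader.

```python
"""Audit a Telerik UI for ASP.NET AJAX deployment for CVE-2019-18935 exposure.

Added example: checks (1) whether the installed Telerik.Web.UI build predates the
fixed release 2020.1.114 and (2) whether web.config carries the RadAsyncUpload
settings Telerik recommends (custom encryption/hash keys, an allow list of custom
metadata types). The web.config texts below are constructed for this example.
"""
import xml.etree.ElementTree as ET

FIXED_VERSION = (2020, 1, 114)  # R1 2020, first release containing the fix
MIN_KEY_LENGTH = 32             # this example's assumption, not a Telerik requirement

# appSettings names documented by Telerik for hardening RadAsyncUpload
ENCRYPTION_KEY = "Telerik.AsyncUpload.ConfigurationEncryptionKey"
HASH_KEY = "Telerik.Upload.ConfigurationHashKey"
ALLOWED_TYPES_KEY = "Telerik.Upload.AllowedCustomMetaDataTypes"

# Constructed: encryption key set but weak, hash key missing, no type allow list.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="changeme" />
  </appSettings>
</configuration>
"""

# Constructed: both keys set to long random values and custom metadata types
# restricted to one hypothetical application type (MyApp.UploadMetaData).
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="a9b8c7d6e5f40312a9b8c7d6e5f40312a9b8c7d6" />
    <add key="Telerik.Upload.AllowedCustomMetaDataTypes" value="MyApp.UploadMetaData" />
  </appSettings>
</configuration>
"""


def parse_telerik_version(version_string):
    """'2019.3.1023.45' (file version of Telerik.Web.UI.dll) -> (2019, 3, 1023)."""
    parts = version_string.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Telerik version string: {version_string!r}")
    return tuple(int(p) for p in parts[:3])


def is_vulnerable_version(version_string):
    """True when the build predates 2020.1.114, the first release with the fix."""
    return parse_telerik_version(version_string) < FIXED_VERSION


def read_app_settings(xml_text):
    """Collect <add key="..." value="..."/> pairs from the appSettings section."""
    root = ET.fromstring(xml_text)
    app_settings = root.find("appSettings")
    if app_settings is None:
        return {}
    return {add.get("key"): (add.get("value") or "")
            for add in app_settings.findall("add") if add.get("key")}


def audit_web_config(xml_text, min_key_length=MIN_KEY_LENGTH):
    """Return a list of findings; an empty list means the recommended settings are present."""
    settings = read_app_settings(xml_text)
    findings = []
    for key in (ENCRYPTION_KEY, HASH_KEY):
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} not set: the handler falls back to its built-in default key")
        elif len(value) < min_key_length:
            findings.append(f"{key} is shorter than {min_key_length} characters")
    if not settings.get(ALLOWED_TYPES_KEY):
        findings.append(f"{ALLOWED_TYPES_KEY} not set: custom metadata types are not allow-listed")
    return findings


if __name__ == "__main__":
    for label, version in (("prod", "2019.3.1023.45"), ("staging", "2020.1.114.45")):
        state = "VULNERABLE" if is_vulnerable_version(version) else "fixed"
        print(f"{label}: Telerik.Web.UI {version} -> {state}")
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"{label} web.config:", audit_web_config(cfg) or "recommended settings present")
```

The version check is the one that matters most: the allow-list setting is honoured by the fixed release, so the configuration audit complements the upgrade rather than replacing it, and a web.config that passes the audit on a pre-2020.1.114 build is still exposed.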

Additional information

CVE-2019-18935 was publicly disclosed in December 2019. It is an insecure deserialization flaw: the RadAsyncUpload handler (Telerik.Web.UI.WebResource.axd?type=rau) deserializes attacker-supplied JSON with the .NET JavaScriptSerializer while honouring the type name embedded in that JSON, so an attacker can have arbitrary types instantiated on the server [3]. Public exploitation of the vulnerability was first reported in mid-May 2020. The handler only accepts configuration data that is encrypted (and, in newer builds, also hashed) with the Telerik keys configured for the application, so successful exploitation requires prior knowledge of those keys, obtained either because the installation still uses the well-known default keys or through an additional vulnerability such as the earlier Telerik key-disclosure weakness CVE-2017-9248.
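The exploitation path described above leaves traces in the web server logs. The following Python script is an added example and is not part of eSentire's detection content: it parses IIS W3C-format log lines (constructed for this example) and surfaces two hunting signals, POST requests to the RadAsyncUpload handler Telerik.Web.UI.WebResource.axd?type=rau, which any exploit of CVE-2019-18935 must send, and bursts of requests to Telerik.Web.UI.DialogHandler.aspx from one client, the pattern that key-recovery attempts against the earlier CVE-2017-9248 weakness produce. The burst threshold, the sample IP addresses and the user agents are assumptions.

```python
"""Hunt IIS W3C logs for CVE-2019-18935 exploitation attempts.

Added example. Two signals are extracted:
  * POST requests to the RadAsyncUpload handler
    (Telerik.Web.UI.WebResource.axd?type=rau), the request the exploit needs.
    Legitimate RadAsyncUpload uploads use the same request, so this is a hunting
    lead, not a verdict.
  * Bursts of requests to Telerik.Web.UI.DialogHandler.aspx from one client, the
    shape of key-recovery attempts against CVE-2017-9248; the keys are needed
    before CVE-2019-18935 can be exploited.
All log lines below are constructed; the burst threshold is an assumption.
"""
from collections import defaultdict

RAU_HANDLER = "telerik.web.ui.webresource.axd"
DIALOG_HANDLER = "telerik.web.ui.dialoghandler.aspx"
DIALOG_PROBE_THRESHOLD = 20  # example assumption, tune per environment

# Constructed log: 25 DialogHandler probes, then two scripted rau POSTs from the same
# client, and one rau POST by an authenticated intranet user (a legitimate upload).
_PROBES = [
    f"2020-05-17 23:01:{i:02d} 10.0.0.5 GET /Telerik.Web.UI.DialogHandler.aspx dp={i:04x} 443 - "
    f"203.0.113.7 python-requests/2.23.0 - 200 0 0 12"
    for i in range(25)
]
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip "
    "cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    *_PROBES,
    "2020-05-18 03:14:07 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 python-requests/2.23.0 - 200 0 0 31",
    "2020-05-18 03:14:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.23.0 - 200 0 0 118",
    "2020-05-18 03:14:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.23.0 - 200 0 0 2033",
    "2020-05-18 08:22:41 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 jdoe 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0) https://intranet.example/Upload.aspx 200 0 0 47",
])


def parse_iis_log(text):
    """Parse W3C extended IIS log text into dicts keyed by the names in the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or corrupt line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def is_rau_post(record):
    """POST to the RadAsyncUpload handler, matched case-insensitively on stem and query."""
    stem = record.get("cs-uri-stem", "").lower()
    query = record.get("cs-uri-query", "").lower()
    return record.get("cs-method") == "POST" and stem.endswith(RAU_HANDLER) and "type=rau" in query


def is_dialog_handler_request(record):
    return record.get("cs-uri-stem", "").lower().endswith(DIALOG_HANDLER)


def triage(records, probe_threshold=DIALOG_PROBE_THRESHOLD):
    """Per client IP: rau POST count, DialogHandler request count, user agents seen, and a
    'suspicious' flag when the client both probed DialogHandler heavily and posted to rau."""
    summary = defaultdict(lambda: {"rau_posts": 0, "dialog_probes": 0,
                                   "user_agents": set(), "suspicious": False})
    for r in records:
        entry = summary[r["c-ip"]]
        if is_rau_post(r):
            entry["rau_posts"] += 1
            entry["user_agents"].add(r.get("cs(User-Agent)", "-"))
        if is_dialog_handler_request(r):
            entry["dialog_probes"] += 1
    for entry in summary.values():
        entry["suspicious"] = entry["rau_posts"] > 0 and entry["dialog_probes"] >= probe_threshold
    return {ip: e for ip, e in summary.items() if e["rau_posts"] or e["dialog_probes"]}


if __name__ == "__main__":
    for ip, e in triage(parse_iis_log(SAMPLE_LOG)).items():
        print(f"{ip}: rau POSTs={e['rau_posts']} DialogHandler={e['dialog_probes']} "
              f"UA={sorted(e['user_agents'])} suspicious={e['suspicious']}")
```

Because legitimate uploads produce the same rau POST, treat a hit as a lead: check whether the client authenticated, sent a browser user agent and a plausible referer, and correlate the timestamp with endpoint telemetry for the w3wp.exe worker process (unexpected child processes or newly written files loaded by it).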

Affected Products:

  • Progress Telerik UI for ASP.NET AJAX, all versions prior to 2020.1.114 (R1 2020), the first release that contains the fix

References:

[1] https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization

[2] https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security#recommended-settings

[3] https://www.cisecurity.org/advisory/a-vulnerability-in-telerik-ui-for-aspnet-could-allow-for-arbitrary-code-execution_2020-015/