Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability

Critical | Web App Scanning Plugin ID 112521

Synopsis

Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability

Description

According to its self-reported version number, the installed Telerik UI for ASP.NET AJAX is a release through 2019.3.1023 and so contains a .NET deserialization vulnerability in the RadAsyncUpload function (CVE-2019-18935). The RadAsyncUpload handler accepts an encrypted, client-supplied upload configuration that includes the name of the type to deserialize it as, and deserializes it with JavaScriptSerializer. An attacker who knows the encryption keys, because the application is also affected by CVE-2017-11317 or CVE-2017-11357 or because the keys were obtained by other means, can forge that data and make the server deserialize an arbitrary type, which can result in remote code execution. As of 2020.1.114, a default setting (type whitelisting) prevents the exploit. In 2019.3.1023, but not earlier versions, the same protection is available as a non-default setting, so 2019.3.1023 itself remains exploitable unless that setting has been enabled.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number. It cannot see web.config, so a 2019.3.1023 installation that has the whitelist enabled, or one whose handler is disabled, will still be reported; confirm the configuration before closing the finding.
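The version-based logic described above, as an added example that is not part of the original plugin page or of Tenable's code: it pulls the self-reported Telerik.Web.UI assembly version out of a page (RadScriptManager embeds it, usually URL-encoded, in the combined-scripts query string) and classifies it against the cut-offs given in the Description. The HTML snippet is constructed for this example; the `whitelist_configured` flag is an operator-supplied assumption, since the scanner cannot read web.config.

```python
"""Version-based triage for CVE-2019-18935 (RadAsyncUpload deserialization).

Added example, not part of the original plugin page. It reproduces the logic
the Description implies: trust the version string the application reports,
then compare it against the cut-offs the page gives. The HTML snippet below
is constructed for this example.
"""
import re
from typing import Optional, Tuple
from urllib.parse import unquote_plus

Version = Tuple[int, int, int]

WHITELIST_AVAILABLE: Version = (2019, 3, 1023)  # opt-in whitelist can block the exploit
WHITELIST_DEFAULT: Version = (2020, 1, 114)     # whitelist on by default

# RadScriptManager / WebResource URLs embed the assembly reference, e.g.
# "Telerik.Web.UI, Version=2019.3.1023, Culture=neutral, PublicKeyToken=...",
# usually URL-encoded, so decode before matching.
VERSION_RE = re.compile(r"Telerik\.Web\.UI,\s*Version=(\d{4})\.(\d+)\.(\d+)")

# Constructed sample: one combined-scripts URL as RadScriptManager emits it.
SAMPLE_HTML = (
    '<script src="/Telerik.Web.UI.WebResource.axd?_TSM_HiddenField_=ctl00_RadScriptManager1_TSM'
    '&amp;compress=1&amp;_TSM_CombinedScripts_=%3b%3bTelerik.Web.UI%2c+Version%3d2019.3.1023%2c'
    '+Culture%3dneutral%2c+PublicKeyToken%3d121fae78165ba3d4%3aen-US%3aexample"></script>'
)


def parse_version(text: str) -> Optional[Version]:
    """Return the first self-reported Telerik.Web.UI version, or None."""
    m = VERSION_RE.search(unquote_plus(text))
    if m is None:
        return None
    major, release, build = (int(g) for g in m.groups())
    return (major, release, build)


def triage(version: Version, whitelist_configured: bool = False) -> str:
    """Classify a build against the page's cut-offs.

    whitelist_configured must come from the operator (the scanner cannot read
    web.config); it only changes the verdict for 2019.3.1023.
    """
    if version < WHITELIST_AVAILABLE:
        return "vulnerable"           # no in-product mitigation; upgrade
    if version < WHITELIST_DEFAULT:
        return "mitigated" if whitelist_configured else "vulnerable"
    return "not affected by default"  # default setting blocks the exploit


def assess_page(html: str, whitelist_configured: bool = False) -> Optional[Tuple[str, str]]:
    """(version string, verdict) for a fetched page, or None if no version is exposed."""
    v = parse_version(html)
    if v is None:
        return None
    return ".".join(map(str, v)), triage(v, whitelist_configured)


if __name__ == "__main__":
    print(assess_page(SAMPLE_HTML))  # ('2019.3.1023', 'vulnerable')
```

Feed `assess_page` the body of any page that loads the Telerik scripts; a `None` result means the application does not expose its version, not that it is unaffected.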

Solution

Upgrade to Telerik UI for ASP.NET AJAX version R3 2019 SP1 (2019.3.1023) or later and enable the type whitelisting feature of RadAsyncUpload (the Telerik.Upload.AllowedCustomMetaDataTypes appSettings key; it is enforced by default from R1 2020, 2020.1.114). Because the attack also requires the encryption keys, replace any default or leaked Telerik.AsyncUpload.ConfigurationEncryptionKey and Telerik.Upload.ConfigurationHashKey values with long random ones, and if the application does not use RadAsyncUpload, disable the handler outright with Telerik.Web.DisableAsyncUploadHandler.
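A configuration audit for the hardening the Solution calls for, as an added example that is not Telerik's or Tenable's code. The appSettings key names are the ones Telerik documents for RadAsyncUpload (see the security page under See Also); the two web.config fragments are constructed for this example, the hardened one assumes the application uses no custom metadata types (so the whitelist is left empty), and the minimum key length is this example's own threshold rather than a Telerik figure.

```python
"""Audit a web.config for the RadAsyncUpload hardening the Solution calls for.

Added example, not Telerik's or Tenable's code. The appSettings key names are
the ones Telerik documents for RadAsyncUpload; the two web.config fragments
are constructed for this example, and MIN_KEY_LEN is this example's own
threshold. Which keys matter depends on the installed build: the whitelist key
only exists from 2019.3.1023 and is enforced by default from 2020.1.114.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ENCRYPTION_KEY = "Telerik.AsyncUpload.ConfigurationEncryptionKey"
HASH_KEY = "Telerik.Upload.ConfigurationHashKey"
WHITELIST_KEY = "Telerik.Upload.AllowedCustomMetaDataTypes"
DISABLE_HANDLER_KEY = "Telerik.Web.DisableAsyncUploadHandler"

WHITELIST_AVAILABLE = (2019, 3, 1023)  # whitelist exists but is opt-in
WHITELIST_DEFAULT = (2020, 1, 114)     # whitelist enforced by default
MIN_KEY_LEN = 32                       # example threshold, not a Telerik figure

# Constructed: stock appSettings, no custom keys, no whitelist.
WEAK_CONFIG = """\
<configuration>
  <appSettings>
    <add key="Telerik.Skin" value="Default" />
  </appSettings>
</configuration>
"""

# Constructed: custom keys set (placeholder values; generate random ones in
# practice) and an empty whitelist, i.e. no custom metadata types accepted.
HARDENED_CONFIG = """\
<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="PLACEHOLDER-0123456789abcdef0123456789abcdef0123456789abcdef" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="PLACEHOLDER-fedcba9876543210fedcba9876543210fedcba9876543210" />
    <add key="Telerik.Upload.AllowedCustomMetaDataTypes" value="" />
  </appSettings>
</configuration>
"""

# Constructed: RadAsyncUpload not used, handler switched off entirely.
DISABLED_CONFIG = """\
<configuration>
  <appSettings>
    <add key="Telerik.Web.DisableAsyncUploadHandler" value="true" />
  </appSettings>
</configuration>
"""


def app_settings(config_xml: str) -> Dict[str, str]:
    """Return appSettings as {key: value}."""
    root = ET.fromstring(config_xml)
    return {add.get("key", ""): add.get("value", "") for add in root.iterfind("./appSettings/add")}


def audit(config_xml: str, version: Tuple[int, int, int]) -> List[str]:
    """Findings for a web.config on a given Telerik build; an empty list passes."""
    s = app_settings(config_xml)
    findings: List[str] = []
    if s.get(DISABLE_HANDLER_KEY, "").lower() == "true":
        return findings  # handler disabled: the RadAsyncUpload surface is gone
    for key in (ENCRYPTION_KEY, HASH_KEY):
        if len(s.get(key, "")) < MIN_KEY_LEN:
            findings.append(f"{key} missing or short: default or predictable keys let rauPostData be forged")
    if version < WHITELIST_AVAILABLE:
        findings.append("build predates 2019.3.1023: no whitelist option exists; upgrade")
    elif version < WHITELIST_DEFAULT and WHITELIST_KEY not in s:
        findings.append(f"{WHITELIST_KEY} not set: the whitelist is opt-in on this build")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("disabled", DISABLED_CONFIG)):
        print(name, audit(cfg, (2019, 3, 1023)))
```

Run it against the real web.config together with the version the application reports; the version drives whether a missing whitelist key is a finding, and the key-length check is deliberately blunt, so a key that passes it can still be the known default and must be compared against the values Telerik shipped.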

See Also

https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security

https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization

Plugin Details

Severity: Critical

ID: 112521

Type: remote

Published: 7/1/2020

Updated: 3/14/2023

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Critical

Score: 9.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-18935

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2019-18935

Vulnerability Information

CPE: cpe:2.3:a:telerik:ui_for_asp.net_ajax:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/11/2019

Vulnerability Publication Date: 12/11/2019

CISA Known Exploited Vulnerability Due Dates: 5/3/2022

Reference Information

CVE: CVE-2019-18935