Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability

critical Nessus Plugin ID 135970

Synopsis

A web application development suite installed on the remote Windows host is affected by a deserialization vulnerability.

Description

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

Solution

Upgrade to Telerik UI for ASP.NET AJAX version R3 2019 SP1 (2019.3.1023) or later, and enable the type whitelisting feature of RadAsyncUpload.

See Also

http://www.nessus.org/u?de2ce6ef

http://www.nessus.org/u?be6fd178

http://www.nessus.org/u?57e10c1e

Plugin Details

Severity: Critical

ID: 135970

File Name: telerik_ui_for_aspnet_ajax_CVE-2019-18935.nasl

Version: 1.7

Type: local

Agent: windows

Family: Windows

Published: 4/24/2020

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: Critical

Score: 9.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:H/RL:OF/RC:C

CVSS Score Source: CVE-2019-18935

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:telerik:ui_for_asp.net_ajax

Required KB Items: installed_sw/Telerik UI for ASP.NET AJAX

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/9/2019

Vulnerability Publication Date: 12/9/2019

CISA Known Exploited Dates: 5/3/2022

Reference Information

CVE: CVE-2019-18935

IAVA: 2020-A-0219