Telerik UI for ASP.NET AJAX contains .NET deserialization vulnerability
CVE-2019-18935

9.8 CRITICAL

Key Information:

Vendor:
Telerik

CVE Published:
11 December 2019

Badges

📈 Score: 108 · 💰 Ransomware · 👾 Exploit Exists · 🟡 Public PoC · 🟣 EPSS 93% · 🦅 CISA Reported

What is CVE-2019-18935?

CVE-2019-18935 is a vulnerability in Progress Telerik UI for ASP.NET AJAX affecting versions through 2019.3.1023. The product is a suite of UI components for ASP.NET web applications. The vulnerability is a .NET deserialization flaw in the RadAsyncUpload handler which, if exploited, allows an unauthenticated attacker to execute arbitrary code on the web server. For organizations this can mean full server compromise, data theft, and disruption of service.

Technical Details

The vulnerability stems from RadAsyncUpload deserializing attacker-supplied .NET objects. Exploitation requires the encryption keys that protect the upload configuration; an attacker who has obtained them, for example through the earlier Telerik flaws CVE-2017-11317 or CVE-2017-11357, or by other means, can craft a serialized payload that runs code on the server hosting the application. As of 2020.1.114 a default setting prevents the exploit. In 2019.3.1023, but not in earlier versions, a non-default setting can prevent exploitation; older builds have no such option and must be upgraded.
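An added example, not Telerik's code or part of the original advisory, that turns the version boundaries above into a triage check: it pulls a Telerik.Web.UI build out of a response body and classifies it as fixed by default (2020.1.114 and later), affected unless the non-default setting is enabled (2019.3.1023 only), or affected with no configuration remedy (earlier builds). The `Telerik.Web.UI, Version=...` assembly-reference fingerprint and the response fragment are assumptions constructed for the example.

```python
import re

# Version boundaries taken from the advisory text above.
AFFECTED_THROUGH = (2019, 3, 1023)   # last build listed as affected
OPT_IN_MITIGATION = (2019, 3, 1023)  # only this build offers the non-default protective setting
FIXED_BY_DEFAULT = (2020, 1, 114)    # default setting blocks the exploit from this build on

# Telerik builds look like YEAR.RELEASE.BUILD, usually followed by a fourth
# component that identifies the target .NET framework (e.g. 2019.3.1023.45).
_BUILD_RE = r"(\d{4})\.(\d)\.(\d{3,4})(?:\.\d+)?"

# Assumed fingerprint: the assembly-qualified name that pages using
# Telerik.Web.UI commonly expose in script references or resource URLs.
_ASM_RE = re.compile(r"Telerik\.Web\.UI,\s*Version=(" + _BUILD_RE + r")")


def parse_build(text):
    """Return (year, release, build) for a build string such as '2019.3.1023.45'."""
    m = re.fullmatch(_BUILD_RE, text.strip())
    if not m:
        raise ValueError(f"not a Telerik UI build string: {text!r}")
    return tuple(int(x) for x in m.groups())


def extract_build(html):
    """Pull the Telerik.Web.UI build out of a response body, or None if absent."""
    m = _ASM_RE.search(html)
    return m.group(1) if m else None


def triage(build_text):
    """Classify a build against the CVE-2019-18935 boundaries."""
    v = parse_build(build_text)
    if v >= FIXED_BY_DEFAULT:
        return "fixed-by-default"
    if v == OPT_IN_MITIGATION:
        return "affected-unless-configured"
    if v <= AFFECTED_THROUGH:
        return "affected"
    return "unlisted"  # no public build sits between 2019.3.1023 and 2020.1.114


# Constructed response fragment (not a real capture) so the script runs stand-alone.
SAMPLE_HTML = (
    '<script src="/ScriptResource.axd?d=...&amp;t=..."></script>\n'
    "<!-- Telerik.Web.UI, Version=2019.3.1023.45, Culture=neutral, "
    "PublicKeyToken=121fae78165ba3d4 -->\n"
)

if __name__ == "__main__":
    build = extract_build(SAMPLE_HTML)
    print(build, "->", triage(build) if build else "no Telerik.Web.UI fingerprint")
```

A result of `affected-unless-configured` still needs a look at the application's configuration before it can be closed; every other affected result is an upgrade to 2020.1.114 or later.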

Potential impact of CVE-2019-18935

  1. Remote Code Execution: Exploitation of this vulnerability allows attackers to execute arbitrary code on the affected server, which can be leveraged to gain full control over the application and its environment.

  2. Data Breaches: Unauthorized access gained through this vulnerability can lead to significant data breaches, where sensitive information can be stolen, compromised, or manipulated.

  3. Operational Disruption: Successful exploitation could enable attackers to disrupt application functionality, resulting in downtime and potential financial loss for organizations reliant on these web applications.

CISA has reported CVE-2019-18935

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA tracks the most dangerous vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog, has identified CVE-2019-18935 as exploited in the wild, and lists it as known to be used in ransomware campaigns.

The CISA's recommendation is: Apply updates per vendor instructions.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key ingredient of weaponization, which can lead to ransomware.

EPSS Score

EPSS estimates a 93% probability of exploitation activity in the wild within the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

  • 🟡 Public PoC available

  • 💰 Used in Ransomware

  • 👾 Exploit known to exist

  • 🦅 CISA Reported

  • Vulnerability published

  • Vulnerability Reserved