Multiple Progress Telerik UI Vulnerabilities Exploited in the Wild

Description

FortiGuard Labs recently observed that multiple vulnerabilities (CVE-2019-18935, CVE-2017-11317 and CVE-2017-11357) in Progress Telerik UI (User Interface) are being exploited in a chain to achieve arbitrary code execution on a remote machine. On March 15th, 2023, CISA released an advisory that multiple threat actors exploited unpatched IIS servers in a U.S. federal agency.


Why is this Significant?

This is significant because three Progress Telerik UI vulnerabilities are being exploited in a chain for arbitrary code execution. On March 15th, 2023, CISA released an advisory that multiple threat actors exploited vulnerable IIS servers in a U.S. federal agency. As such, the patches need to be applied as soon as possible.


What is CVE-2019-18935?

CVE-2019-18935 is a critical deserialization of untrusted data vulnerability in the RadAsyncUpload function of Progress Telerik UI for ASP.NET AJAX, a suite of UI components for web applications. Successful exploitation of the vulnerability allows remote attackers to perform arbitrary file uploads or execute arbitrary code when the encryption keys are known, whether through CVE-2017-11317 or CVE-2017-11357 or by other means.


The vulnerability affects Telerik UI versions prior to R1 2020 (2020.1.114) and has a CVSS base score of 9.8.


What is CVE-2017-11317?

CVE-2017-11317 is an unrestricted file upload vulnerability in Telerik UI for ASP.NET AJAX. It stems from weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.


The vulnerability affects Telerik UI versions prior to R1 2020 (2020.1.114) and has a CVSS base score of 9.8.


What is CVE-2017-11357?

CVE-2017-11357 is an arbitrary file upload vulnerability in Telerik UI for ASP.NET AJAX. It is an insecure direct object reference vulnerability in the RadAsyncUpload function, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code by manipulating user input.

The vulnerability affects Telerik UI versions prior to R1 2020 (2020.1.114) and has a CVSS base score of 9.8.


Has the Vendor Released an Advisory for CVE-2019-18935, CVE-2017-11317 and CVE-2017-11357?

Yes. See the Appendix for a link to "Unrestricted File Upload in RadAsyncUpload", "Allows JavaScriptSerializer Deserialization" and "Insecure Direct Object Reference in RadAsyncUpload".


Has the Vendor Released a Patch for the Vulnerabilities?

Yes. Patches are available for all three vulnerabilities.


What is the Status of Protection?

FortiGuard Labs has the following IPS signature in place for CVE-2019-18935, CVE-2017-11317 and CVE-2017-11357:

  • Telerik.Web.UI.RadAsyncUpload.Handling.Arbitrary.File.Upload

Outbreak Alert

Versions prior to R1 2020 (2020.1.114) of Telerik User Interface (UI) for ASP.NET are susceptible to remote code execution attacks on affected web servers due to a deserialization vulnerability found in the RadAsyncUpload function. FortiGuard Labs continues to see high exploitation activity of these old vulnerabilities.
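Two checks a defender would run on the back of this alert, as an added example that is not FortiGuard's or Progress Telerik's own code: a version comparison against the R1 2020 (2020.1.114) fix named above, and a triage pass over IIS W3C log lines that surfaces requests to the RadAsyncUpload handler. The handler path (Telerik.Web.UI.WebResource.axd with type=rau) is the publicly documented RadAsyncUpload endpoint, the W3C field layout is assumed, and the log lines are constructed sample input.

```python
"""Defender-side checks for the Telerik UI RadAsyncUpload issues (added example).

Assumptions (not taken from the advisory above):
  * Telerik.Web.UI versions follow the year.release.build pattern, e.g. 2019.3.1023.
  * IIS logs are in W3C extended format with a #Fields: header line.
  * The RadAsyncUpload handler is served from Telerik.Web.UI.WebResource.axd?type=rau.
"""
from dataclasses import dataclass
from collections import Counter

# Fixed version named in the advisory: R1 2020 (2020.1.114).
PATCHED_VERSION = "2020.1.114"

# RadAsyncUpload handler path, lower-cased for comparison (publicly documented endpoint).
RAU_HANDLER = "telerik.web.ui.webresource.axd"

# Constructed IIS W3C log excerpt (sample data, not a real server's log).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-03-10 08:01:12 10.0.0.5 GET /Default.aspx - 443 198.51.100.7 Mozilla/5.0 200
2023-03-10 08:01:15 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.7 python-requests/2.28 200
2023-03-10 08:01:19 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.7 python-requests/2.28 200
2023-03-10 08:02:00 10.0.0.5 GET /Scripts/app.js - 443 203.0.113.9 Mozilla/5.0 304
"""


def parse_version(v: str) -> tuple:
    """Turn '2019.3.1023' into (2019, 3, 1023) so versions compare numerically."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Telerik version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed Telerik.Web.UI version predates the R1 2020 fix."""
    return parse_version(installed) < parse_version(PATCHED_VERSION)


@dataclass
class Hit:
    """One request to the RadAsyncUpload handler, reduced to triage-relevant fields."""
    time: str
    client_ip: str
    method: str
    user_agent: str
    status: str


def find_rau_requests(log_text: str) -> list:
    """Parse W3C extended log lines and return every hit on the RadAsyncUpload handler.

    A legitimate application that uses RadAsyncUpload also hits this handler, so the
    result is a triage list, not a verdict: look at volume, client IPs and user agents
    that do not match the expected browser population.
    """
    fields = None
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue                           # other directives or lines before a header
        cols = line.split()
        if len(cols) != len(fields):
            continue                           # malformed line; skip rather than guess
        row = dict(zip(fields, cols))
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "").lower()
        if stem.endswith(RAU_HANDLER) and "type=rau" in query:
            hits.append(Hit(
                time=f"{row['date']} {row['time']}",
                client_ip=row["c-ip"],
                method=row["cs-method"],
                user_agent=row.get("cs(User-Agent)", "-"),
                status=row["sc-status"],
            ))
    return hits


def hits_by_client(hits: list) -> dict:
    """Count handler requests per client IP, the quickest way to spot an outlier."""
    return dict(Counter(h.client_ip for h in hits))


if __name__ == "__main__":
    for v in ("2019.3.1023", "2020.1.114", "2020.2.512"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "patched")
    found = find_rau_requests(SAMPLE_LOG)
    for h in found:
        print(h)
    print(hits_by_client(found))
```

The version check answers the "am I affected?" question; the log pass gives an incident responder a starting list of clients that touched the upload handler, which is then correlated with the IPS signature hits listed above and with any unexpected files written under the web root.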

View the full Outbreak Alert Report