CVE-2019-18935

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

Recent assessments:

zeroSteiner at February 05, 2020 6:37pm UTC reported:

This vulnerability originally outlined by bishopfox is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of PrivateKeyForEncryptionOfRadAsyncUploadConfiguration that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.

Users should change their encryption key (as recommended by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.

Mitigation Strength set to 3/5 due to it being dependent on the strength of the password.

ccondon-r7 at October 13, 2020 4:47pm UTC reported:

This vulnerability originally outlined by bishopfox is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of PrivateKeyForEncryptionOfRadAsyncUploadConfiguration that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.

Users should change their encryption key (as recommended by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.

Mitigation Strength set to 3/5 due to it being dependent on the strength of the password.

gwillcox-r7 at October 20, 2020 6:59pm UTC reported:

This vulnerability originally outlined by bishopfox is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of PrivateKeyForEncryptionOfRadAsyncUploadConfiguration that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.

Users should change their encryption key (as recommended by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.

Mitigation Strength set to 3/5 due to it being dependent on the strength of the password.

Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 4