CVE-2019-18935
Published: 11 December 2019
Summary
CVE-2019-18935 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Telerik UI for ASP.NET AJAX. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
Progress Telerik UI for ASP.NET AJAX through version 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function, tracked as CVE-2019-18935 and classified as CWE-502. The flaw permits remote code execution when the component's encryption keys are known, which can occur through prior issues such as CVE-2017-11317 or CVE-2017-11357 or by other means. The vulnerability received a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required privileges or user interaction.
An attacker who can reach the affected RadAsyncUpload endpoint and possesses the encryption keys can supply a malicious serialized object that the server deserializes, resulting in arbitrary code execution on the underlying system. Public exploit code and technical write-ups demonstrate practical attack chains that use this deserialization path once key material is obtained; without the keys, a crafted payload is rejected before it reaches the deserializer.
Later releases address the issue through configuration rather than a code change to the endpoint: version 2020.1.114 introduces a default setting that blocks the exploit, while 2019.3.1023 added a non-default setting that can prevent exploitation in that specific release only; earlier releases have no such setting and must be upgraded. Public repositories and proof-of-concept materials, including cryptographic tooling and deserialization payloads targeting RadAsyncUpload, have been published that illustrate the attack requirements and impact.
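The three version boundaries above (affected through 2019.3.1023, opt-in setting only in 2019.3.1023, default protection from 2020.1.114) are easy to get wrong in a fleet audit, particularly the case where the allow-list key is present in web.config on a release that ignores it. The following triage helper is an added example written for this page; it is not Telerik's code and not part of the advisory. It assumes that the opt-in setting is the appSettings key Telerik.Upload.AllowedCustomMetaDataTypes and that the type named in the sample web.config is the one Telerik allows by default; both are assumptions to confirm against Telerik's own documentation, and the sample web.config is constructed.

```python
"""Triage helper for CVE-2019-18935 (Telerik UI for ASP.NET AJAX, RadAsyncUpload).

Added example: encodes the version boundaries stated in the advisory and
checks a web.config for the opt-in allow-list setting.  Not Telerik's code.
"""
import re
import xml.etree.ElementTree as ET

# Version boundaries stated in the advisory, as (year, release, build).
LAST_AFFECTED = (2019, 3, 1023)   # every release through this one is affected
OPT_IN_SETTING = (2019, 3, 1023)  # the non-default setting exists only in this release
DEFAULT_BLOCK = (2020, 1, 114)    # the default setting blocks the exploit from here

# Assumption: the web.config appSettings key Telerik uses for the RadAsyncUpload
# type allow-list.  The advisory names no key; confirm against Telerik's docs.
ALLOWLIST_KEY = "Telerik.Upload.AllowedCustomMetaDataTypes"

# Constructed sample web.config for a 2019.3.1023 host with the opt-in setting
# applied.  The type in the value is assumed, not taken from the advisory.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.Upload.AllowedCustomMetaDataTypes"
         value="Telerik.Web.UI.AsyncUploadConfiguration" />
  </appSettings>
</configuration>
"""

_VERSION_RE = re.compile(r"\s*(\d{4})\.(\d)\.(\d{3,4})\s*")


def parse_version(text):
    """Turn a Telerik.Web.UI version string such as '2019.3.1023' into a
    comparable (year, release, build) tuple; reject anything else."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised Telerik version: {text!r}")
    return tuple(int(part) for part in m.groups())


def app_settings(web_config_xml):
    """Return the <appSettings> entries of a web.config document as a dict."""
    root = ET.fromstring(web_config_xml)
    return {add.get("key"): add.get("value", "")
            for add in root.findall("./appSettings/add")
            if add.get("key") is not None}


def assess(version_text, web_config_xml=None):
    """Classify one host against the advisory's version/setting boundaries.

    Returns one of:
      'hardened-by-default'     2020.1.114 or later
      'hardened-by-setting'     2019.3.1023 with the allow-list key present
      'vulnerable'              2019.3.1023 or earlier with no effective setting
      'not-covered-by-advisory' a build after 2019.3.1023 but before 2020.1.114
    A 'vulnerable' host is exploitable only if the attacker also holds the
    encryption keys, so key hygiene is a separate check.
    """
    version = parse_version(version_text)
    if version >= DEFAULT_BLOCK:
        return "hardened-by-default"
    if version > LAST_AFFECTED:
        return "not-covered-by-advisory"
    settings = app_settings(web_config_xml) if web_config_xml else {}
    # The setting is honoured only in 2019.3.1023; on earlier releases the key
    # is simply ignored, which is the trap the advisory calls out.
    if version == OPT_IN_SETTING and ALLOWLIST_KEY in settings:
        return "hardened-by-setting"
    return "vulnerable"


if __name__ == "__main__":
    for ver, cfg in [("2013.1.220", None), ("2019.3.1023", None),
                     ("2019.3.1023", SAMPLE_WEB_CONFIG), ("2019.2.514", SAMPLE_WEB_CONFIG),
                     ("2020.1.114", None)]:
        print(ver, "->", assess(ver, cfg))
```

Feed it the file version of Telerik.Web.UI.dll from each site's bin directory together with that site's web.config; a result of 'vulnerable' on a host that does have the allow-list key set is the 2019.2-and-earlier case the advisory warns about, where only an upgrade helps.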
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-8608
Vulnerability details
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)
- CWE(s): CWE-502
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks malicious serialized objects supplied to RadAsyncUpload by validating untrusted input before .NET deserialization occurs.
- CM-6 (Configuration Settings): enforces the secure default setting introduced in 2020.1.114, or the non-default setting available in 2019.3.1023, that disables the vulnerable deserialization path.
- Key protection: protects the Telerik encryption keys whose disclosure (via CVE-2017-11317, CVE-2017-11357 or other means) is required to craft a valid malicious payload for this deserialization flaw.