Arbitrary code execution vulnerability in Telerik UI for ASP.NET

The developers of Telerik UI for ASP.NET, the open source application framework for building dynamic web sites, received a report of a vulnerability that, if exploited, would allow an attacker to execute arbitrary code. The flaw was reported by an information security firm whose name was not disclosed.

As mentioned in the previous paragraph, the flaw allows arbitrary code to run in the context of a high-privileged process. Depending on the privileges associated with the application, a threat actor could carry out actions such as installing programs, accessing and modifying data, and even creating user accounts with full privileges. It should be noted that if applications are configured with reduced privileges, the actual impact of this vulnerability could decrease significantly.

In the report, the anonymous information security firm states that the vulnerability stems from an insecure deserialization issue in the .NET JavaScriptSerializer as used by the RadAsyncUpload component, an issue that can be exploited to achieve arbitrary code execution on the server, all in the context of the IIS worker process (w3wp.exe).

All Progress Telerik UI for ASP.NET AJAX versions prior to v2020.1.114 are affected by the vulnerability. The risk lies primarily in environments of large companies and government organizations; the probability of exploitation is lower in small and medium-sized companies, as well as in home environments.

The vulnerability was acknowledged and addressed by developers as soon as they received the report from the information security firm. According to the International Institute of Cyber Security (IICS), the main recommendations to prevent exploitation risks include:

  • Analysis of vulnerable systems and immediate installation of the security patches released by Telerik
  • Verifying that other web applications that use Telerik UI are also updated to their latest versions
  • Running all software as an unprivileged user (without administrative rights) to reduce the scope of a potentially successful attack
  • Enforcing the principle of least privilege on all systems and services in use
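The first two recommendations amount to an inventory task: find every copy of the Telerik UI assembly deployed under IIS on a host and compare its version against the fixed build. The script below is an added example written for this article, not code from Telerik or from the reporting firm. It assumes the IIS WebAdministration module is present (the script is meant to run from an elevated PowerShell prompt on the web server) and that the file version of Telerik.Web.UI.dll starts with the product's YYYY.Q.DDD release number, so that 2020.1.114 can be used as the threshold from the article.

```powershell
# Added example (not from the article or from Telerik): inventory every
# Telerik.Web.UI.dll under the IIS sites and applications on this host and
# flag copies older than the fixed build named in the advisory, 2020.1.114.
# Assumptions: the WebAdministration module is installed (IIS role present),
# and the DLL's FileVersion begins with Telerik's YYYY.Q.DDD release number.
param(
    [version]$FixedVersion = [version]'2020.1.114'
)

Import-Module WebAdministration -ErrorAction Stop

# Collect the physical roots of all sites and of applications nested under
# them, expanding variables such as %SystemDrive% that IIS keeps in its config.
$roots = @(Get-Website | ForEach-Object { $_.physicalPath }) +
         @(Get-WebApplication | ForEach-Object { $_.PhysicalPath })
$roots = $roots |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Sort-Object -Unique

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Filter 'Telerik.Web.UI.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $raw = $_.VersionInfo.FileVersion
            # FileVersion is free text; keep only the leading dotted number so the
            # comparison below is numeric ([version]) rather than string-based,
            # which would misorder builds such as 2020.1.95 and 2020.1.114.
            $parsed = $null
            if ($raw -match '^\s*(\d+(\.\d+){1,3})') { $parsed = [version]$Matches[1] }

            if ($null -eq $parsed)               { $status = 'unknown' }
            elseif ($parsed -lt $FixedVersion)   { $status = 'VULNERABLE' }
            else                                 { $status = 'patched' }

            [pscustomobject]@{
                Path    = $_.FullName
                Version = $raw
                Status  = $status
            }
        }
}

if (-not $findings) {
    Write-Output 'No Telerik.Web.UI.dll found under any IIS site or application root.'
} else {
    $findings | Sort-Object Status | Format-Table -AutoSize
}
```

Rows marked VULNERABLE are the applications that still need the vendor patch; rows marked unknown have a file version the regular expression could not parse and should be checked by hand. Because the script walks every site and nested application rather than a single project folder, it also covers the "other web applications that use Telerik UI" case from the second recommendation.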

Telerik deployment administrators are also reminded that there are no workarounds for this flaw, so it is recommended to install the official patches.
