RadAsyncUpload Attack

Hi Steven,

The received "RadAsyncUpload handler is registered successfully, however, it may not be accessed directly." message when accessing the handler directly from the browser address bar is expected and intentionally designed like this. To facilitate the developers the GET request to the handler returns a human-readable text to notify that the correct handler URL is used and to confirm that the handler is registered successfully.

As for the question "How can I tell if my system (Windows 2012) has been compromised?": The first thing is to make sure that your web application runs Telerik.Web.UI.dll version 2020.1.114 or later as explained in this article: Allows JavaScriptSerializer Deserialization. You can learn how to find out which is the version of Telerik UI for ASP.NET AJAX in this article: How to find out which is the used version of Telerik.Web.UI in the web application. If the version is 2020.1.114 or later your app is not vulnerable to the known vulnerabilities in the suite.

Regardless of the Telerik version, you can also perform a full system scan with a suitable security scanner and antivirus program which can identify CVE-2019-18935. You can find more information in the:

• Frequently Asked Questions section of RadAsyncUpload documentation
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18935 
• https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a -> Mitigations.
• https://www.cisa.gov/news-events/analysis-reports/ar23-074a -> Recommendations.

Thank you for all the information Rumen.  I'm on version 2017.3 but I've disabled the AsyncUpload control with a web config entry and now they are getting a 404 error instead of the success message so that's something.

Prior to that their attempts were throwing this error:

Error occurred during a cryptographic operation.   
at System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.HomogenizeErrors(Func`2 func, Byte[] input)     
at Telerik.Web.UI.CryptoService.DecryptWithMachineKey(String encryptedText)     
at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)   

Hopefully that means they didn't get through.  Upgrading is always a challenge as it tends to break existing code.

You are welcome, Steven!

While the error message might look promising that the server is untouched, your server still runs a not so secure version of Telerik.Web.UI.dll and you still need to scan your system to find out whether there is a virus or any malicious code and files on it.

Also, the difference between R3 2017 and R1 2020 (2020.1.114 or even the latest one) is not big in terms of breaking changes and my advice is to perform an upgrade as early as possible.

Just before upgrading your project, review the following resources:

• The Known Issues and Important Changes thread lists changes and known regression issues that may affect your code.
• The Telerik Upgrade API Analyzer analyzes your C# code and notifies you of changes between your version and the new version.
• The UI for ASP.NET AJAX Release Notes list all changes, fixes, new features and controls.