
The Blue Mockingbird malware campaign, which compromises web applications hosted on Microsoft Internet Information Services (IIS), SharePoint and Citrix, also targets old Telerik UI vulnerabilities that have long been fixed.

The attack uses the known vulnerabilities CVE-2017-11317 and CVE-2019-18935 to upload and execute malicious code on servers that run versions of Telerik UI for ASP.NET AJAX (also known as RadControls for ASP.NET AJAX) which have not been upgraded to a fixed release.

Both vulnerabilities were fixed when they were found, and Progress notified all of our active and inactive customers with instructions and mitigation steps so they could secure their apps. See the following blog posts:

Am I Vulnerable?

You can see whether your app uses the affected suite by opening its web.config and looking for a handler whose type attribute is Telerik.Web.UI.WebResource.

If either of the handlers below is registered (check the type attribute, not just the path), the app uses the Telerik UI for ASP.NET AJAX suite (Telerik.Web.UI.dll) and might be vulnerable to CVE-2017-11317 and/or CVE-2019-18935, so keep reading.

  <system.web>
    <httpHandlers>
      <add path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" validate="false"/>
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" preCondition="integratedMode"/>
    </handlers>
  </system.webServer>

How to Prevent the Vulnerability?

To make sure you are not vulnerable, we recommend that you upgrade to R1 2020 or later, as shown in the diagram below:

[Security diagram: upgrade to R1 2020 or later]

You can find more information in the following dedicated articles:

Which Telerik Version am I Using?

There are three easy ways to check the version of the Telerik.Web.UI.dll assembly, which is the main file of the Telerik UI for ASP.NET AJAX suite:

  • For ASP.NET Web Application projects, open the .csproj file and search for "Telerik.Web.UI"; the HintPath shows the location of the Telerik.Web.UI.dll file:

    <Reference Include="Telerik.Web.UI">
      <HintPath>\bin\Telerik.Web.UI.dll</HintPath>
      …
    </Reference>

    Once you have the path from the HintPath, navigate to the Telerik.Web.UI.dll in Windows Explorer, right-click it, choose Properties -> Details tab and read the version from the File version row:

    [Screenshot: Telerik.Web.UI.dll Properties dialog]

  • For ASP.NET Web Site projects, go to the bin folder of the web project, right-click Telerik.Web.UI.dll -> Properties -> Details and read the version from the File version line.
  • Inspect the version in the GAC as explained in the Referencing Assemblies from the GAC article.
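Both checks described on this page, the web.config handler lookup and the Telerik.Web.UI.dll version lookup, can be scripted on the IIS host so you can run them against every application on every server rather than clicking through Properties dialogs. The following PowerShell is an added example written for this page, not a tool from Telerik or Progress. It assumes the site root is passed as a parameter, that the assembly lives either in the application's bin folder or in the GAC_MSIL folders, and that R1 2020 corresponds to assembly version 2020.1.114 (confirm the number against the Telerik release notes before relying on it).

```powershell
# Added example (not Telerik's own tooling): find Telerik.Web.UI.dll for an
# IIS application, report its file version and flag copies older than R1 2020.
param(
    [Parameter(Mandatory = $true)]
    [string]$SiteRoot   # assumed layout, e.g. C:\inetpub\wwwroot\MyApp
)

# R1 2020 is assumed to map to assembly version 2020.1.114; the page only
# says "R1 2020 or later", so verify this against the release notes.
$fixedVersion = [version]'2020.1.114'

# 1. Is the Telerik.Web.UI.WebResource handler registered in web.config?
$webConfigPath = Join-Path $SiteRoot 'web.config'
if (-not (Test-Path $webConfigPath)) {
    Write-Warning "No web.config found at $webConfigPath"
    return
}
[xml]$webConfig = Get-Content -Raw -Path $webConfigPath

# Classic pipeline (system.web/httpHandlers) and integrated pipeline
# (system.webServer/handlers) registrations are both checked, and the match
# is on the type attribute, as the page advises, not on the .axd path.
$handlers = @()
$handlers += $webConfig.SelectNodes('//system.web/httpHandlers/add')
$handlers += $webConfig.SelectNodes('//system.webServer/handlers/add')
$telerikHandlers = $handlers | Where-Object { $_.type -like 'Telerik.Web.UI.WebResource*' }

if (-not $telerikHandlers) {
    Write-Output "No Telerik.Web.UI.WebResource handler in $webConfigPath; the suite does not appear to be in use."
    return
}
Write-Output 'Telerik handler(s) registered:'
$telerikHandlers | ForEach-Object { Write-Output ('  path={0} type={1}' -f $_.path, $_.type) }

# 2. Locate the assembly: the application's bin folder first, then the GAC.
#    Both GAC roots are assumed paths for .NET 4.x and .NET 2.0-3.5 respectively.
$candidates = @()
$candidates += Get-ChildItem -Path (Join-Path $SiteRoot 'bin') -Filter 'Telerik.Web.UI.dll' -Recurse -ErrorAction SilentlyContinue
foreach ($gacRoot in 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL', 'C:\Windows\assembly\GAC_MSIL') {
    $candidates += Get-ChildItem -Path $gacRoot -Filter 'Telerik.Web.UI.dll' -Recurse -ErrorAction SilentlyContinue
}

if (-not $candidates) {
    Write-Warning 'Handler is registered but Telerik.Web.UI.dll was not found in bin or the GAC.'
    return
}

# 3. Report the file version of every copy and compare it with the fixed build.
#    The numeric parts are used instead of the FileVersion string so that any
#    trailing text in the version resource cannot break the [version] cast.
foreach ($dll in $candidates) {
    $vi = $dll.VersionInfo
    $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $status = if ($fileVersion -lt $fixedVersion) { 'VULNERABLE: older than R1 2020, upgrade' } else { 'OK: R1 2020 or later' }
    Write-Output ("{0}`n  File version {1}  {2}" -f $dll.FullName, $fileVersion, $status)
}
```

Run it once per application root (for example `.\Check-TelerikVersion.ps1 -SiteRoot C:\inetpub\wwwroot\MyApp`, an assumed file name) and treat any copy flagged as older than R1 2020 as a reason to upgrade, including copies in the GAC: an old assembly in the GAC can still be loaded by an application whose bin folder was never updated.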

Feedback and Questions

If you have any questions you can reach out to Telerik support via the public Telerik ASP.NET AJAX forum, by opening a General Feedback ticket, or via the support ticketing system (for everyone with an active subscription).


About the Author

Marin Bratanov

Marin Bratanov is a Principal Technical Support Engineer in the Blazor division, after starting out in WebForms and going through Kendo UI. Ever since he joined Telerik in early 2011 as a novice, his main focus has been improving the services and customer care the company offers. Apart from work, Marin is an avid reader and usually enjoys the worlds of fantasy and sci-fi literature. You can find him on Twitter, Goodreads, LinkedIn and Facebook.
