AUTHOR: Rumen Zhekov
DATE POSTED: December 09, 2019
Exploiting the .NET JavaScriptSerializer deserialization issue (CVE-2019-18935) through RadAsyncUpload can lead to execution of malicious code on the server in the context of the w3wp.exe process.
To make sure you are not vulnerable, we recommend that you upgrade to R1 2020 or later, as shown in the diagram below. For more information, please check the table below and apply the recommendations to fully secure the version of Telerik.Web.UI.dll used in your projects:
| Version | An attacker is able to break the RadAsyncUpload encryption and stage a malicious request | The type whitelisting feature of RadAsyncUpload is not enabled | Recommendation |
| --- | --- | --- | --- |
| Q1 2011 (2011.1.315) to R2 2017 SP1 (2017.2.621) | Possible | This feature is not available | Upgrade to R3 2019 SP1 or later and apply the recommended security settings. |
| R3 2019 SP1 (2019.3.1023) | Not possible through RadAsyncUpload, unless the attacker has access to your encryption keys | The feature is opt-in | Apply the recommended security settings. |
| R1 2020 (2020.1.114) and later | Not possible through RadAsyncUpload, unless the attacker has access to your encryption keys | The feature is enabled by default | |
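A quick way to inventory which row of the table above each deployed copy of Telerik.Web.UI.dll falls into, as an added example that is not part of Telerik's advisory. It reads the assembly version of every copy found under the IIS site root (assumed to be C:\inetpub\wwwroot; adjust for your servers), applies the version thresholds from the table, and checks the neighbouring web.config for the type whitelist appSettings key Telerik.Upload.AllowedCustomMetaDataTypes, whose name is taken from Telerik's documentation and should be verified against your version.

```powershell
# Added example: classify deployed Telerik.Web.UI.dll copies against the version table above.
# Assumption: web applications live under C:\inetpub\wwwroot; change $SiteRoot for other layouts.
$SiteRoot = 'C:\inetpub\wwwroot'

function Get-TelerikStatus {
    param([version]$Version)
    # Compare on Major.Minor.Build only: shipped assemblies carry a fourth (revision) part,
    # so 2017.2.621.40 must still land in the "up to 2017.2.621" row.
    $v = [version]::new($Version.Major, $Version.Minor, $Version.Build)
    if ($v -le [version]'2017.2.621') {
        return 'VULNERABLE: encryption can be broken; upgrade to R3 2019 SP1 or later and apply the recommended security settings'
    }
    if ($v -lt [version]'2019.3.1023') {
        return 'Not covered by the table; upgrade to R1 2020 or later'
    }
    if ($v -lt [version]'2020.1.114') {
        return 'Type whitelisting is opt-in: confirm it is configured and apply the recommended security settings'
    }
    return 'Type whitelisting enabled by default'
}

function Test-WhitelistConfigured {
    param([string]$WebConfigPath)
    if (-not (Test-Path $WebConfigPath)) { return $false }
    $xml = [xml](Get-Content -Raw $WebConfigPath)
    # Assumption: the whitelist is the Telerik.Upload.AllowedCustomMetaDataTypes appSettings key.
    $node = $xml.SelectSingleNode("//appSettings/add[@key='Telerik.Upload.AllowedCustomMetaDataTypes']")
    return ($null -ne $node -and -not [string]::IsNullOrWhiteSpace($node.value))
}

Get-ChildItem -Path $SiteRoot -Recurse -Filter 'Telerik.Web.UI.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # GetAssemblyName reads metadata without loading the assembly into this process.
        $ver = [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName).Version
        # web.config is expected one level above the bin folder that holds the DLL.
        $webConfig = Join-Path (Split-Path $_.DirectoryName -Parent) 'web.config'
        [pscustomobject]@{
            Path        = $_.FullName
            Version     = $ver.ToString()
            Status      = Get-TelerikStatus -Version $ver
            Whitelisted = Test-WhitelistConfigured -WebConfigPath $webConfig
        }
    } | Format-Table -AutoSize -Wrap
```

Run it on each web server; any row reporting VULNERABLE, or an R3 2019 SP1 row with Whitelisted set to False, needs the action listed in the table.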
If you have an active license, go to the Downloads section, look for version 2020.1.114 or later in the Version dropdown and download the Telerik_UI_for_ASP.NET_AJAX_2020_1_114_Dev_hotfix.zip archive. You can see how to update your project here. For any questions, you can contact us via the support ticketing system. If you don't have an active license, you can reach out to Telerik support by opening a General Feedback ticket.
We would like to thank Markus Wulftange of Code White GmbH and Paul Taylor (@bao7uo) for assisting with making the information public.
CVE-2019-18935