CISA Alert AA23-074A: Telerik UI CVE-2019-18935 Vulnerability Exploitation


AA23-074A is a joint advisory released by CISA, FBI, and MS-ISAC on the exploitation of the Progress Telerik vulnerability by cyber threat actors, including an APT actor, against a federal civilian executive branch agency [1]. These actors exploited the CVE-2019-18935 .NET deserialization vulnerability found in Progress Telerik's user interface (UI) for ASP.NET AJAX on a US FCEB agency's Microsoft Internet Information Services (IIS) web server.

In this blog, we will discuss the methods used by these threat groups to exploit the vulnerability and compromise vulnerable Microsoft IIS servers belonging to the US government.

For organizations seeking to assess their cybersecurity infrastructure against such attacks, Picus’ The Complete Security Validation Platform offers vulnerability exploitation attack simulations for Progress Telerik vulnerabilities.


What Is the CVE-2019-18935 Vulnerability?

CVE-2019-18935 is a critical vulnerability with a CVSS score of 9.8, caused by a .NET deserialization flaw in the RadAsyncUpload function of Progress Telerik UI for ASP.NET AJAX versions prior to 2019.3.1023 [2]. Telerik UI is a collection of user interface (UI) components [3]; in the affected versions, the RadAsyncUpload handler insecurely deserializes JSON objects supplied in the request.

If an attacker gains access to the encryption keys via other vulnerabilities such as CVE-2017-11317 or CVE-2017-11357, they can exploit CVE-2019-18935. However, there is no forensic evidence confirming exploitation of either CVE-2017-11357 or CVE-2017-11317.

Which Threat Actors Exploit the CVE-2019-18935 Vulnerability?

In November 2022, cyber threat actors successfully exploited the CVE-2019-18935 vulnerability in Telerik UI, which was running on a Microsoft IIS server at a federal civilian executive branch (FCEB) agency, according to CISA alert AA23-074A [1]. The attackers were able to gain interactive access to the web server and execute remote code. Furthermore, the version of Telerik UI for ASP.NET AJAX (2013.2.717) also contained known vulnerabilities, including CVE-2017-11357 and CVE-2017-11317, which the threat actors may have exploited in conjunction with CVE-2019-18935 to obtain the Telerik RadAsyncUpload encryption keys.

CISA reported that multiple cyber threat actors, including an APT actor and the known cybercriminal group XE Group, were conducting reconnaissance and scanning activities that correlate with the successful exploitation of CVE-2019-18935.

How Did Threat Actors Compromise the IIS Server by Leveraging CVE-2019-18935?

Following the successful exploitation of CVE-2019-18935, the threat actors uploaded malicious DLL files disguised as PNG files [MITRE ATT&CK T1036] to the C:\Windows\Temp directory. These DLL files contained a base64-encoded file [MITRE ATT&CK T1027] with the internal name XEReverseShell.exe, which was dropped in the same directory as sortcombat.exe. The DLL files were loaded into the legitimate w3wp.exe process on the IIS server using the DLL injection technique [MITRE ATT&CK T1055.001]. Once executed, the DLL files dropped and executed reverse shell (remote access) utilities that communicated with C2 IP addresses over unencrypted channels.

CISA has confirmed that some of the malicious files dropped on the IIS server follow the threat actors' commonly used file naming convention, which is a primary indicator of compromise. Known file names indicating the compromise are XEReverseShell, Sortcombat, xesmartshell, SortVistaCompat, and Multi-OS_ReverseShell. Although the threat actors removed malicious artifacts that could be analyzed [MITRE ATT&CK T1070.004], there was no evidence of privilege escalation or lateral movement.
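The artifacts described above (PE files wearing a .png extension in C:\Windows\Temp, the actors' file names, and w3wp.exe loading modules from Temp) lend themselves to two simple host checks. The following is an added example, not code from the advisory or from Picus; the sample files and the Sysmon-style image-load log lines are constructed for the demo, and the `Image=`/`ImageLoaded=` key=value log shape is an assumption.

```python
"""Hunt for the AA23-074A post-exploitation artifacts on an IIS host.

Added example, not from the advisory or Picus. Two defender-side checks:
  1. Files whose extension says PNG but whose bytes start with the PE "MZ"
     magic (a DLL masquerading as an image, T1036), or whose names match the
     actors' naming convention.
  2. Image-load events in which w3wp.exe loads a module from C:\\Windows\\Temp.
Sample files and log lines below are constructed for the demo.
"""
import os
import re
import tempfile

# File-name indicators listed in AA23-074A (matched case-insensitively).
KNOWN_NAMES = ("xereverseshell", "sortcombat", "xesmartshell",
               "sortvistacompat", "multi-os_reverseshell")
PE_MAGIC = b"MZ"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def classify_file(name, head):
    """Return the reasons a dropped file looks suspicious (empty list if clean)."""
    reasons = []
    lower = name.lower()
    if lower.endswith(".png") and head.startswith(PE_MAGIC):
        reasons.append("PE executable disguised as PNG (T1036)")
    if any(k in lower for k in KNOWN_NAMES):
        reasons.append("matches actor file-naming convention")
    return reasons


def scan_directory(path):
    """Map file name -> reasons for every suspicious file directly under path."""
    findings = {}
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        with open(entry.path, "rb") as fh:
            head = fh.read(len(PNG_MAGIC))
        reasons = classify_file(entry.name, head)
        if reasons:
            findings[entry.name] = reasons
    return findings


# Constructed image-load events (Sysmon Event ID 7 style; paths contain no spaces).
SAMPLE_LOG = [
    "EventID=7 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe ImageLoaded=C:\\Windows\\Temp\\constructed-1.png",
    "EventID=7 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe ImageLoaded=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorlib.dll",
    "EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\Temp\\unrelated.dll",
]
LOG_RE = re.compile(r"Image=(?P<image>\S+)\s+ImageLoaded=(?P<loaded>\S+)")


def suspicious_w3wp_loads(lines):
    """Return modules that the IIS worker process loaded from C:\\Windows\\Temp."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        image = m.group("image").lower()
        loaded = m.group("loaded").lower()
        if image.endswith("\\w3wp.exe") and loaded.startswith("c:\\windows\\temp\\"):
            hits.append(m.group("loaded"))
    return hits


def scan_sample_directory():
    """Build a constructed Temp directory, scan it, and return the findings."""
    tmp = tempfile.mkdtemp()
    samples = {
        "constructed-1.png": PE_MAGIC + b"\x90\x00" * 32,  # DLL wearing a .png name
        "logo.png": PNG_MAGIC + b"\x00" * 32,               # genuine PNG header
        "sortcombat.exe": PE_MAGIC + b"\x00" * 32,          # known actor file name
    }
    for name, content in samples.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(content)
    return scan_directory(tmp)


if __name__ == "__main__":
    for name, reasons in scan_sample_directory().items():
        print(name, "->", "; ".join(reasons))
    print("w3wp.exe loads from Temp:", suspicious_w3wp_loads(SAMPLE_LOG))
```

Point `scan_directory()` at the real Temp directory and `suspicious_w3wp_loads()` at exported image-load events to use this outside the demo; a hit on either check is a strong lead because the IIS worker process has no legitimate reason to load code from a world-writable temp directory.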

PoC Exploit for Telerik CVE-2019-18935 Vulnerability

CVE-2019-18935 is a critical vulnerability that enables remote code execution through a JSON deserialization flaw. There is a CVE-2019-18935 proof-of-concept (PoC) exploit available on GitHub [4]. This exploit allows an attacker to upload a DLL to a directory on the target server, provided the web server has write permissions in that directory. Then, using the insecure deserialization exploit, the attacker can load the DLL into the application to execute arbitrary code.

How Does Picus Help Simulate Telerik CVE-2019-18935 RCE Vulnerability Exploitation Attacks?

To thoroughly test the effectiveness of your security controls against CVE-2019-18935 RCE attacks on Telerik UI, we strongly recommend using Picus The Complete Security Validation Platform. You can simulate vulnerability exploitation attacks and evaluate your defenses with a 14-day free trial of the Picus Platform. In addition to CVE-2019-18935, the platform can also test your defenses against hundreds of other vulnerabilities, including Log4Shell, Follina, and ProxyShell, in just a few minutes. 

The Picus Threat Library includes the following threat for exploiting CVE-2019-18935:

Campaign ID   Threat Name                   Attack Module
86810         Telerik Web Attack Campaign   Web Application Module

This attack campaign includes the following action:

Action ID   Action Name
433480      Telerik UI for ASP.NET AJAX (RadAsyncUpload Handler) .NET JSON Deserialization Vulnerability Variant-1

What Actions Can You Take Today to Mitigate This Vulnerability?

  • Validate your defenses against CVE-2019-18935 attacks as suggested by CISA [1]
  • Limit the privileges of service accounts to the minimum required permissions for running services
  • Install a patch management system, and verify patch management and vulnerability scanning results against active services. Note that the compromised FCEB agency's vulnerability scanner failed to detect the vulnerability because the Telerik UI software was installed in a file path that the scanner did not typically cover.
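The last point deserves a concrete check: a scanner that only looks in the default web root will miss a Telerik.Web.UI.dll sitting under an unusual application path. The script below is an added example (not from the advisory or Picus) that walks every root you give it, reads each assembly's file version straight from the PE VS_FIXEDFILEINFO block (signature 0xFEEF04BD, so no third-party PE library is needed), and flags anything older than the 2019.3.1023 fix version named above. The fake DLLs written by `build_sample_tree()` are constructed for the demo and contain only an MZ header plus that version block.

```python
"""Locate Telerik.Web.UI.dll under arbitrary roots and flag pre-fix versions.

Added example, not from the advisory or Picus. The version is read from the
PE VS_FIXEDFILEINFO structure (dwSignature 0xFEEF04BD, then dwStrucVersion,
dwFileVersionMS, dwFileVersionLS). The sample tree built by
build_sample_tree() is constructed for the demo.
"""
import os
import struct
import tempfile

FIXED_VERSION = (2019, 3, 1023)  # first fixed release cited in the advisory
VS_FIXEDFILEINFO_SIG = struct.pack("<I", 0xFEEF04BD)


def read_file_version(path):
    """Return (major, minor, build, revision) from the PE version block, or None."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.startswith(b"MZ"):
        return None
    pos = data.find(VS_FIXEDFILEINFO_SIG)
    if pos < 0:
        return None
    # dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _, _, ms, ls = struct.unpack_from("<IIII", data, pos)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def is_vulnerable(version):
    """Telerik numbering is year.release.build; compare the first three parts."""
    return tuple(version[:3]) < FIXED_VERSION


def find_telerik_assemblies(roots):
    """Walk each root (not only the default IIS web root) and report
    (path, version, vulnerable) for every Telerik.Web.UI.dll found."""
    results = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if name.lower() == "telerik.web.ui.dll":
                    path = os.path.join(dirpath, name)
                    ver = read_file_version(path)
                    results.append((path, ver, ver is not None and is_vulnerable(ver)))
    return results


def _fake_assembly(version):
    """Constructed stand-in for a .NET DLL: MZ header plus a version block."""
    major, minor, build, rev = version
    ms = (major << 16) | minor
    ls = (build << 16) | rev
    return (b"MZ" + b"\x00" * 62 + VS_FIXEDFILEINFO_SIG
            + struct.pack("<III", 0x00010000, ms, ls))


def build_sample_tree():
    """Create a constructed tree: one copy in the default web root at the
    advisory's 2013.2.717 version, one under an odd path at the fixed version."""
    root = tempfile.mkdtemp()
    default_bin = os.path.join(root, "inetpub", "wwwroot", "bin")
    odd_bin = os.path.join(root, "Apps", "LegacyPortal", "bin")
    os.makedirs(default_bin)
    os.makedirs(odd_bin)
    with open(os.path.join(default_bin, "Telerik.Web.UI.dll"), "wb") as fh:
        fh.write(_fake_assembly((2013, 2, 717, 0)))
    with open(os.path.join(odd_bin, "Telerik.Web.UI.dll"), "wb") as fh:
        fh.write(_fake_assembly((2019, 3, 1023, 0)))
    return root


if __name__ == "__main__":
    for path, ver, vuln in find_telerik_assemblies([build_sample_tree()]):
        print(("VULNERABLE " if vuln else "ok         ") + str(ver) + "  " + path)
```

Run it against every drive or application root on the IIS host rather than just C:\inetpub\wwwroot; the point of the walk is to find copies in paths a default scan profile skips. Versions before 2019.3.1023 are reported as vulnerable regardless of where the file lives.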

Moreover, the Picus Threat Library contains 300+ threats comprising 3000+ web application and vulnerability exploitation attacks, in addition to 1500+ endpoint, 8000+ malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures for preventive security controls that address exploitation of the Telerik CVE-2019-18935 remote code execution vulnerability. Currently, Picus Labs has validated the following signatures for the Telerik CVE-2019-18935 RCE vulnerability:

Security Control   Signature ID   Signature Name
FortiGate NGFW     48789          applications3: Telerik.Web.UI.RadAsyncUpload.Handling.Arbitrary.File.Upload
ModSecurity        920440         URL file extension is restricted by policy
Palo Alto NGFW     59014          Suspicious Telerik Web UI Request
Snort IPS          51377          POLICY-OTHER Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt
Snort IPS          2029761        ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M1

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus The Complete Security Validation Platform.

References

[1] “CISA Alert AA23-074A.” [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a. [Accessed: Mar. 17, 2023]

[2] “NVD - CVE-2019-18935.” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2019-18935. [Accessed: Mar. 17, 2023]

[3] “Telerik & Kendo UI - .NET Components Suites & JavaScript UI Libraries,” [Online]. Available: https://www.telerik.com/. [Accessed: Mar. 17, 2023]

[4] “GitHub - noperator/CVE-2019-18935: RCE exploit for a .NET JSON deserialization vulnerability in Telerik UI for ASP.NET AJAX,” GitHub. [Online]. Available: https://github.com/noperator/CVE-2019-18935. [Accessed: Mar. 17, 2023]