Arbitrary code execution vulnerability in Telerik UI for ASP.NET

The developers of Telerik UI for ASP.NET, the open source application framework for developing dynamic websites, received a report of a vulnerability that, if exploited, would allow an attacker to execute arbitrary code. The flaw was reported by an information security firm whose name has not been disclosed.

As mentioned in the previous paragraph, the flaw allows arbitrary code to run in the context of a high-privileged process. Depending on the privileges associated with the application, a threat actor could carry out malicious actions such as installing programs, accessing and modifying data, and even creating user accounts with full privileges. It should be noted that if applications are configured with reduced privileges, the actual impact of this vulnerability could be significantly lower.

In the report, the anonymous information security firm states that the vulnerability stems from a deserialization issue in the .NET JavaScriptSerializer as used by RadAsyncUpload, which can be exploited to achieve arbitrary code execution on the server in the context of the w3wp.exe (IIS worker) process.

All Progress Telerik UI for ASP.NET AJAX versions prior to v2020.1.114 are affected by the vulnerability. The risk lies primarily in the environments of large companies and government organizations; the likelihood of exploitation is lower in small and medium-sized companies and in home environments.

The vulnerability was acknowledged and addressed by the developers as soon as they received the report from the information security firm. According to the International Institute of Cyber Security (IICS), the main recommendations for reducing the risk of exploitation include:

  • Analyze vulnerable systems and immediately install the security patches released by Telerik
  • Verify that other web applications that use the Telerik user interface are also updated to their latest versions
  • Run all software as an unprivileged user (without administrative rights) to reduce the scope of a potential successful attack
  • Enforce the principle of least privilege on all systems and services in use
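One way to carry out the first two recommendations in bulk on an IIS host is to inventory every copy of the Telerik.Web.UI.dll assembly under the site folders and compare its file version with the fixed release named above. This is an added example, not code from the article, IICS or Telerik; it assumes the script runs elevated on the IIS server, that the WebAdministration module is present (otherwise it falls back to C:\inetpub\wwwroot), and that the assembly file version follows the usual year.release.build layout.

```powershell
# Added example (not from the article or Telerik): find every Telerik.Web.UI.dll
# deployed under IIS sites and flag copies older than the first fixed release.
$FixedVersion = [version]'2020.1.114'   # "prior to 2020.1.114" means strictly older

# Collect site root folders; physicalPath may contain env vars such as %SystemDrive%.
$roots = @()
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $roots = Get-Website | ForEach-Object {
        [Environment]::ExpandEnvironmentVariables($_.physicalPath)
    }
}
if (-not $roots) { $roots = @('C:\inetpub\wwwroot') }   # assumed default root

$findings = foreach ($root in ($roots | Sort-Object -Unique)) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Filter 'Telerik.Web.UI.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $raw    = $_.VersionInfo.FileVersion   # e.g. 2019.3.1023.45 (constructed sample)
        $parsed = $null
        # [version] accepts 2 to 4 numeric parts, so a 4-part file version compares
        # correctly against the 3-part fixed version (2020.1.114.x is not older).
        $status = if ([version]::TryParse($raw, [ref]$parsed)) {
            if ($parsed -lt $FixedVersion) { 'VULNERABLE' } else { 'patched' }
        } else { 'UNKNOWN-VERSION' }   # unparsable version: review by hand
        [pscustomobject]@{
            Path        = $_.FullName
            FileVersion = $raw
            Status      = $status
        }
    }
}

$findings | Format-Table -AutoSize
# Exit non-zero when anything still needs the patch, so the check can gate a deployment job.
if ($findings | Where-Object Status -ne 'patched') { exit 1 }
```

Applications that ship Telerik UI outside the IIS site folders (for example a shared bin path) need their directory added to $roots.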

Telerik deployment administrators are also reminded that there are no workarounds for this flaw, so installing the official patches is the recommended course of action.