This message was sent to U-M IT groups on Tuesday, 3/21/23. It is intended for U-M IT staff who are responsible for university web servers that use the Progress Telerik User Interface for the .NET framework that runs on Windows.
Summary
A vulnerability in Progress Telerik is being actively exploited in the wild and has been used to execute remote code on a federal agency’s web server. Update Progress Telerik to a version newer than 2019.3.1023.
Problem
Although the vulnerability is three years old, CISA analysts determined that multiple cyber threat actors exploited a .NET deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX. Exploitation of this vulnerability allowed malicious actors to successfully execute remote code.
Affected Versions
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023
Action Items
Due to reports of active exploitation of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
- Upgrade to R1 2020 or later as shown in the diagram in the Solution section of these instructions from Telerik.
- IA recommends prioritizing immediate mitigation for systems running Windows Server versions.
Threats
The vulnerability is being actively exploited in the wild.
Detection
The exploitable functions within the Telerik library are located within a single DLL file, Telerik.Web.UI.dll. Use software asset management or host-based inspection software to locate this file, which both confirms that Telerik is in use and lets you read the product version from the file.
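The following PowerShell script is an added example for the check described above; it is not part of this advisory or of Telerik's own tooling. It searches a set of assumed roots (C:\inetpub plus the GAC folders; edit $SearchRoots for your server) for Telerik.Web.UI.dll, reads each copy's FileVersion, and flags any release at or below 2019.3.1023, the last affected build named in this advisory. It assumes the DLL's FileVersion carries the release as Major.Minor.Build with an optional fourth revision part, and it reduces four-part versions to three parts so that a build such as 2019.3.1023.x is not mistaken for a newer release.

```powershell
# Added example (not part of the U-M advisory): inventory Telerik.Web.UI.dll on a
# Windows web server and flag copies at or below 2019.3.1023 (affected "through 2019.3.1023").
# Assumptions: IIS content lives under the roots in $SearchRoots (adjust for your host), and
# the DLL's FileVersion string is Major.Minor.Build or Major.Minor.Build.Revision.

$LastAffected = [version]'2019.3.1023'   # last affected release, from the advisory
$SearchRoots  = @(                        # assumed locations; add your site roots as needed
    'C:\inetpub',
    'C:\Windows\Microsoft.NET\assembly',
    'C:\Windows\assembly'
)

function Get-TelerikRelease {
    # Reduce a 3- or 4-part file version to Major.Minor.Build so that a build-specific
    # revision (e.g. 2019.3.1023.45) compares equal to the release 2019.3.1023 rather
    # than appearing newer than it. Returns $null when the string is not a version.
    param([string]$FileVersionString)
    $v = $null
    if (-not [version]::TryParse($FileVersionString, [ref]$v)) { return $null }
    return [version]::new($v.Major, $v.Minor, $v.Build)
}

function Find-TelerikWebUI {
    # Walk each root and emit one record per Telerik.Web.UI.dll found.
    param([string[]]$Roots = $SearchRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'Telerik.Web.UI.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $info    = $_.VersionInfo
                $release = Get-TelerikRelease $info.FileVersion
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $info.FileVersion
                    Release     = $release
                    # $true means the copy is within the affected range and needs the upgrade;
                    # an unparsable version is reported as 'unknown' so it is reviewed by hand.
                    Affected    = if ($null -ne $release) { $release -le $LastAffected } else { 'unknown' }
                }
            }
    }
}

# Run the inventory and show every copy found; upgrade anything marked Affected = True
# (or unknown) to R1 2020 or later per the Action Items above.
Find-TelerikWebUI | Format-Table -AutoSize
```

Run this from an elevated PowerShell session so the GAC folders and all site directories are readable. Multiple copies are common (bin folders of several sites plus the GAC), so treat each path as its own remediation item rather than stopping at the first hit.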
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency (The Hacker News, 3/16/23)
- Threat Actors Exploited Progress Telerik Vulnerability in U.S. Government IIS Server (CISA, 3/15/23)
- MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server (CISA, 3/15/23)
- Allows JavaScriptSerializer Deserialization (Telerik UI for ASP.NET AJAX)
- Advisory 2020-004: Remote code execution vulnerability being actively exploited in vulnerable versions of Telerik UI by sophisticated actors (Australian Cyber Security Centre, 5/22/20)
- CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI (Bishop Fox, 12/12/19)
- CVE-2019-18935 Detail