ALERT: Update Progress Telerik against active exploit

03/22/2023

This message was sent to U-M IT groups on Tuesday, 3/21/23. It is intended for U-M IT staff who are responsible for university web servers that use the Progress Telerik User Interface for the .NET framework that runs on Windows.

Summary

A vulnerability in Progress Telerik is being actively exploited in the wild and has been used to execute remote code on a federal agency’s web server. Update Progress Telerik to a version newer than 2019.3.1023.

Problem

Although the vulnerability is three-years-old, CISA analysts determined that multiple cyber threat actors exploited a .NET deserialization vulnerability in Progress Telerik user interface for ASP.NET AJAX. Exploitation of this vulnerability allowed malicious actors to successfully execute remote code.

Affected Versions

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023

Action Items

Due to reports of active exploitation of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

Threats

The vulnerability is being actively exploited in the wild.

Detection

The exploitable functions within the Telerik library are located within a single DLL file, Telerik.Web.UI.dll. Use software asset management or host-based inspection software to identify this file to determine Telerik usage and to identify the product version.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.