Telerik UI breach warning, are your websites vulnerable?


    Incident Summary: Attackers are leveraging Telerik UI vulnerabilities to compromise websites that have not been adequately secured and patched, resulting in system breaches with various objectives. The incidents HALOCK has been involved in have resulted in malware/ransomware, website defacement, credit card scraping, crypto mining, and data exfiltration.

    DESCRIPTION

    Telerik UI for ASP.NET AJAX is a widely used suite of UI components for web applications. It insecurely deserializes JSON objects in a manner that results in arbitrary remote code execution on the software’s underlying host.

    HALOCK has worked numerous incidents in 2020 related to this vulnerability that resulted in the breach of web applications and led to multiple different impacts on the organizations affected. In some of the incidents, the vulnerability was present in third-party applications used within the companies’ websites, so an organization can be exposed without ever having deployed Telerik itself.

    VULNERABILITY

    Progress Telerik UI for ASP.NET AJAX through version 2019.3.1023 contains a .NET deserialization vulnerability (CVE-2019-18935) in the RadAsyncUpload function. It is exploitable when the encryption keys are known, whether through CVE-2017-11317 or CVE-2017-11357 or by other means; the deserialization flaw alone is not enough, the attacker also needs the keys RadAsyncUpload uses to protect its configuration. Exploitation can result in remote code execution.

    https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui

    TESTING FOR THE VULNERABILITY

    Whether the vulnerability is present can be determined from the version of Telerik UI for ASP.NET AJAX in place: every build through 2019.3.1023 is affected. Use the instructions located here to check whether your version is vulnerable. Check every application on the server, including third-party components, since the vulnerable assembly may be bundled with software you did not write.

    HALOCK also recommends annual web application penetration tests on your web application to identify vulnerabilities and attack techniques that could successfully breach web applications.
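The version check described above, written out as an added example (this is not HALOCK's or Telerik's code): it parses a Telerik build string such as the FileVersion of bin\Telerik.Web.UI.dll, or pulls the assembly version out of the Telerik.Web.UI.WebResource.axd script URLs a page references, and compares it against 2019.3.1023, the last build the advisory lists as affected. The regex, the sample page and the assumption that the version shows up in those URLs are mine; where a site does not expose the version in its markup, the DLL file version on the server is the authoritative check.

```python
"""Version check for CVE-2019-18935 in Telerik UI for ASP.NET AJAX.

Added example, not HALOCK's or Telerik's code. It answers one question:
is the Telerik.Web.UI build in use at or below 2019.3.1023, the last build
the advisory lists as affected? Two inputs are handled:

  1. a version string copied from the server, e.g. the FileVersion of
     bin\\Telerik.Web.UI.dll (assumed to look like 2019.3.1023.45);
  2. the HTML of a page, where Telerik's combined-script URLs embed the
     assembly name and version (the sample page below is constructed).
"""
import re

# NVD wording for CVE-2019-18935: affected "through version 2019.3.1023".
LAST_VULNERABLE = (2019, 3, 1023)

# Telerik builds are YYYY.R.BUILD; assembly versions add a 4th component.
_VERSION = r"(\d{4})\.(\d)\.(\d{3,4})(?:\.\d+)?"

# Assembly reference as it appears in Telerik.Web.UI.WebResource.axd URLs,
# either raw ("Telerik.Web.UI, Version=...") or URL-encoded
# ("Telerik.Web.UI%2c+Version%3d..."). Assumption: this is where the version
# shows up in the page; if it does not, fall back to input 1.
_ASSEMBLY_REF = re.compile(
    r"Telerik\.Web\.UI(?:,|%2c)(?:\s|\+|%20)*Version(?:=|%3d)" + _VERSION,
    re.IGNORECASE,
)


def parse_version(text):
    """'2019.3.1023.45' -> (2019, 3, 1023); None if it is not a Telerik build."""
    m = re.fullmatch(_VERSION, text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable_version(version):
    """True for every build through 2019.3.1023 (tuple comparison is lexicographic)."""
    return tuple(version) <= LAST_VULNERABLE


def find_versions_in_html(html):
    """All distinct Telerik.Web.UI builds referenced by a page, oldest first."""
    found = {tuple(int(g) for g in m) for m in _ASSEMBLY_REF.findall(html)}
    return sorted(found)


def assess_page(html):
    """Summarise a page: which builds it references and which are affected."""
    versions = find_versions_in_html(html)
    return {
        "versions": [".".join(map(str, v)) for v in versions],
        "vulnerable": [".".join(map(str, v)) for v in versions if is_vulnerable_version(v)],
        "telerik_detected": bool(versions),
    }


# Constructed sample page: two script tags in the two encodings seen in the
# wild, one referencing an affected build and one a later build.
SAMPLE_HTML = """
<script src="/Telerik.Web.UI.WebResource.axd?_TSM_CombinedScripts_=;;Telerik.Web.UI,+Version=2019.3.1023.45,+Culture=neutral,+PublicKeyToken=121fae78165ba3d4:en-US:abc:def"></script>
<script src="/Telerik.Web.UI.WebResource.axd?_TSM_CombinedScripts_=%3b%3bTelerik.Web.UI%2c+Version%3d2020.1.114.45%2c+Culture%3dneutral"></script>
"""

if __name__ == "__main__":
    print(assess_page(SAMPLE_HTML))
    for raw in ("2019.3.1023.45", "2017.2.621.45", "not-a-version"):
        v = parse_version(raw)
        verdict = "unparseable" if v is None else (
            "VULNERABLE" if is_vulnerable_version(v) else "not in affected range")
        print(raw, "->", verdict)
```

A build above 2019.3.1023 is outside the affected range for CVE-2019-18935; it does not by itself say anything about whether the RadAsyncUpload encryption keys were previously disclosed through CVE-2017-11317 or CVE-2017-11357, so pair the version check with a review of the keys configured on the upgraded installation.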

    MITIGATING THE VULNERABILITY

    The vendor's remediation for this vulnerability has been available since December 2019; updating Telerik UI for ASP.NET AJAX to a fixed release is the mitigation.

    Additional controls that should be implemented:

    • Web Application Firewalls (WAF) can block known exploit traffic for attacks like these, as well as other OWASP Top 10 attacks and distributed denial of service (DDoS) attacks; treat a WAF as a compensating control that buys time, not as a substitute for patching.
    • Vulnerability management actively identifies vulnerabilities via scanning, and timely patching shortens the window in which a vulnerability can be discovered and exploited on a web application.
    • Periodic code reviews, backed by file-integrity checks of the web root, identify changes to source code and the presence of unknown files on the web server that may indicate attacker activity.
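One way to do the file-level part of that review, as an added example that is not HALOCK's tooling: hash the web root into a JSON baseline at deployment time and diff against it on a schedule, calling out newly added executable or script files first. The directory layout, file names and extension list in demo() are constructed for illustration and are assumptions to adapt locally.

```python
"""Baseline-and-diff check for unknown or changed files under a web root.

Added example, not HALOCK's tooling. It hashes every file under a directory,
stores the result as a JSON baseline, and on later runs reports files that
were added, removed or modified, with added executable/script files called out
first. The tree built by demo() is constructed for illustration; the web root
path and the list of "executable" extensions are assumptions to adapt locally.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions that should rarely appear as *new* files on a production web root
# between deployments (assumption; tune to your stack).
EXECUTABLE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".dll", ".exe",
                         ".ps1", ".bat", ".vbs", ".js"}


def sha256_file(path):
    """Streamed SHA-256 so large uploads and DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (path relative to root, POSIX form) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def diff_manifests(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def flag_suspicious(diff):
    """New files with an executable extension are the first things to look at:
    a web shell or a dropped DLL shows up here, while a changed page shows up
    under 'modified' and is worth a diff against source control."""
    return [p for p in diff["added"] if Path(p).suffix.lower() in EXECUTABLE_EXTENSIONS]


def demo():
    """Construct a small web root, baseline it, simulate changes, and diff.
    Returns (diff, flagged) so the behaviour can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        (root / "bin").mkdir(parents=True)
        (root / "Default.aspx").write_text("<%@ Page %>hello")
        (root / "web.config").write_text("<configuration/>")
        (root / "bin" / "App.dll").write_bytes(b"MZ\x90\x00original")
        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), baseline_file)

        # Simulated post-deployment changes (constructed): a new handler page,
        # a modified config, a dropped binary in a temp folder, a removed file.
        (root / "cmd.ashx").write_text("<%@ WebHandler %>")
        (root / "web.config").write_text("<configuration><!-- changed --></configuration>")
        (root / "Temp").mkdir()
        (root / "Temp" / "payload.dll").write_bytes(b"MZ\x90\x00dropped")
        (root / "Default.aspx").unlink()

        diff = diff_manifests(load_manifest(baseline_file), build_manifest(root))
        return diff, flag_suspicious(diff)


if __name__ == "__main__":
    diff, flagged = demo()
    print(json.dumps(diff, indent=2))
    print("review first:", flagged)
```

Store the baseline somewhere the web server's service account cannot write, and regenerate it as part of every deployment; a baseline the attacker can rewrite detects nothing.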

    WHAT YOU SHOULD DO TO MITIGATE RISKS IN THESE TYPES OF ATTACKS

    If you are not able to implement these controls, or need help understanding if you are susceptible to this attack, call HALOCK.

    Review your security profile to mitigate your risks and minimize impact of a breach.

    Cyber Data Breach News

    HALOCK Breach Bulletins
    Recent data breaches to understand common threats and attacks that may impact you – featuring description, indicators of compromise (IoC), containment, and prevention.
