New to Telerik UI for ASP.NET AJAXStart a free 30-day trial

Allows JavaScriptSerializer Deserialization

Problem

Exploiting .NET JavaScriptSerializer Deserialization (CVE-2019-18935) issue through RadAsyncUpload can lead to executing malicious code on the server in the context of the w3wp.exe process.

Prerequisites for an Attack

  • An attacker can break the RadAsyncUpload encryption (or have prior knowledge of your custom encryption keys) and stage a malicious request.

  • The type whitelisting feature of RadAsyncUpload is not enabled (see AllowedCustomMetaDataTypes appSettings key).

Solution

To make sure you are not vulnerable we recommend that you upgrade to R1 2020 or later as shown in the diagram below:

Security diagram

For more information, please check the table below and apply the recommendations to fully secure the version of Telerik.Web.UI.dll used in your projects:

Telerik.Web.UI.dll versionsAn attacker is able to break the RadAsyncUpload encryption and stage a malicious requestThe type whitelisting feature of RadAsyncUpload is not enabledRecommendation
Q1 2011 (2011.1.315) to R2 2017 SP1 (2017.2.621)PossibleThis feature is not availableUpgrade to R3 2019 SP1 or later and apply the recommended security settings.
R2 2017 SP2 (2017.2.711) to R3 2019 (2019.3.917)Not possible through RadAsyncUpload, unless the attacker has access to your encryption keysThis feature is not availableUpgrade to R3 2019 SP1 or later and apply the recommended security settings.
R3 2019 SP1 (2019.3.1023)Not possible through RadAsyncUpload, unless the attacker has access to your encryption keysThe feature is opt-inApply the recommended security settings.
R1 2020 (2020.1.114) and laterNot possible through RadAsyncUpload, unless the attacker has access to your encryption keysThe feature is enabled by defaultApply the recommended security settings.

How to Obtain R1 2020 or Later?

If you have an active license go the the Downloads section, look for version 2020.1.114 or later in the Version dropdown and download the Telerik_UI_for_ASP.NET_AJAX_2020_1_114_Dev_hotfix.zip archive. You can see how to update your project here. For any questions, you can contact us via the support ticketing system.

If you don't have an active license, you can reach out the Telerik support by opening a General Feedback ticket.

Notes

We would like to thank Markus Wulftange of Code White GmbH and Paul Taylor (@bao7uo) for assisting with making the information public.

External References

CVE-2019-18935

See Also