US Government IIS Server Breached via Telerik Software Flaw

Written by

The US Cybersecurity and Infrastructure Security Agency (CISA) has disclosed information regarding a .NET deserialization vulnerability (CVE-2019-18935) in the Progress Telerik user interface (UI) for ASP.NET AJAX.

CISA described the findings in an advisory on Wednesday, saying multiple cyber-threat actors were able to exploit the flaw, which also affected the Microsoft Internet Information Services (IIS) web server of a federal civilian executive branch (FCEB) agency between November 2022 and January 2023.

If exploited successfully, the vulnerability allows remote code execution (RCE). Because of this, the flaw has been rated as critical and assigned a CVSS v3.1 score of 9.8.

Read more on the CVSS system here: A Case Against CVSS

“Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan,” reads the CISA advisory. “This may be the case for many software installations, as file paths widely vary depending on the organization and installation method.”

Commenting on the news, Dror Liwer, co-founder of cybersecurity company Coro, said vulnerabilities like this are a “low-hanging fruit” for attackers.

“They represent an easy, well-documented entry point that does not require social engineering, strong technical skills or active monitoring,” Liwer explained.

According to the executive, keeping up with known vulnerabilities across all assets can be daunting, but organizations must pay more attention to updates.

“There is no easy fix. Vulnerability management must be an integral part of any cybersecurity program, as tedious and laborious as it may be,” Liwer added.

As far as CVE-2019-18935 is concerned, CISA said entities using Progress Telerik software should implement a patch management solution to ensure compliance with the latest security patches. 

They should also validate the output from patch management and vulnerability scanning against running services to check for any discrepancies, and limit service accounts to the minimum permissions necessary.

The CISA advisory comes weeks after SentinelOne disclosed information related to new malware loaders based on the .NET development platform.

What’s hot on Infosecurity Magazine?