CVE-2017-11357
Published 2017-08-23
Priority: P1 (96) · Severity: critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2023-02-16)
Exploited in the wild
EPSS: 75.71% (99.5th percentile)
Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | telerik_ui_for_asp.net_ajax | < 2020.1.114 | 2020.1.114 |
| quest | kace_desktop_authority | >= 10.0 < 11.2 | 11.2 |
| telerik | ui_for_asp.net_ajax | 2011.1.315 – 2020.1.114 | — |
Detection & IOCs (extracted from sources)
- Look for multipart POST requests to Telerik.Web.UI.WebResource.axd with query parameter type=rau, containing a form field named 'rauPostData' — this is the encrypted payload carrier used in exploitation.
- Flag multipart POST requests to the RadAsyncUpload endpoint where the 'fileName' field value is 'RAU_crypto.bypass' — this is a specific bypass indicator used by the exploit.
- Detect multipart POST requests to Telerik.Web.UI.WebResource.axd?type=rau where 'contentType' is set to 'text/html' for an uploaded file — legitimate file uploads should not use text/html as the content type for binary uploads.
- Monitor for HTTP responses from Telerik.Web.UI.WebResource.axd that leak version strings matching the pattern '20\d{2}(.\d+)+' — version disclosure enables targeted exploitation.
- Alert on multipart POST bodies using the boundary value '68821516528156' — this hardcoded boundary string is present in the public exploit's payload construction.
- The vulnerability allows file uploads to a limited/attacker-influenced TempTargetFolder path as well as potential RCE; the upload destination is controlled via the encrypted 'TempTargetFolder' field inside rauPostData.
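As an added defensive example (not code from this page or from any of the sources it cites), the following Python scores a single HTTP request against the request-side indicators listed above and checks a response for the version-disclosure pattern, using a constructed sample request rather than any real payload. The multipart layout, the form-field name 'file' for the upload part, and escaping the dot in the version regex are assumptions.

```python
import re

# Indicator values as listed in the detection section above.
RAU_PATH = "/telerik.web.ui.webresource.axd"
BYPASS_FILENAME = "RAU_crypto.bypass"
KNOWN_BOUNDARY = "68821516528156"
VERSION_RE = re.compile(r"20\d{2}(\.\d+)+")  # page pattern, dot escaped (assumption)
_DISP_RE = re.compile(r'name="([^"]*)"(?:;\s*filename="([^"]*)")?')

def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser: field name -> {filename, content_type, data}."""
    parts = {}
    for chunk in body.split("--" + boundary)[1:]:
        if chunk.strip() in ("", "--"):
            continue  # closing delimiter
        head, _, data = chunk.lstrip("\r\n").partition("\r\n\r\n")
        hdrs = {k.strip().lower(): v.strip() for k, _, v in
                (line.partition(":") for line in head.split("\r\n"))}
        m = _DISP_RE.search(hdrs.get("content-disposition", ""))
        if m:
            parts[m.group(1)] = {"filename": m.group(2), "data": data.rstrip("\r\n"),
                                 "content_type": hdrs.get("content-type", "")}
    return parts

def rau_indicators(method: str, path: str, query: dict, content_type: str, body: str) -> list:
    """Names of the listed request-side indicators matched by one request (empty if none)."""
    if method != "POST" or not path.lower().endswith(RAU_PATH) or query.get("type") != "rau":
        return []
    m = re.search(r'boundary="?([^";]+)', content_type or "")
    if not m:
        return []
    hits, boundary = [], m.group(1)
    if boundary == KNOWN_BOUNDARY:
        hits.append("known_exploit_boundary")
    parts = parse_multipart(body, boundary)
    if "rauPostData" in parts:
        hits.append("rauPostData_present")
    for name, p in parts.items():
        # bypass marker either as an upload's filename or as a plain 'fileName' form field
        if p["filename"] == BYPASS_FILENAME or (name == "fileName" and p["data"] == BYPASS_FILENAME):
            hits.append("rau_crypto_bypass_filename")
        if p["filename"] and p["content_type"].lower().startswith("text/html"):
            hits.append("text_html_upload")
    return hits

def leaked_version(response_body: str):
    """Version string disclosed by a WebResource.axd response (response-side indicator), else None."""
    m = VERSION_RE.search(response_body)
    return m.group(0) if m else None

def sample_request() -> dict:
    b = KNOWN_BOUNDARY  # constructed request carrying every request-side indicator; no real payload
    body = ("--%s\r\nContent-Disposition: form-data; name=\"rauPostData\"\r\n\r\n<opaque>\r\n"
            "--%s\r\nContent-Disposition: form-data; name=\"file\"; filename=\"%s\"\r\n"
            "Content-Type: text/html\r\n\r\n<html></html>\r\n--%s--\r\n") % (b, b, BYPASS_FILENAME, b)
    return dict(method="POST", path="/Telerik.Web.UI.WebResource.axd", query={"type": "rau"},
                content_type="multipart/form-data; boundary=" + b, body=body)
```

Any single hit is worth a review, but the boundary value and the 'RAU_crypto.bypass' filename are the most specific of the four and should carry the highest weight in an alert rule.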
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA · GHSA-c655-3j45-33xw: Progress Telerik UI for ASP
ghsa_unreviewed · 2022-05-24 · CVSS 9.8 · CVE-2019-18935 [CRITICAL] CWE-502
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (In 2019.3.1023 but not earlier versions, a non-default setting can prevent exploitation.)
GHSA · GHSA-52hx-8455-4qwv: Progress Telerik UI for ASP
ghsa_unreviewed · 2022-05-14 · CVE-2017-11357 [CRITICAL] CWE-20
Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
GHSA · GHSA-c7j6-8r6v-p532: An issue was discovered in Quest KACE Desktop Authority before 11
ghsa_unreviewed · 2021-12-23 · CVSS 9.8 · CVE-2021-44029 [CRITICAL] CWE-502
An issue was discovered in Quest KACE Desktop Authority before 11.2. This vulnerability allows attackers to execute remote code through a deserialization exploitation in the RadAsyncUpload function of ASP.NET AJAX. An attacker can leverage this vulnerability when the encryption keys are known (due to the presence of CVE-2017-11317, CVE-2017-11357, or other means). A default setting for the type whitelisting feature in more current versions of ASP.NET AJAX prevents exploitation.
VulnCheck · Telerik UI for ASP.NET AJAX Insecure Direct Object Reference Vulnerability
vulncheck · 2017 · CVSS 9.8 · CVE-2017-11357 [CRITICAL] CWE-20
Telerik UI for ASP.NET AJAX contains an insecure direct object reference vulnerability in RadAsyncUpload that can result in file uploads in a limited location and/or remote code execution.
Affected: Progress User Interface (UI) for ASP.NET AJAX
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cisa.gov/news-events/cybersecurity-advisories/aa23-074a; https://www.cisa.gov/sites/default/files/2023-06/aa23-074a-Threat%20Actors%20Exploit%20Progress%20T
CISA · Telerik UI for ASP.NET AJAX Insecure Direct Object Reference Vulnerability
cisa · 2023-01-26 · CVSS 9.8 · CVE-2017-11357 [CRITICAL] CWE-20
Affected: Telerik User Interface (UI) for ASP.NET AJAX
Telerik UI for ASP.NET AJAX contains an insecure direct object reference vulnerability in RadAsyncUpload that can result in file uploads in a limited location and/or remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://docs.telerik.com/devtools/aspnet-ajax/knowledge-base/asyncupload-insecure-direct-object-reference; https://nvd.nist.gov/vuln/detail/CVE-2017-11357
Remediation Due Date: 2023-02-16
CISA ICS · Hitachi ABB Power Grids eSOMS Telerik
cisa_ics · 2021-03-18 · CVSS 9.8 · [CRITICAL]
## ICS Advisory: Hitachi ABB Power Grids eSOMS Telerik
Last Revised: March 18, 2021
Alert Code: ICSA-21-077-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Hitachi ABB Power Grids
- Equipment: eSOMS Telerik
- Vulnerabilities: Path Traversal, Deserialization of Untrusted Data, Improper Input Validation, Inadequate Encryption Strength, Insufficiently Protected Credentials, Path Traversal
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to upload malicious files to the server, discover se
No detection rules found.
References
- http://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/insecure-direct-object-reference
- https://www.exploit-db.com/exploits/43874/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-11357
Timeline
- 2017-08-23: Published
- 2023-01-26: Added to CISA KEV
- Exploited in the wild