The US Cybersecurity and Infrastructure Security Agency (CISA) has released information about a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik UI for ASP.NET AJAX.
CISA explained its findings in Wednesday’s advisory, which said that multiple cyber threat actors exploited the flaw on a Federal Civilian Executive Branch (FCEB) agency’s Microsoft Internet Information Services (IIS) web server between November 2022 and January 2023.
If successfully exploited, the vulnerability allows remote code execution (RCE). The flaw is rated Critical and carries a CVSS v3.1 score of 9.8.
“The agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, but it was unable to detect the vulnerability because the Telerik UI software was installed in a file path it would not normally scan,” reads the CISA advisory. “This can be true for many software installations, as file paths vary greatly between organizations and installation methods.”
Commenting on the news, Dror Liwer, co-founder of cybersecurity firm Coro, said such vulnerabilities are “an easy win” for attackers.
“These are easy, well-documented entry points that don’t require social engineering, strong technical skills, or active oversight,” explains Liwer.
Keeping up with known vulnerabilities across all assets can be difficult, the executive acknowledged, but organizations need to pay more attention to updates.
“There are no easy fixes. Vulnerability management, no matter how tedious and arduous, should be an integral part of your cybersecurity program,” added Liwer.
As far as CVE-2019-18935 is concerned, CISA states that entities using Progress Telerik software should implement a patch management solution to ensure they are running the latest security patches.
The agency also recommends validating the output of patch management and vulnerability scans against the services actually running on each host, to catch discrepancies such as installations outside the scanned paths, and restricting service accounts to the minimum permissions required.
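The detection gap CISA describes above (a Telerik UI install outside the paths the scanner checks) and the recommended reconciliation of scan output against what is really deployed can be reduced to a small inventory script. The following is an added example, not code from the CISA advisory or from Progress: it walks an entire directory tree for Telerik.Web.UI.dll rather than trusting default web roots, compares each copy’s version against the R1 2020 (2020.1.114) release that fixed CVE-2019-18935, and flags installs that the scanner’s configured roots would never have visited. The host layout, site names and version strings are constructed; the fake DLLs store their version as plain text as a stand-in for the PE file version you would read on a real Windows host.

```python
import os
import tempfile

# Telerik UI for ASP.NET AJAX uses YYYY.Q.BUILD version numbers. CVE-2019-18935 is
# fixed in R1 2020 (2020.1.114), so any earlier release is treated as vulnerable.
FIXED_VERSION = (2020, 1, 114)
DLL_NAME = "telerik.web.ui.dll"


def parse_version(version):
    """Turn '2019.3.1023' (or the four-part '2019.3.1023.45') into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected Telerik version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def is_vulnerable(version):
    return parse_version(version) < FIXED_VERSION


def read_version(dll_path):
    """Constructed stand-in: the fake DLLs built below hold their version as text.
    On a real host read the assembly's FileVersion from the PE VERSIONINFO resource."""
    with open(dll_path, encoding="ascii") as fh:
        return fh.read().strip()


def find_telerik_dlls(root):
    """Walk the whole tree under root; the point is not to trust default web-root paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == DLL_NAME:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def is_covered(path, scanned_roots):
    """True if path sits under one of the directories the scanner is configured to check."""
    return any(os.path.commonpath([path, r]) == r for r in scanned_roots)


def reconcile(root, scanned_roots):
    """One record per Telerik installation: version, vulnerability status, and whether
    the vulnerability scanner's configured paths would have covered it."""
    scanned = [os.path.abspath(r) for r in scanned_roots]
    report = []
    for dll in find_telerik_dlls(root):
        version = read_version(dll)
        report.append({
            "path": dll,
            "version": version,
            "vulnerable": is_vulnerable(version),
            "scanner_covered": is_covered(os.path.abspath(dll), scanned),
        })
    return report


def missed_vulnerable(report):
    """The discrepancy CISA describes: vulnerable installs the scanner never looked at."""
    return [r for r in report if r["vulnerable"] and not r["scanner_covered"]]


def build_demo_tree(base):
    """Constructed sample host: a patched site under the default web root and a
    vulnerable app deployed to a non-standard directory (hypothetical names)."""
    layout = {
        os.path.join("inetpub", "wwwroot", "Intranet", "bin"): "2020.3.915.45",
        os.path.join("Apps", "Portal", "bin"): "2019.3.1023.45",
    }
    for rel, version in layout.items():
        d = os.path.join(base, rel)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "Telerik.Web.UI.dll"), "w", encoding="ascii") as fh:
            fh.write(version)
    return base


def run_demo():
    """Build the sample host, scan with only the default web root configured, and
    return (full report, vulnerable installs the scanner missed)."""
    base = build_demo_tree(tempfile.mkdtemp())
    scanned = [os.path.join(base, "inetpub", "wwwroot")]
    report = reconcile(base, scanned)
    return report, missed_vulnerable(report)


if __name__ == "__main__":
    full, missed = run_demo()
    for rec in full:
        print(rec)
    print("vulnerable and outside scanner coverage:", [r["path"] for r in missed])
```

Run against a real server you would replace read_version with a PE version reader and feed scanned_roots from the scanner’s own configuration export; the reconciliation logic stays the same, and anything that lands in missed_vulnerable is exactly the case the advisory warns about.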
The CISA advisory comes several weeks after SentinelOne disclosed details of a new malware loader built on the .NET development platform.