Blue Mockingbird Vulnerability Picks up Steam—Telerik Guidance

The Blue Mockingbird malware attack, which is compromising the security of many web applications, including Microsoft Information Services, SharePoint and Citrix, is also targeting old Telerik UI vulnerabilities that have already been fixed.

The attack often uses the known vulnerabilities CVE-2017-11317 and CVE-2019-18935 to upload and execute the malicious software to versions that have not been upgraded to the latest version of the Telerik UI for ASP.NET AJAX (also known as RadControls for ASP.NET AJAX).

Both of the vulnerabilities are already fixed, and, when they were found, Progress notified all of our active and inactive customers with instructions and mitigation steps so they could secure their apps. See the following blog posts:

• First 5 Tips for Building Secure (Web) Apps
• Security Alert for Telerik UI for ASP.NET AJAX and Progress Sitefinity

Am I Vulnerable?

You can see whether your app is vulnerable by opening its web.config and looking for the type="Telerik.Web.UI.WebResource" handler.

If you have either of the handlers below registered (make sure to look for the type attribute), you are using the Telerik UI for ASP.NET AJAX (Telerik.Web.UI.dll) suite and your app might be vulnerable to CVE-2017-11317 and/or CVE-2019-18935, and you should keep reading.

  <system.web>
    <httpHandlers>
      <add path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" validate="false"/>
    </httpHandlers>
  </system.web>

  <system.webServer>
    <handlers>
      <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" preCondition="integratedMode"/>
    </handlers>
  </system.webServer>

How to Prevent the Vulnerability?

To make sure you are not vulnerable we recommend that you upgrade to R1 2020 or later, as shown in the diagram below:

You can find more information in the following dedicated articles:

• CVE-2019-18935 - Allows JavaScriptSerializer Deserialization
• CVE-2017-11317 - Unrestricted File Upload

Which Telerik Version am I Using?

There are three easy ways to check the version of the Telerik.Web.UI.dll assembly, which is the main file of the Telerik ASP.NET AJAX suite:

• For ASP.NET WebApplication types of projects, open the csproj file and search for “Telerik.Web.UI” - the path in the HintPath will show you the location of the Telerik.Web.UI.dll file
  

  <Reference Include="Telerik.Web.UI">
            <HintPath>\bin\Telerik.Web.UI.dll</HintPath>
           …
         </Reference>

  Once you have the path from the HintPath, navigate to the Telerik.Web.UI.dll in Windows Explorer, right click, choose Properties -> Description tab and find out the version in the File Version row:

   
  
  

• For ASP.NET WebSite types of projects, go to the bin folder of the web project and right click on the Telerik.Web.UI.dll -> Properties -> Description -> see the version in the File version line.
• Inspect the version in the GAC as explained in the Referencing Assemblies from the GAC article

Feedback and Questions

If you have any questions you can reach out the Telerik support via the public Telerik ASP.NET AJAX forum, by opening a General Feedback ticket or via the support ticketing system (for everyone with an active subscription).