Carbon Black Cloud: Detection and Protection against Telerik UI Remote Code Execution Vulnerabilities



Article ID: 292616


Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Detection and Protection against Telerik UI Remote Code Execution Vulnerability

Environment

  • Carbon Black Cloud: All Supported Versions

Cause

Common vulnerabilities and exposures (CVEs): CVE-2019-18935, CVE-2014-2217, CVE-2017-11317.

Resolution

  • The best detection here would come from payload behavior.
  • Webshell watchlists are focused on MS Exchange; it is difficult to generalize these to all potential web apps, which may be custom built.
  • In Telerik’s case specifically, since it’s a UI development library, it will be difficult to write detections against a CVE that considers all potential ways in which it could be used, using EDR behavioral data.
  • Writing and tuning local, site-specific rules modeled on the Exchange webshell queries would be required:
Example: An ASP.NET process [1] writing files, or executing new processes or interpreters, that are abnormal for that environment.
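The site-specific rule sketched above, as an added example that is not part of this article or of Carbon Black Cloud: it evaluates constructed process-spawn and file-write events from an ASP.NET worker (w3wp.exe) and flags interpreters spawned by the worker or script files written into the web root, with a per-environment allowlist for the children the worker legitimately starts. The event format, process names and allowlist contents are assumptions to be tuned for each environment.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ASPNET_PROCESSES = {"w3wp.exe", "aspnet_wp.exe"}      # IIS / classic ASP.NET worker processes
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "certutil.exe"}
WEB_SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")
# Site-specific allowlist of children the worker legitimately spawns; tune per environment.
# csc.exe/cvtres.exe appear during normal ASP.NET dynamic compilation (assumed baseline).
ALLOWED_CHILDREN = {"csc.exe", "cvtres.exe"}

@dataclass
class Event:
    kind: str     # "childproc" (process spawn) or "filemod" (file write); assumed schema
    process: str  # image name of the acting process
    target: str   # child image name, or path of the written file

def evaluate(event: Event) -> Optional[str]:
    """Return an alert label if the event is abnormal for an ASP.NET worker, else None."""
    if event.process.lower() not in ASPNET_PROCESSES:
        return None
    target = event.target.lower()
    if event.kind == "childproc":
        if target in ALLOWED_CHILDREN:
            return None
        if target in INTERPRETERS:
            return f"aspnet_spawned_interpreter:{target}"
        return f"aspnet_spawned_unexpected_process:{target}"
    if event.kind == "filemod" and target.endswith(WEB_SCRIPT_EXTENSIONS):
        return f"aspnet_wrote_web_script:{event.target}"
    return None

# Constructed sample telemetry, not real Carbon Black Cloud records.
SAMPLE_EVENTS = [
    Event("childproc", "w3wp.exe", "csc.exe"),                              # normal compilation
    Event("childproc", "w3wp.exe", "cmd.exe"),                              # shell from worker
    Event("filemod", "w3wp.exe", r"C:\inetpub\wwwroot\App_Data\site.log"),  # ordinary log write
    Event("filemod", "w3wp.exe", r"C:\inetpub\wwwroot\upload\x.aspx"),      # script dropped in web root
    Event("childproc", "w3wp.exe", "powershell.exe"),                       # interpreter from worker
    Event("childproc", "explorer.exe", "cmd.exe"),                          # not a web worker, ignored
]

def run(events: List[Event]) -> List[Tuple[Event, str]]:
    # Apply evaluate() to an event stream and keep only the hits.
    return [(e, evaluate(e)) for e in events if evaluate(e)]

if __name__ == "__main__":
    for event, label in run(SAMPLE_EVENTS):
        print(label)
```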

Additional Information

How to find running ASP.net Processes