Environment
- Carbon Black Cloud: All Supported Versions
Symptoms
Detection and Protection against Telerik UI Remote Code Execution Vulnerability
Cause
Common Vulnerabilities and Exposures (CVEs): CVE-2019-18935 (insecure .NET deserialization in the RadAsyncUpload handler leading to remote code execution), CVE-2014-2217 (directory traversal in RadAsyncUpload), CVE-2017-11317 (weak encryption keys in RadAsyncUpload allowing arbitrary file upload). All three affect Telerik UI for ASP.NET AJAX.
Resolution
- The most reliable detection comes from the behavior of the payload after exploitation rather than from the exploit request itself.
- Webshell watchlists are focused on MS Exchange; it is difficult to generalize them to every web application that may be exposed, many of which are custom built.
- In Telerik's case specifically, because it is a UI development library that can be embedded in any ASP.NET application, it is difficult to write EDR behavioral detections for a CVE that account for every way the library could be used.
- Using the Exchange webshell queries as a starting point, writing and tuning local, site-specific rules is required:
Example: an ASP.NET worker process [1] writing files, or executing new processes or interpreters, that are abnormal for that environment.
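The following is an added example of the site-specific behavioral rule described above, written for this article; it is not Carbon Black Cloud's own detection logic and does not use its query syntax. The event field names (process_name, child_name, path, cmdline), the baseline sets of worker processes and interpreters, and the sample events are all constructed assumptions to be replaced with the fields and baseline of your own environment. It shows the two behaviors from the example bullet (a web worker spawning a process, and a web worker writing a server-side script into the web root) and how an allow-list tunes out a known-benign child such as the ASP.NET compiler.

```python
"""Behavioral detection for a web-app RCE payload: an IIS/ASP.NET worker
process that spawns a child abnormal for the site, or that writes a server-side
script into the web root.  Added example; field names, baselines and sample
events are constructed assumptions, not Carbon Black Cloud data or logic."""
from dataclasses import dataclass, field

# Assumed baseline for a Windows IIS host; tune per site.
WEB_WORKERS = {"w3wp.exe"}                        # IIS worker process
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
                "wscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".config")
WEBROOT = "c:\\inetpub\\wwwroot\\"


@dataclass
class SiteRule:
    """Site-specific tuning: child processes and write locations the
    application legitimately uses (an assumed allow-list shape)."""
    allowed_children: set = field(default_factory=set)
    allowed_write_prefixes: tuple = ()


def evaluate(events, rule):
    """Return one alert dict per event that matches the abnormal behavior."""
    alerts = []
    allowed_prefixes = tuple(p.lower() for p in rule.allowed_write_prefixes)
    for ev in events:
        if ev["process_name"].lower() not in WEB_WORKERS:
            continue                                   # only web worker activity
        if ev["type"] == "childproc":
            child = ev["child_name"].lower()
            if child in rule.allowed_children:
                continue                               # tuned out for this site
            alerts.append({
                "rule": "webworker_spawns_process",
                # any unexpected child is notable; a shell/interpreter is high
                "severity": "high" if child in INTERPRETERS else "medium",
                "detail": f'{ev["process_name"]} -> {ev["cmdline"]}',
            })
        elif ev["type"] == "filemod":
            path = ev["path"].lower()
            if path.startswith(allowed_prefixes):
                continue                               # known-benign write path
            if path.startswith(WEBROOT) and path.endswith(SCRIPT_EXTS):
                alerts.append({
                    "rule": "webworker_writes_script",
                    "severity": "high",
                    "detail": f'{ev["process_name"]} wrote {ev["path"]}',
                })
    return alerts


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    # ASP.NET dynamic compilation: benign, but abnormal until tuned in
    {"type": "childproc", "process_name": "w3wp.exe", "child_name": "csc.exe",
     "cmdline": "csc.exe /t:library /out:App_Web_x.dll App_Web_x.cs"},
    # temp upload file, not a script: no alert
    {"type": "filemod", "process_name": "w3wp.exe",
     "path": "C:\\inetpub\\wwwroot\\App_Data\\upload.tmp"},
    # webshell dropped into the web root: alert
    {"type": "filemod", "process_name": "w3wp.exe",
     "path": "C:\\inetpub\\wwwroot\\shell.aspx"},
    # worker spawning a shell: alert
    {"type": "childproc", "process_name": "w3wp.exe", "child_name": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    # not a web worker: ignored by this rule
    {"type": "childproc", "process_name": "explorer.exe", "child_name": "cmd.exe",
     "cmdline": "cmd.exe"},
]


def untuned():
    """Rule with no site-specific allow-list: csc.exe also fires (medium)."""
    return evaluate(SAMPLE_EVENTS, SiteRule())


def tuned():
    """Rule tuned for a site whose app compiles pages at runtime."""
    return evaluate(SAMPLE_EVENTS, SiteRule(allowed_children={"csc.exe"}))


if __name__ == "__main__":
    for alert in tuned():
        print(alert)
```

Run untuned first against a few days of real telemetry and move every recurring benign child or write path into SiteRule; what remains is the site-specific rule the bullet above asks for.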
Additional Notes
Related Content