Carbon Black Cloud: Detection and Protection against Telerik UI Remote Code Execution Vulnerabilities

Environment

  • Carbon Black Cloud: All Supported Versions

Symptoms

Detection and Protection against Telerik UI Remote Code Execution Vulnerability

Cause

Common vulnerabilities and exposures (CVEs): CVE-2019-18935, CVE-2014-2217, CVE-2017-11317.

Resolution

  • The best detection here would come from payload behavior.
  • Webshell watchlists are focused on MS Exchange; it is difficult to generalize these to all potential web apps, which may be custom built.
  • In Telerik's case specifically, since it is a UI development library, it will be difficult to write detections against a CVE that consider all potential ways in which it could be used, using EDR behavioral data.
  • Starting from the Exchange webshell queries, writing and tuning local site-specific rules would be required.
Example: an ASP process [1] writing files or executing new processes or interpreters that are abnormal for that environment.
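A constructed illustration of such a site-specific rule, applied to sample EDR events (added example; not Carbon Black's own code or query syntax; it assumes the web application runs under IIS's w3wp.exe worker, which the article does not name, and that process and file-write events are available as plain dicts):

```python
"""Site-specific behavioural check for an ASP.NET worker process (added
example, not Carbon Black's own code or query syntax). Assumes the web app
runs under IIS's w3wp.exe; the article only says "an ASP process"."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Baseline:
    """What the worker normally does at this site; tune per environment."""
    worker: str = "w3wp.exe"
    # Constructed values: normal children and expected write locations.
    allowed_children: set = field(default_factory=lambda: {"csc.exe", "conhost.exe"})
    allowed_write_dirs: tuple = ("c:\\inetpub\\temp\\", "c:\\windows\\temp\\")
    # Script hosts a web worker should essentially never launch.
    interpreters: set = field(default_factory=lambda: {
        "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"})

def evaluate(event: dict, baseline: Baseline) -> Optional[str]:
    """Return a finding for one EDR event, or None if it fits the baseline."""
    kind = event.get("type")
    if kind == "process" and event.get("parent_name", "").lower() == baseline.worker:
        child = event["process_name"].lower()
        if child in baseline.interpreters:
            return f"worker spawned interpreter: {child}"
        if child not in baseline.allowed_children:
            return f"worker spawned process outside baseline: {child}"
    elif kind == "filemod" and event.get("process_name", "").lower() == baseline.worker:
        path = event["path"].lower()
        if path.endswith((".aspx", ".ashx", ".asmx")):
            return f"worker wrote server-side script: {path}"
        if not path.startswith(baseline.allowed_write_dirs):
            return f"worker wrote outside baseline directories: {path}"
    return None

def run(events: list, baseline: Optional[Baseline] = None) -> list:
    """Apply the baseline to a batch of events and collect the findings."""
    baseline = baseline or Baseline()
    return [f for f in (evaluate(e, baseline) for e in events) if f]

# Constructed sample events: a normal ASP.NET compile, a normal temp-file
# write, a non-worker cmd.exe, then two events that should be flagged.
SAMPLE_EVENTS = [
    {"type": "process", "parent_name": "w3wp.exe", "process_name": "csc.exe"},
    {"type": "filemod", "process_name": "w3wp.exe", "path": "C:\\Windows\\Temp\\a1.tmp"},
    {"type": "process", "parent_name": "explorer.exe", "process_name": "cmd.exe"},
    {"type": "process", "parent_name": "w3wp.exe", "process_name": "cmd.exe"},
    {"type": "filemod", "process_name": "w3wp.exe", "path": "C:\\inetpub\\wwwroot\\x.aspx"},
]
```

Only the two abnormal events produce findings; the baseline sets are where local tuning happens, so a site whose application legitimately spawns other helpers adds them to `allowed_children` rather than loosening the interpreter check.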

Creation Date: 06-19-2021