Local Code Execution Vulnerability
Description
Product Alert – May 2024 - CVE-2024-3892
- Telerik UI for WinForms v2021.1.122 to v2024.1.312
Issue
CWE-94: Improper Control of Generation of Code ('Code Injection')
In Telerik UI for WinForms versions v2021.1.122 to v2024.1.312, it is possible to manipulate the application configuration to register a specially crafted external assembly as a theme.
What are the Impacts
This can allow a preexisting local threat actor to execute local code at the same permission level as the application the next time the application is launched.
Solution
We have addressed the vulnerability and the Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.
Version | Guidance |
---|---|
Earlier than 2021.1.122 | Not Affected |
2021.1.122 to 2024.1.312 | Update to v2024.2.514 (see the Update Instructions) |
2024.2.514 or later | Not Affected |
To confirm your current version of UI for WinForms, check the version of the Telerik.WinControls.dll the project is referencing. All customers who have a UI for WinForms license can access the downloads under Product Download in Your Account.
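As an added illustration of the version check described above (not Progress/Telerik code), the following Python reads a project file, finds its Telerik.WinControls reference and maps the referenced version onto the guidance table in this advisory; the .csproj content and the version in it are constructed samples.

```python
# Added example (not Progress/Telerik code): classify a project's Telerik.WinControls
# reference against the affected range in this advisory. The csproj below is constructed.
import re
import xml.etree.ElementTree as ET

AFFECTED_MIN = (2021, 1, 122)   # first affected build, per the advisory table
AFFECTED_MAX = (2024, 1, 312)   # last affected build
FIXED = "2024.2.514"            # upgrade target

MSBUILD_NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"

def parse_version(text: str) -> tuple:
    """'v2023.1.117.0' -> (2023, 1, 117); a 4th (revision) component is ignored."""
    nums = [int(p) for p in text.strip().lstrip("v").split(".") if p.isdigit()]
    if len(nums) < 3:
        raise ValueError(f"unrecognised Telerik version: {text!r}")
    return tuple(nums[:3])

def guidance(version: str) -> str:
    """Reproduce the advisory's guidance table for one version string."""
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return f"Affected (CVE-2024-3892): update to v{FIXED}"
    return "Not Affected"

def wincontrols_references(csproj_xml: str) -> list:
    """Return [(assembly_name, version_or_None), ...] for Telerik.WinControls
    <Reference> items in both legacy (namespaced) and SDK-style csproj files."""
    found = []
    for elem in ET.fromstring(csproj_xml).iter():
        if elem.tag.replace(MSBUILD_NS, "") != "Reference":
            continue
        name, _, attrs = elem.get("Include", "").partition(",")
        if name.strip() != "Telerik.WinControls":
            continue
        m = re.search(r"Version=([\d.]+)", attrs)
        found.append((name.strip(), m.group(1) if m else None))
    return found

def audit_csproj(csproj_xml: str) -> list:
    """[(version, verdict)]; a None version means the DLL's file version must be inspected."""
    return [(ver, guidance(ver) if ver else "Version not in csproj; check Telerik.WinControls.dll")
            for _, ver in wincontrols_references(csproj_xml)]

SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Reference Include="Telerik.WinControls, Version=2023.1.117.0, Culture=neutral" />
    <Reference Include="System.Windows.Forms" />
  </ItemGroup>
</Project>"""  # constructed sample project file

if __name__ == "__main__":
    for ver, verdict in audit_csproj(SAMPLE_CSPROJ):
        print(ver, "->", verdict)
```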
Notes
- The threat actor must already have access to the local system; this is not a remote code execution vulnerability.
- The arbitrary code in the custom precompiled assembly can only be executed at the same privilege as the application.
- Modifying a running application’s configuration has no effect; the configuration must be altered before the application is launched.
If you have any questions or concerns related to this issue, open a new Technical Support case via the Support Center in Your Account. Technical Support is available to Telerik customers with an active support plan.
External References
CVE-2024-3892 (HIGH)
CVSS: 7.2
A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. This vulnerability could allow an untrusted theme assembly to execute arbitrary code on the local Windows system.