Progress patched a critical authentication bypass flaw impacting its Telerik Report Server. The vulnerability appeared after Progress tried to address another vulnerability but an authorization bypass became possible. Users must ensure updating to the latest release to receive the fix.
PoC Shared For Progress Telerik Report Server Flaw
According to a recent post from the security researcher Sina Kheirkhah, Kheirkhah, together with another researcher Soroush Dalili, developed an exploit for a patched vulnerability in Progress Telerik Report Server.
As explained, the vulnerability, now identified as CVE-2024-4358, is basically an authentication bypass in a previously reported flaw CVE-2024-1800.
Regarding CVE-2024-1800, this vulnerability made it to the news when Progress disclosed it as a remote code execution vulnerability. According to the ZDI’s advisory, the issue appeared because of insecure deserialization, and exploiting this vulnerability required authentication.
This flaw received initially received a CVSS score of 8.8, and it affected Telerik Report Server versions prior to 2024 Q1 (10.0.24.130). Progress deployed a patch for it with Report Server 2024 Q1 (10.0.24.305), asking users to upgrade to this or later versions.
However, the two researchers devised a way to bypass this authentication restriction, eventually raising its CVSS to 9.9, and receiving a new identification, CVE-2024-4358.
Specifically, they observed a flaw in the implementation of Register method. Because of a lack of validation for the current installation setup, an unauthenticated adversary could exploit the flaw, receiving “System Administrator” privileges.
Once an adversary gains admin privileges, exploiting the deserialization issue to achieve full RCE becomes trivial.
The researcher has explained the technical details about the vulnerabilities, alongside sharing the PoC exploit, in his post.
Progress Patched The Vulnerability
Following the responsible disclosure from the researchers, Progress patched the vulnerability and shared a detailed advisory to help the users patch their systems.
As elaborated, the vulnerability affected the Report Server version 2024 Q1 (10.0.24.305), which the vendors patch with the release of Report Server 2024 Q2 (10.1.24.514). To avoid potential exploits, users must ensure updating to this, or later Report Server versions.
Nonetheless, where applying an immediate update isn’t possible, Progress recommends implementing URL rewrite technique as temporary mitigation.
In addition, they also advised users to look for any new local accounts in the Report Server users’ list via {host}/Users/Index to ensure no malicious accounts exist.
Let us know your thoughts in the comments.
