June 4, 2024 at 08:39AM
A critical vulnerability (CVE-2024-4358, CVSS 9.8) in Progress Software’s Telerik Report Server allows remote attackers to bypass authentication by creating an administrator user. Once authenticated, an attacker can chain a deserialization flaw (CVE-2024-1800) to achieve remote code execution. Progress addressed both vulnerabilities in version 2024 Q1 (10.0.24.305). Users should update promptly to prevent exploitation.
Based on the meeting notes, the key takeaways are:
1. A critical-severity vulnerability (CVE-2024-4358) in Progress Software’s Telerik Report Server allowed remote attackers to bypass authentication and create an administrator user.
2. The vulnerability was due to a flaw in the implementation of the Register method, which remained reachable without authentication even after the server’s initial setup process had been completed. This allowed an attacker to create a user account with the ‘System Administrator’ role and log in remotely.
3. Once authentication was bypassed, an attacker could exploit an insecure deserialization issue (CVE-2024-1800) in the Telerik Report Server to achieve remote code execution (RCE).
4. Progress Software released updates in Telerik Report Server version 2024 Q1 (10.0.24.305) to address the authentication bypass vulnerability (CVE-2024-4358) and the deserialization flaw (CVE-2024-1800). The company stated that it has not received reports of the flaw being exploited in attacks.
5. Users are advised to update their instances at the earliest, as Sina Kheirkhah has published a technical writeup of the bug along with proof-of-concept (PoC) code targeting it.
Additionally, it is noted that Progress Software’s CVSS score for the deserialization flaw (CVE-2024-1800) was assessed incorrectly: ZDI’s advisory pointed out that successful exploitation requires authentication, which yields a different CVSS score.
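The bug class behind item 2 (a first-run registration endpoint that keeps accepting requests after setup is complete) and the mitigation in item 4 (being at or above the fixed build) can be illustrated with a small model. The following is an added example written for this page; it is not Telerik Report Server code, and the `Server`, `Request`, `register_*`, `unexpected_admins` and `is_patched` names, along with the sample older version string, are constructed for illustration.

```python
"""Model of a setup-time registration gate: the vulnerable shape beside the
hardened shape, plus two defender-side checks (unexpected admin accounts and
a version comparison against the fixed build named in the advisory).

Constructed example; not the vendor's implementation."""
from dataclasses import dataclass, field

SYSTEM_ADMIN = "System Administrator"
# Fixed build for CVE-2024-4358 / CVE-2024-1800 per the advisory (2024 Q1).
FIXED_VERSION = "10.0.24.305"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request to the registration endpoint."""
    authenticated: bool
    is_admin: bool = False
    username: str = ""
    role: str = "User"


@dataclass
class Server:
    """Server state: whether first-run setup has finished, and the user table."""
    setup_completed: bool = False
    users: dict = field(default_factory=dict)


def register_vulnerable(server: Server, req: Request) -> bool:
    """Vulnerable shape: the endpoint never consults setup_completed, so an
    unauthenticated caller can create any account (including an admin) at any time."""
    server.users[req.username] = req.role
    return True


def register_hardened(server: Server, req: Request) -> bool:
    """Hardened shape: unauthenticated registration is only valid before setup
    completes, and completing it closes the window; afterwards only an
    authenticated administrator may create accounts."""
    if not server.setup_completed:
        server.users[req.username] = req.role
        server.setup_completed = True  # one-shot: the setup path is now closed
        return True
    if req.authenticated and req.is_admin:
        server.users[req.username] = req.role
        return True
    return False  # post-setup, unauthenticated registration is rejected


def unexpected_admins(server: Server, expected: set) -> set:
    """Detection check: administrator accounts not in a known-good baseline."""
    return {u for u, r in server.users.items() if r == SYSTEM_ADMIN} - set(expected)


def version_tuple(version: str) -> tuple:
    """Parse a dotted numeric version such as '10.0.24.305' for ordered comparison."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(installed: str) -> bool:
    """True when the installed build is at or above the fixed build."""
    return version_tuple(installed) >= version_tuple(FIXED_VERSION)


if __name__ == "__main__":
    # Constructed scenario: setup already finished, one legitimate admin exists.
    attack = Request(authenticated=False, username="attacker", role=SYSTEM_ADMIN)
    weak = Server(setup_completed=True, users={"admin": SYSTEM_ADMIN})
    register_vulnerable(weak, attack)
    print("vulnerable server unexpected admins:", unexpected_admins(weak, {"admin"}))
    strong = Server(setup_completed=True, users={"admin": SYSTEM_ADMIN})
    print("hardened server accepted attacker:", register_hardened(strong, attack))
    print("10.0.23.1 patched?", is_patched("10.0.23.1"))  # constructed older version
```

The `unexpected_admins` baseline check is the kind of post-incident review an operator would run after patching: an account in the System Administrator role that nobody provisioned is the observable artifact of the bypass described above.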