Telerik Report Server Flaw Could Let Attackers Create Rogue Admin Accounts

Telerik Report Server Flaw Could Let Attackers Create Rogue Admin Accounts

June 4, 2024 at 11:07AM

Progress Software has released updates to address a critical security flaw in Telerik Report Server, allowing potential bypass of authentication and creation of rogue administrator users. Tracked as CVE-2024-4358, the flaw carries a high CVSS score of 9.8. Users are urged to update to version 2024 Q2 and review user lists for unauthorized additions. Temporary workarounds are also suggested.

Based on the meeting notes, the following key takeaways can be generated:

1. Progress Software has released updates to address a critical security flaw (CVE-2024-4358) in Telerik Report Server, which could be exploited by remote attackers to bypass authentication and create rogue administrator users. This vulnerability has a CVSS score of 9.8 out of 10.

2. The security flaw present in versions earlier than Report Server 2024 Q1 (10.0.24.305) on IIS allows unauthenticated attackers to access restricted functionalities. The issue has been addressed in Report Server 2024 Q2 (10.1.24.514), and customers are urged to update to the latest version.

3. Sina Kheirkhah of Summoning Team is credited with discovering and reporting the vulnerability, which is described as a “very simple” bug exploitable by remote unauthenticated attackers to create an administrator user and login.

4. Progress Software recommends that customers review their Report Server’s users list for any new Local users that may have been added without their knowledge.

5. Until the patches can be applied, users are advised to implement a URL Rewrite mitigation technique to remove the attack surface in the Internet Information Services (IIS) server as a temporary workaround.

6. A previous high-severity vulnerability (CVE-2024-1800, CVSS score: 8.8) impacting the Telerik Report Server required an authenticated remote attacker to execute arbitrary code on affected installations. Combining CVE-2024-4358 and CVE-2024-1800 into an exploit chain could allow attackers to sidestep authentication and execute arbitrary code with elevated privileges.

7. It is critical for users to update to the latest version of Telerik Report Server to mitigate potential threats, especially considering past instances of threat actors exploiting vulnerabilities in Telerik servers.

Please let me know if there’s anything else you need assistance with.

Full Article