
CISA Warns of Progress Telerik Vulnerability Exploitation

CISA urges federal agencies to apply mitigations for an exploited Progress Telerik vulnerability as soon as possible.

The US cybersecurity agency CISA on Thursday warned federal agencies of the ongoing exploitation of a recently patched authentication bypass vulnerability in Progress Software’s Telerik Report Server.

Disclosed in late May and tracked as CVE-2024-4358 (CVSS score of 9.8), the issue affects version 2024 Q1 (10.0.24.305) and earlier iterations of the reporting tool. It exists because the server does not properly validate the state of the current installation setup, so requests that belong to the initial setup are still accepted once that setup has been completed.

Successful exploitation of the bug allows an attacker to supply specific parameters and create a new administrator user, which they can then use to log in to the server.

Essentially, the issue allows an attacker to manipulate authentication tokens and impersonate legitimate users without having to provide valid credentials, Vulcan Cyber notes.

This allows an unauthenticated attacker to connect to a vulnerable server even after the setup process has been completed and an administrator account has been created.
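The bug class described above, an initial-setup step that never checks whether setup already happened, as an added illustration in Python. This is not Telerik Report Server code: the `ServerState` object, the handler names and the request dictionaries are assumptions made for the example, and the password hashing is included only so the stand-in login is not a plaintext comparison.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class ServerState:
    """Stand-in for the server's persistent state (constructed for the example)."""
    users: Dict[str, dict] = field(default_factory=dict)
    setup_completed: bool = False


class SetupAlreadyCompleted(Exception):
    """Raised by the hardened handler when a setup request arrives post-install."""


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the stand-in honest; a real deployment tunes the iteration count.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _store_admin(state: ServerState, username: str, password: str) -> None:
    salt = os.urandom(16)
    state.users[username] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "role": "administrator",
    }
    state.setup_completed = True


def register_admin_vulnerable(state: ServerState, request: dict) -> None:
    """Vulnerable pattern: trusts the request and ignores server-side state.

    Nothing checks whether setup already ran, so anyone who can reach the
    endpoint can add an administrator at any time after installation.
    """
    _store_admin(state, request["username"], request["password"])


def register_admin_fixed(state: ServerState, request: dict) -> None:
    """Hardened pattern: setup is a one-shot operation.

    The decision is made on state the server controls (completion flag and
    existing administrators), never on anything the client sends.
    """
    if state.setup_completed or any(
        u["role"] == "administrator" for u in state.users.values()
    ):
        raise SetupAlreadyCompleted("initial setup has already been completed")
    _store_admin(state, request["username"], request["password"])


def login(state: ServerState, username: str, password: str) -> bool:
    user = state.users.get(username)
    if user is None:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def attacker_gets_admin(handler: Callable[[ServerState, dict], None]) -> bool:
    """Replay the setup step after a legitimate install; True if the attacker
    ends up with a working administrator login."""
    state = ServerState()
    # Legitimate first-run setup (constructed credentials).
    handler(state, {"username": "legit-admin", "password": "correct horse battery"})
    assert login(state, "legit-admin", "correct horse battery")
    # Unauthenticated replay of the same step once setup is done.
    try:
        handler(state, {"username": "attacker", "password": "pwned"})
    except SetupAlreadyCompleted:
        return False
    return login(state, "attacker", "pwned")


if __name__ == "__main__":
    print("vulnerable handler, attacker is admin:", attacker_gets_admin(register_admin_vulnerable))
    print("fixed handler, attacker is admin:     ", attacker_gets_admin(register_admin_fixed))
```

The fix is deliberately boring: the gate lives entirely in server-side state, and it runs before any user record is written. A check that only looks at parameters supplied by the client (a "setup" flag in the request, say) would be bypassed just as easily as having no check at all.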

The vulnerability, security researchers warned, could be chained with other issues in the Report Server, such as CVE-2024-1800, an insecure deserialization bug, to achieve remote code execution.

“The Username datastore option can be used to authenticate with an existing account to prevent the creation of a new one. The deserialization flaw works by uploading a specially crafted report that when loaded will execute an OS command as NT Authority\System,” a post on Packet Storm explains.

Progress Software patched the security defect in Telerik Report Server version 2024 Q2 (10.1.24.514), which was released on May 30.


Proof-of-concept (PoC) exploits and technical details on CVE-2024-4358 emerged only days after the public disclosure, and the first exploitation attempts were seen less than a week later.

Data from the Shadowserver Foundation shows that, on June 13, there were roughly 40 vulnerable Progress Telerik Report Server instances exposed to the internet, less than half of the 89 observed a week earlier.

On Thursday, CISA added CVE-2024-4358 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to identify any vulnerable instances in their environments and apply the recommended mitigations.
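A small triage helper for the "identify any vulnerable instances" step, added here as an example and not part of CISA's or Progress Software's guidance. It takes the two build numbers the advisory names (last affected 10.0.24.305, first fixed 10.1.24.514) and flags an inventory row as vulnerable when its build is below the fixed one; treating any intermediate or short-form build as vulnerable is a conservative assumption of this example, and the inventory rows are constructed.

```python
import re
from typing import Dict, List, Tuple

AFFECTED_MAX = "10.0.24.305"  # 2024 Q1, last affected build named in the advisory
FIXED_MIN = "10.1.24.514"     # 2024 Q2, first fixed build (released May 30)


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull a dotted build number out of strings like "10.1.24.514" or
    "2024 Q2 (10.1.24.514)" and return it as a tuple of ints.

    Tuples compare numerically, so "9.2.23.1010" sorts below "10.0.24.305";
    a plain string compare would get that wrong.
    """
    match = re.search(r"\b(\d+(?:\.\d+){1,3})\b", text)
    if not match:
        raise ValueError(f"no build number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the build is older than the first fixed release.

    A short form such as "10.1" compares below (10, 1, 24, 514) and is
    therefore reported as vulnerable until a full build number is known.
    """
    return parse_version(version) < parse_version(FIXED_MIN)


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split (host, version-string) rows into vulnerable / patched / unknown."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unknown"  # cannot parse a build number; needs a manual look
        result[bucket].append(host)
    return result


# Constructed inventory, as an asset-management export might provide it.
SAMPLE_INVENTORY = [
    ("reports-01.corp.example", "10.0.24.305"),
    ("reports-02.corp.example", "2024 Q2 (10.1.24.514)"),
    ("reports-03.corp.example", "9.2.23.1010"),
    ("reports-04.corp.example", "10.1.24.709"),
    ("reports-05.corp.example", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Hosts landing in "unknown" are not safe to ignore: a build that cannot be read from the inventory is exactly the kind of instance that stays exposed while everyone assumes someone else patched it.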

Per Binding Operational Directive (BOD) 22-01, federal agencies need to address the issue within three weeks. The same action is required for a Google Pixel flaw (CVE-2024-32896) and a Microsoft Windows bug (CVE-2024-26169), both added to CISA’s KEV list on Thursday.

While BOD 22-01 only applies to federal agencies, all organizations are advised to identify the flagged weaknesses in their networks and take the recommended remediation steps as soon as possible.

Related: CISA Warns of Attacks Exploiting Old Oracle WebLogic Vulnerability

Related: Exploited Building Access System Vulnerability Patched 5 Years After Disclosure

Related: CISA Rolls Out New Guidelines to Mitigate AI Risks to US Critical Infrastructure

Related: CISA Says SLP Vulnerability Allowing Amplified DoS Attacks Exploited in the Wild

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
