Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Progress Patches Critical Vulnerability in Telerik Report Server

A critical vulnerability in the Progress Telerik Report Server could allow unauthenticated attackers to access restricted functionality.

A critical-severity vulnerability in Progress Software’s Telerik Report Server could allow remote attackers to bypass authentication and create an administrator user, vulnerability researcher Sina Kheirkhah explains.

Tracked as CVE-2024-4358 (CVSS score of 9.8), the bug exists because the endpoint responsible for setting up the server allows unauthenticated connections even after the setup process has been completed.

“The specific flaw exists within the implementation of the Register method. The issue results from the lack of validating the current installation step. An attacker can leverage this vulnerability to bypass authentication on the system,” a Zero Day Initiative (ZDI) advisory reads.

According to Kheirkhah, because the method is accessible without authentication, an attacker can supply specific parameters to create a user account that is assigned the ‘System Administrator’ role.

“This allows a remote unauthenticated attacker to create an administrator user and login,” Kheirkhah underlines.

Once the authentication has been bypassed, the attacker can exploit a recently addressed insecure deserialization issue in the Telerik Report Server to achieve remote code execution (RCE), the researcher explains.

Remotely exploitable, the deserialization flaw, tracked as CVE-2024-1800, was addressed in Report Server version 2024 Q1 (10.0.24.130).

“The specific flaw exists within the ObjectReader class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of System,” a ZDI advisory reads.

Advertisement. Scroll to continue reading.

As Kheirkhah points out, Progress Software incorrectly assessed the bug with a CVSS score of 9.9. Because successful exploitation requires authentication, CVE-2024-1800 has a CVSS score of 8.8, as ZDI’s advisory notes.

The critical authentication bypass vulnerability (CVE-2024-4358) was resolved in Telerik Report Server version 2024 Q2 (10.1.24.514). Progress Software says it has not received reports of this flaw being exploited in attacks.

Users are advised to update their instances as soon as possible, as Kheirkhah has published a comprehensive technical writeup of the bug, as well as proof-of-concept (PoC) code targeting it.

*Updated with the correct patched version

Related: Critical Vulnerability in Progress Flowmon Allows Remote Access to Systems

Related: ‘BatBadBut’ Command Injection Vulnerability Affects Multiple Programming Languages

Related: Toward Better Patching — A New Approach with a Dose of AI

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

Merlin Ventures has appointed cybersecurity executive Andrew Smeaton as the firm’s CISO-in-Residence.

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

More People On The Move

Expert Insights