A critical-severity vulnerability in Progress Software’s Telerik Report Server could allow remote attackers to bypass authentication and create an administrator user, vulnerability researcher Sina Kheirkhah explains.
Tracked as CVE-2024-4358 (CVSS score of 9.8), the bug exists because the endpoint responsible for setting up the server allows unauthenticated connections even after the setup process has been completed.
“The specific flaw exists within the implementation of the Register method. The issue results from the lack of validating the current installation step. An attacker can leverage this vulnerability to bypass authentication on the system,” a Zero Day Initiative (ZDI) advisory reads.
According to Kheirkhah, because the method is accessible without authentication, an attacker can supply specific parameters to create a user account that is assigned the ‘System Administrator’ role.
“This allows a remote unauthenticated attacker to create an administrator user and login,” Kheirkhah underlines.
Once the authentication has been bypassed, the attacker can exploit a recently addressed insecure deserialization issue in the Telerik Report Server to achieve remote code execution (RCE), the researcher explains.
Remotely exploitable, the deserialization flaw, tracked as CVE-2024-1800, was addressed in Report Server version 2024 Q1 (10.0.24.130).
“The specific flaw exists within the ObjectReader class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of System,” a ZDI advisory reads.
As Kheirkhah points out, Progress Software incorrectly assessed the bug with a CVSS score of 9.9. Because successful exploitation requires authentication, CVE-2024-1800 has a CVSS score of 8.8, as ZDI’s advisory notes.
The critical authentication bypass vulnerability (CVE-2024-4358) was resolved in Telerik Report Server version 2024 Q2 (10.1.24.514). Progress Software says it has not received reports of this flaw being exploited in attacks.
Users are advised to update their instances as soon as possible, as Kheirkhah has published a comprehensive technical writeup of the bug, as well as proof-of-concept (PoC) code targeting it.
*Updated with the correct patched version
Related: Critical Vulnerability in Progress Flowmon Allows Remote Access to Systems
Related: ‘BatBadBut’ Command Injection Vulnerability Affects Multiple Programming Languages
Related: Toward Better Patching — A New Approach with a Dose of AI
