Progress Software has released updates to address a critical security flaw affecting Telerik’s Report Server, which could potentially be exploited by a remote attacker to bypass authentication and create fraudulent admin users. The vulnerability, identified as CVE-2024-4358, has a CVSS score of 9.8 out of 10.0.
According to the company, "In Progress Telerik Report Server version 2024 Q1 (10.0.24.305) or earlier, an unauthenticated attacker can access restricted functionality through an authentication bypass vulnerability in IIS."
The flaw has been addressed in Report Server 2024 Q2 (10.1.24.514). Summoning Team's Sina Kheirkhah, credited with discovering and reporting the flaw, described it as a "very straightforward" issue that could be exploited by an "unauthenticated remote attacker to create an admin user and log in."
In addition to updating to the latest version, Progress Software urges customers to review the list of Report Server users for the presence of new local users they haven’t added.
As temporary fixes until patches can be applied, users are advised to implement a URL rewrite mitigation technique to eliminate the attack surface on the Internet Information Services (IIS) server.
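As an added illustration of what such an IIS URL rewrite mitigation looks like (this is not Progress Software's published rule, and the exact endpoint the vendor tells customers to block is not given here), the fragment below is a `web.config` rule for the IIS URL Rewrite module that aborts any request whose path matches a pattern. The pattern `PLACEHOLDER_RESTRICTED_PATH` is a stand-in: replace it with the path named in the vendor's mitigation guidance for the affected Report Server installation.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Added example rule; requires the IIS URL Rewrite module to be installed.
             The match pattern is a placeholder, not the vendor's actual endpoint. -->
        <rule name="Block Report Server restricted endpoint" stopProcessing="true">
          <match url="^PLACEHOLDER_RESTRICTED_PATH(/|$)" ignoreCase="true" />
          <!-- AbortRequest drops the connection without a response body;
               a CustomResponse with statusCode="403" would also work and is easier to see in IIS logs. -->
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying the rule, confirm it is active by requesting the blocked path from a browser or with `curl` and checking that the request is refused, and watch the IIS request logs for hits on that path: any matches after the rule is in place indicate something is still probing the endpoint and are worth investigating alongside the user-list review the vendor recommends.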
This development comes just over a month after Progress addressed another high-severity flaw affecting Telerik's Report Server (CVE-2024-1800, CVSS score: 8.8), which allowed a remote authenticated attacker to execute arbitrary code on affected installations.
In a hypothetical attack scenario, a malicious actor could combine CVE-2024-4358 and CVE-2024-1800 in an exploitation chain to bypass authentication and execute arbitrary code with elevated privileges.
Given the history of threat actors actively exploiting vulnerabilities in Telerik servers, it is crucial for users to take steps to update to the latest version as soon as possible to mitigate potential threats.
Via The Hacker News