Researchers from Horizon3.ai have published technical details and a proof-of-concept (PoC) exploit for the critical security flaw CVE-2024-1403 in Progress Software OpenEdge Authentication Gateway and AdminServer.
“The Progress OpenEdge team recently identified a security vulnerability in OpenEdge Release 11.7.18 and earlier, OpenEdge 12.2.13 and earlier, and OpenEdge 12.8.0. We have addressed the issue and have Updates in OpenEdge LTS Update 11.7.19, 12.2.14 and 12.8.1.” reads the advisory. “When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the OS local authentication provider to grant user-id and password logins on operating platforms supported by active releases of OpenEdge, a vulnerability in the authentication routines may lead to unauthorized access on attempted logins.” “Similarly, when an AdminServer connection is made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM), it also utilizes the OS local authentication provider on supported platforms to grant user-id and password logins that may also lead to unauthorized login access.”
The vulnerability CVE-2024-1403 (CVSS score 10) is an authentication bypass issue that impacts OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0.
Horizon3.ai researchers explained that they were not able to acquire a patched system to perform patch diffing. However, they focused on the analysis of the details included in the advisory. It highlights, ‘The AdminServer logins are always potentially vulnerable because they only support OS local logins.’ Then the researchers performed a reverse engineering of the AdminServer Service.
“Inspecting the class, we find that when a remote connection is made the connect()
method is called and expects a user supplied username and password.” reads the analysis published by Horizon3.ai.
“The connect() method interestingly loads a native system library, auth.dll, and eventually calls the authorizeUser() method defined in it. Replacing auth.dll was mentioned in the temporary mitigations so we’re likely on the right track.”
The authorizeUser() function is used to conduct primary input validation by verifying provided credentials before transferring the control to a function named vulnerable_checks().
The researchers noticed that the user-supplied AccountName (username) is compared to NT AUTHORITY/SYSTEM. If a match occurs, authentication is granted.
“While we’ve bypassed authentication, finding attack surface to abuse to drive some impact like remote code execution was the next goal.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Progress Software OpenEdge Authentication Gateway and AdminServer)