Pierluigi Paganini
June 04, 2024
Researchers published a proof-of-concept (PoC) exploit code for an authentication bypass vulnerability on Progress Telerik Report Servers. Telerik Report Server is an end-to-end report management solution developed by Progress® Telerik.
Cybersecurity researcher Sina Kheirkha started his research from an advisory published by Progress for a deserialization issue tracked as CVE-2024-4358 (CVSS score: 9.8). The experts noticed that the exploitation required authentication, so shortly after the release of the patch, he managed to find an authentication bypass. With the help of Soroush Dalili (@irsdl), the expert chained the deserialization issue with an auth bypass to achieve full unauthenticated RCE.
The researchers chained the issue with the deserialization flaw CVE-2024-1800 (CVSS score: 8.8) to execute arbitrary code on vulnerable servers.
⚠️Here is the Exploit Chain targeting Telerik Report Server CVE-2024-4358/CVE-2024-1800 that allows pre-authenticated Remote Code Execution 🩸 by chaining a deserialization 🪲 and an interesting authentication bypass 🔥🔥🔥https://t.co/ZkPL8vggcH pic.twitter.com/Og7n4qRoXN
— SinSinology (@SinSinology) June 3, 2024
An unauthenticated attacker can exploit the flaw to gain access Telerik Report Server restricted functionality via an authentication bypass vulnerability.
The researchers demonstrated how to create an admin account by exploiting the bypass flaw CVE-2024-4358.
“The vulnerability is very simple, the endpoint which is responsible for setting up the server for the first time is accessible unauthenticated even after the admin has finished the setup process.” wrote the expert. “The following method is where the vulnerability occurs Telerik.ReportServer.Web.dll!Telerik.ReportServer.Web.Controllers.StartupController.Register”
An unauthenticated attacker can invoke the Register method and use the received parameters to create a user with the “System Administrator” role.
“This method is available unauthenticated and will use the received parameters to create a user first, and then it will assign the “System Administrator” role to the user, this allows a remote unauthenticated attacker to create an administrator user and login :))))))” continues the expert.
The vulnerability impacts Telerik Report Server 2024 Q1 (10.0.24.305) and earlier and Progress addressed it with the release of Telerik Report Server 2024 Q2 10.1.24.514 on May 15.
“Updating to Report Server 2024 Q2 (10.1.24.514) or later is the only way to remove this vulnerability. The Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.” states the vendor.
The experts urge organizations to update their installs as soon as possible due to the availability of PoC exploit code.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, RCE)
