DIVD-2024-00023 - Authentication Bypass Vulnerability in Progress Telerik Report Server
Field | Value |
---|---|
Our reference | DIVD-2024-00023 |
Case lead | Stan Plasmeijer |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | Update your Telerik Report Server to 2024 Q2 (10.1.24.514) |
Patch status | Released |
Workaround | Use the URL Rewrite module of IIS to block access to the startup/register functionality. |
Status | Closed |
Last modified | 07 Aug 2024 13:50 CEST |
Summary
In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, an unauthenticated attacker can exploit an authentication bypass vulnerability to access restricted functionality. This allows the creation of rogue administrator accounts within Telerik Report Server.
Progress Telerik Report Server versions 2024 Q1 (10.0.24.130) and earlier are vulnerable to a remote code execution attack through an insecure deserialization vulnerability.
Combined, the two vulnerabilities allow an unauthenticated attacker to achieve remote code execution on the system and take control of it.
Recommendations
Telerik recommends updating to the latest version of Telerik Report Server, which is 2024 Q2 (10.1.24.514). For instructions on updating to the latest version, see this Telerik knowledge base article.
Telerik also recommends reviewing your Report Server's user list at {host}/Users/Index for any new Local users that you did not add.
Mitigation
If updating is not possible at this moment, a temporary mitigation is available using the URL Rewrite module of IIS. The steps for the mitigation are as follows:
1. The URL Rewrite IIS module is required for this mitigation. If you do not already have it installed, you may download it from here (relaunch IIS Manager after installation).
2. Open IIS Manager and select the Telerik Report Server site.
3. Select the URL Rewrite module (see screenshot below for this view).
   3.1 Click "Add Rules".
   3.2 Choose a "Request Blocking" rule.
   3.3 For "Block Access Based On", select "URL Path".
   3.4 For "Pattern", enter the value: startup/register
   3.5 Click OK to save and activate the rule.
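The Request Blocking wizard writes the rule into the site's `web.config`. As an added example, not taken from the DIVD casefile or from Telerik's advisory, the fragment below shows a hand-written rule equivalent to the one the steps above produce, so that you can verify what landed in the configuration or deploy the same block on several servers from configuration management. The rule name, the choice of a 403 response, the trailing wildcard and the assumption that the file is the `web.config` at the root of the Report Server site are all mine; the wizard-generated rule may differ in name and exact shape.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: equivalent of the IIS URL Rewrite "Request Blocking" rule
     from the mitigation steps. Assumed location: the web.config at the root of
     the Telerik Report Server site (check the site's physical path in IIS Manager). -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- The rule name is an assumption; the wizard chooses its own name. -->
        <rule name="Block Report Server startup/register"
              patternSyntax="Wildcard" stopProcessing="true">
          <!-- The url attribute is matched against the request path without the
               leading slash. Wildcard matching ignores case by default, so
               Startup/Register is covered; the trailing * also catches a
               trailing slash. -->
          <match url="startup/register*" />
          <!-- Returning 403 is one of the wizard's "How to block" options;
               AbortRequest (drop the connection) is the other common choice. -->
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden: Access is denied."
                  statusDescription="Access to the startup/register functionality is blocked." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After saving, confirm the rule is active by requesting `/Startup/Register` on the site from a client and checking that IIS answers with 403 while the rest of the application still responds normally. A rule in a site-level `web.config` protects only that site, so repeat it for every site that hosts a vulnerable Report Server instance, and keep it in place until the update to 2024 Q2 (10.1.24.514) has been applied.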
What we are doing
DIVD is currently working to identify parties that are running a version of Telerik Report Server that contains this vulnerability and notify these parties. We do this by finding Telerik Report Servers that are connected to the Internet and verifying the version installed.
Timeline
Date | Description |
---|---|
04 Jun 2024 | DIVD starts researching the vulnerability. |
04 Jun 2024 | DIVD finds fingerprint, preparing to scan. |
05 Jun 2024 | Case opened, first version of this casefile |
05 Jun 2024 | DIVD starts scanning the internet for vulnerable instances. |
05 Jun 2024 | DIVD starts notifying network owners with a vulnerable instance in their network. |
20 Jun 2024 | DIVD rescans the internet for vulnerable instances |
20 Jun 2024 | DIVD starts notifying network owners with a vulnerable instance for the second time |
13 Jul 2024 | DIVD rescans the internet for vulnerable instances |
13 Jul 2024 | DIVD starts notifying network owners with a vulnerable instance for the third time |
13 Jul 2024 | Case closed |
More information
- CVE-2024-4358
- CVE-2024-1800
- Progress Telerik Report Server security advisory for CVE-2024-4358
- Progress Telerik Report Server security advisory for CVE-2024-1800
- The Hacker News article