Skip to the content.

DIVD-2024-00023 - Authentication Bypass Vulnerability in Progress Telerik Report Server

Our reference DIVD-2024-00023
Case lead Stan Plasmeijer
Researcher(s)
CVE(s)
Products
  • Telerik Report Server
Versions
  • version 2024 Q1 (10.0.24.305) or earlier
Recommendation Update your Telerik Report Server to 2024 Q2 (10.1.24.514)
Patch status Released
Workaround Use the URL Rewrite module of IIS to block access to the startup/register functionality.
Status Closed
Last modified 07 Aug 2024 13:50 CEST

Summary

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, an unauthenticated attacker can exploit an authentication bypass vulnerability to access restricted functionality. This allows the creation of rogue administrator accounts within Telerik Report Server.

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.130) or earlier are vulnerable for a remote code execution attack through an insecure deserialization vulnerability.

Both vulnerabilities combined can lead to an unauthenticated attacker achieving remote code execution on the system, enabling them to take control of the system.

Recommendations

Telerik recommends updating to the latest version of Telerik Report Server, which is 2024 Q2 (10.1.24.514). For updating to the latest version, see this Telerik knowledge base article.

Telerik also recommends reviewing your Report Server’s users list for any new Local users you have not added at {host}/Users/Index.

Mitigation

If updating is not possible at this momemt, there is a temporary mitigation by using the URL Rewrite module of IIS. The steps for the mitigation are as follows:

  1. The URL Rewrite IIS module is required for this mitigation. If you do not already have it installed, you may download it from here (relaunch IIS Manager after installtion).
  2. Open IIS Manager and select the Telerik Report Server site.
  3. Select the URL Rewrite module (see screenshot below for this view). 3.1 Click “Add Rules” 3.2 Choose a ‘Request Blocking’ rule. 3.3 For “Block Access Based On”, select “URL Path” 3.4 For “Pattern”, enter the value: startup/register 3.5 Click OK to save and activate the rule.

What we are doing

DIVD is currently working to identify parties that are running a version of Telerik Report Server that contains this vulnerability and notify these parties. We do this by finding Telerik Report Servers that are connected to the Internet and verifying the version installed.

Timeline

Date Description
04 Jun 2024 DIVD starts researching the vulnerability.
04 Jun 2024 DIVD finds fingerprint, preparing to scan.
05 Jun 2024 Case opened, first version of this casefile
05 Jun 2024 DIVD starts scanning the internet for vulnerable instances.
05 Jun 2024 DIVD starts notifying network owners with a vulnerable instance in their network.
20 Jun 2024 DIVD rescans the internet for vulnerable instances
20 Jun 2024 DIVD starts notifying network owners with a vulnerable instance for the second time
13 Jul 2024 DIVD rescans the internet for vulnerable instances
13 Jul 2024 DIVD starts notifying network owners with a vulnerable instance for the third time
13 Jul 2024 Case closed
gantt title DIVD-2024-00023 - Authentication Bypass Vulnerability in Progress Telerik Report Server dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00023 - Authentication Bypass Vulnerability in Progress Telerik Report Server (39 days) :2024-06-04, 2024-07-13 section Events DIVD starts researching the vulnerability. : milestone, 2024-06-04, 0d DIVD finds fingerprint, preparing to scan. : milestone, 2024-06-04, 0d Case opened, first version of this casefile : milestone, 2024-06-05, 0d DIVD starts scanning the internet for vulnerable instances. : milestone, 2024-06-05, 0d DIVD starts notifying network owners with a vulnerable instance in their network. : milestone, 2024-06-05, 0d DIVD rescans the internet for vulnerable instances : milestone, 2024-06-20, 0d DIVD starts notifying network owners with a vulnerable instance for the second time : milestone, 2024-06-20, 0d DIVD rescans the internet for vulnerable instances : milestone, 2024-07-13, 0d DIVD starts notifying network owners with a vulnerable instance for the third time : milestone, 2024-07-13, 0d Case closed : milestone, 2024-07-13, 0d

More information