Progress Software has rolled out updates to address a critical security flaw impacting the Telerik Report Server that could potentially be exploited by a remote attacker to bypass authentication and create rogue administrator users.
The issue, tracked as CVE-2024-4358, carries a CVSS score of 9.8 out of a maximum of 10.0.
“In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability,” the company said in an advisory.
The shortcoming has been addressed in Report Server 2024 Q2 (10.1.24.514). Sina Kheirkhah of Summoning Team, who is credited with discovering and reporting the flaw, described it as a “very simple” bug that could be exploited by a “remote unauthenticated attacker to create an administrator user and login.”
Besides updating to the latest version, Progress Software is urging customers to review their Report Server's users list for the presence of any new Local users that they may not have added.
As a temporary workaround until the patches can be applied, users are being asked to implement a URL Rewrite mitigation technique to remove the attack surface in the Internet Information Services (IIS) server.
The development arrives a little over a month after Progress remediated another high-severity flaw impacting the Telerik Report Server (CVE-2024-1800, CVSS score: 8.8) that could be exploited by an authenticated remote attacker to execute arbitrary code on affected installations.
In a hypothetical attack scenario, a malicious actor could fashion CVE-2024-4358 and CVE-2024-1800 into an exploit chain in order to sidestep authentication and execute arbitrary code with elevated privileges.
With vulnerabilities in Telerik servers actively exploited by threat actors in the past, it is crucial that users take steps to update to the latest version as soon as possible to mitigate potential threats.