Critical Exploit Unveiled for Progress Telerik: Immediate Patch Required

June 3, 2024

Researchers have released a proof-of-concept (PoC) exploit showcasing a chained remote code execution (RCE) vulnerability in Progress Telerik Report Servers. These servers offer an encrypted report management solution that many organizations use to simplify the creation, sharing, storage, distribution, and scheduling of reports.

The exploit was developed by cybersecurity researcher Sina Kheirkhah, with assistance from Soroush Dalili. It demonstrates how to chain two vulnerabilities, an authentication bypass and a deserialization issue, to execute code on the target. The authentication bypass vulnerability is identified as CVE-2024-4358 and has a CVSS score of 9.8. It allows the creation of admin accounts without any checks.

Kheirkhah decided to investigate the vulnerability after the software vendor disclosed a bug on April 25 related to a deserialization issue that required a 'low privilege' user to exploit. The researcher found that the 'Register' method in the 'StartupController' was accessible without authentication, enabling the creation of an admin account even after the initial setup was complete. This issue was resolved through an update (Telerik Report Server 2024 Q2 10.1.24.514) released on May 15, and a bulletin was published with the ZDI team on May 31.

The second flaw needed to achieve RCE is CVE-2024-1800, with a CVSS score of 8.8. This deserialization issue allows remote authenticated attackers to execute arbitrary code on vulnerable servers. An attacker can send a specially designed XML payload with a 'ResourceDictionary' element to Telerik Report Server's custom deserializer, which employs a complex mechanism to convert XML elements into .NET types. The payload's special element then uses the 'ObjectDataProvider' class to execute arbitrary commands on the server, such as launching 'cmd.exe'.

Even though the deserialization bug is complex to exploit, Kheirkhah's detailed write-up and Python exploit script are publicly available, simplifying the process for potential attackers. Therefore, organizations are urged to apply the available updates immediately, i.e., upgrade to version 10.1.24.514 or later, which resolves both vulnerabilities. The vendor also recommends that system administrators review their Report Server's user list for any unfamiliar new Local users at '{host}/Users/Index'.
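The two checks the paragraphs above describe (is the installed build older than the fixed release, and has the Register action of the StartupController been hit after initial setup was completed) can be scripted. The following is an added triage example written for this article; it is not code from the page, from the researcher, or from Progress. It assumes the Register action is reached over HTTP at a URL path ending in '/Startup/Register' (default ASP.NET MVC routing, an assumption) and that the web server writes IIS W3C access logs with the field order shown; the log lines and user records are constructed for the example.

```python
"""Defender-side triage for the Telerik Report Server issues discussed above.

Assumptions (not stated on the page):
  - StartupController.Register is exposed at a path ending in /Startup/Register
  - access logs are IIS W3C format with the field order in W3C_FIELDS
Sample log lines and user records below are constructed for this example.
"""
from dataclasses import dataclass
import re

# Telerik Report Server 2024 Q2 build that fixes CVE-2024-4358 and CVE-2024-1800
FIXED_VERSION = (10, 1, 24, 514)


def parse_version(version: str) -> tuple:
    """Turn '10.1.24.514' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


W3C_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Assumed route for the Register action (hypothetical; verify against your install)
REGISTER_PATH = re.compile(r"/startup/register/?$", re.IGNORECASE)


@dataclass
class RegisterHit:
    timestamp: str
    client_ip: str
    status: str
    raw: str


def parse_w3c_line(line: str):
    """Map one W3C log line onto field names; skip comments and short lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) < len(W3C_FIELDS):
        return None
    return dict(zip(W3C_FIELDS, parts))


def find_register_calls(lines, setup_completed_at: str):
    """Return every request to the Register action after initial setup finished.

    Once setup is complete that action should never be called again, so any
    hit is a candidate for the unauthenticated admin-creation bypass and
    deserves review. Timestamps are 'YYYY-MM-DD HH:MM:SS', so string
    comparison orders them correctly.
    """
    hits = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None or not REGISTER_PATH.search(rec["cs-uri-stem"]):
            continue
        ts = f"{rec['date']} {rec['time']}"
        if ts <= setup_completed_at:
            continue  # the legitimate first-run registration
        hits.append(RegisterHit(ts, rec["c-ip"], rec["sc-status"], line))
    return hits


def unexpected_local_users(users, known_usernames):
    """Mirror the vendor's advice: list Local users not on the admin's baseline.

    `users` is a list of dicts like those an admin would transcribe from
    {host}/Users/Index (constructed shape for this example).
    """
    return [u for u in users
            if u.get("type") == "Local" and u["username"] not in known_usernames]


# Constructed sample data
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-01 09:00:00 10.0.0.5 POST /Startup/Register - 83 - 10.0.0.20 Mozilla/5.0 302
2024-05-20 10:15:01 10.0.0.5 GET /Report/Index - 83 alice 10.0.0.21 Mozilla/5.0 200
2024-05-20 10:15:09 10.0.0.5 POST /Startup/Register - 83 - 198.51.100.7 Mozilla/5.0 302
2024-05-20 10:16:00 10.0.0.5 GET /Users/Index - 83 svc_backup 198.51.100.7 Mozilla/5.0 200
"""
SETUP_COMPLETED_AT = "2024-05-01 09:30:00"
SAMPLE_USERS = [
    {"username": "alice", "type": "Local"},
    {"username": "bob", "type": "Active Directory"},
    {"username": "svc_backup", "type": "Local"},
]
KNOWN_USERS = {"alice", "bob"}

if __name__ == "__main__":
    print("vulnerable build:", is_vulnerable_version("10.0.24.305"))
    for hit in find_register_calls(SAMPLE_LOG.splitlines(), SETUP_COMPLETED_AT):
        print("post-setup Register call:", hit.timestamp, hit.client_ip, hit.status)
    for user in unexpected_local_users(SAMPLE_USERS, KNOWN_USERS):
        print("unexpected local user:", user["username"])
```

The version check is deliberately strict about the full four-part build number, since the fixed release differs from earlier 2024 builds only in the later components. The log scan treats the first registration (before the recorded setup-completion time) as expected and flags everything after it; the user review is the same baseline comparison the vendor's guidance asks administrators to do by hand.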

It's worth noting that critical vulnerabilities in Progress Software are rarely overlooked by high-level cybercriminals, given the widespread use of the vendor's products by organizations globally. A notable example is the large-scale data theft attacks exploiting a zero-day vulnerability in the Progress MOVEit Transfer platform by the Clop ransomware gang in March 2023. This operation ended up being one of the most extensive and impactful extortion operations in history, claiming over 2,770 victims and indirectly affecting nearly 96 million people.
