Progress Software warns of OpenEdge Authentication Gateway critical vulnerability
Take action: If you are using OpenEdge Authentication Gateway, OpenEdge Explorer or OpenEdge Management, isolate them from the internet and patch them as soon as possible. A proof-of-concept exploit has been published, which means any instances exposed to the internet will be attacked very soon, and those not directly reachable will be targeted in follow-on attacks once something else on the network is compromised. Don't leave this one unpatched.
Learn More
A critical security vulnerability has been reported in Progress Software's OpenEdge Authentication Gateway and AdminServer, potentially allowing attackers to bypass authentication measures.
The flaw, tracked as CVE-2024-1403 (CVSS score 10.0), occurs when the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the operating system's local authentication provider for user ID and password logins. The same risk is present when OpenEdge Explorer (OEE) or OpenEdge Management (OEM) connects to the AdminServer using the OS local authentication provider.
According to Progress Software, the vulnerability is caused by the system incorrectly signaling authentication success for OpenEdge local domain logins when it encounters unexpected types of usernames and passwords, so an attacker can gain access without valid credentials. In other words, the authentication routine fails open: only an explicit credential mismatch is rejected, and input the code did not anticipate is treated as a successful login.
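The following is an added illustration of that bug class, written for this page; it is not Progress Software's code, and the user table, the handler names and the probe inputs are all constructed for the example. It puts a fail-open local authenticator beside a fail-closed one so the difference in how unexpected input types are handled is visible.

```python
"""Fail-open versus fail-closed local authentication.

Illustrative reconstruction of the bug class described for CVE-2024-1403,
NOT the vendor's code.  Everything here is constructed for the example.
"""
import hashlib
import hmac

# Constructed stand-in for an OS local authentication provider's user store:
# username -> salted SHA-256 of the password.  Not real credentials.
_SALT = b"example-salt"
_USERS = {
    "admin": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
    "oeuser": hashlib.sha256(_SALT + b"battery staple").hexdigest(),
}


def _digest(password: str) -> str:
    """Hash a candidate password the same way the store does."""
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


def authenticate_vulnerable(username, password) -> bool:
    """Fail-open: success is the default and only an explicit mismatch
    flips it.  A caller that supplies an unexpected type (None, bytes, a
    list, ...) never reaches the mismatch branch and is reported as
    authenticated."""
    result = True  # BUG: success is the default outcome
    if isinstance(username, str) and isinstance(password, str):
        stored = _USERS.get(username)
        if stored is None or not hmac.compare_digest(stored, _digest(password)):
            result = False
    # Unexpected input types fall through with result still True.
    return result


def authenticate_fixed(username, password) -> bool:
    """Fail-closed: deny unless every check affirmatively passes."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False  # reject unexpected types outright
    if not username or not password:
        return False  # reject empty credentials
    stored = _USERS.get(username)
    if stored is None:
        return False  # unknown user; same answer as a bad password
    return hmac.compare_digest(stored, _digest(password))


# Constructed probe cases: the last three are "unexpected types" that a
# fail-open routine accepts and a fail-closed routine rejects.
PROBES = {
    "valid": ("admin", "correct horse"),
    "wrong_password": ("admin", "wrong"),
    "unknown_user": ("nobody", "correct horse"),
    "none_credentials": (None, None),
    "bytes_password": ("admin", b"correct horse"),
    "list_username": (["admin"], "correct horse"),
}


def probe(auth_fn) -> dict:
    """Run every probe case through an authenticator; returns name -> bool."""
    return {name: auth_fn(u, p) for name, (u, p) in PROBES.items()}


if __name__ == "__main__":
    for fn in (authenticate_vulnerable, authenticate_fixed):
        print(fn.__name__, probe(fn))
```

The vulnerable routine accepts all three unexpected-type probes without knowing a single password, which is the shape of bug the advisory describes; the fixed routine starts from deny and returns success only on a constant-time digest match.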
The vulnerability affects OpenEdge 11.7.18 and earlier, 12.2.13 and earlier, and the 12.8.0 release. It is fixed in the OpenEdge LTS Update releases 11.7.19, 12.2.14, and 12.8.1.
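For triaging an inventory against those fixed releases, here is an added version-comparison helper written for this page (not a Progress tool). The fixed builds are the ones the advisory lists; the host inventory lines are constructed. Note that version alone says whether a build is below the fix on its line; the advisory's exposure condition is the OS local authentication provider configuration, so treat a below-fix build as needing the patch regardless of configuration.

```python
"""Version triage for CVE-2024-1403 against the advisory's fixed builds.

Added example, not vendor tooling.  Fixed versions are from the advisory;
the inventory is constructed for the example.
"""
from typing import Optional

# First fixed build on each release line the advisory names.
FIXED = {
    (11, 7): (11, 7, 19),
    (12, 2): (12, 2, 14),
    (12, 8): (12, 8, 1),
}


def parse_version(text: str) -> tuple:
    """'12.2.13' -> (12, 2, 13).  Rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable OpenEdge version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build is below the fixed release on its line, False if at
    or after it, None if the line is not one the advisory lists (for example
    a non-LTS 12.x release): those need manual triage, not a green light."""
    v = (parse_version(version) + (0, 0, 0))[:3]  # pad '12.8' -> (12, 8, 0)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < fixed  # tuple comparison is numeric, component by component


# Constructed inventory: "<host> <openedge version>" per line.
INVENTORY = """\
oe-app-01 12.2.13
oe-app-02 12.2.14
oe-mgmt-01 12.8.0
oe-legacy 11.7.18
oe-build 12.5.1
"""


def triage(inventory: str) -> dict:
    """Map each host to VULNERABLE / patched / unknown-line."""
    report = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        verdict = is_vulnerable(version)
        report[host] = (
            "unknown-line" if verdict is None
            else "VULNERABLE" if verdict
            else "patched"
        )
    return report


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts on a line the advisory does not list come back as unknown-line rather than patched on purpose: an absent entry in the fixed-version table should never be read as safe.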
Security researcher Zach Hanley noted that, although the flaw at first appears to let attackers deploy new applications via remote WAR file references, reaching deeper attack surface would take considerable effort because of the internal service message brokers and custom message formats involved. Nonetheless, he suggests that remote code execution through the system's built-in functionality may well be achievable with enough research.