Progress Telerik fixes critical auth bypass flaw, PoC published - patch now
Take action: If you are using Progress Telerik Report Server, patch ASAP and check for unauthorized accounts possibly created by hackers.
Progress Telerik has issued patches for critical security vulnerabilities affecting its Report Server. Telerik is a suite of development tools designed to help developers create applications for web, mobile, and desktop environments.
The critical flaws are:
- CVE-2024-4358 (CVSS score: 9.8): Authentication Bypass that allows the creation of admin accounts without proper checks. The 'Register' method in the 'StartupController' was found to be accessible without authentication, enabling the creation of admin accounts even after the initial setup. The patch was released on May 15, 2024 (Telerik Report Server 2024 Q2 10.1.24.514).
- CVE-2024-1800 (CVSS score: 9.9): Deserialization Issue that permits remote authenticated attackers to execute arbitrary code. An attacker can send a specially crafted XML payload with a 'ResourceDictionary' element to the server's custom deserializer, which then executes arbitrary commands such as launching 'cmd.exe'. The patch was released on March 7, 2024 (Telerik Report Server 2024 Q1 10.0.24.305).
The published PoC exploit combines these two vulnerabilities to achieve remote code execution on the target system. Despite the complexity of exploiting the deserialization issue, the availability of a detailed write-up and Python script simplifies the process for potential attackers.
Organizations using Telerik Report Server should upgrade to version 10.1.24.514 or later to mitigate these vulnerabilities. Additionally, administrators are advised to:
- Check for Unauthorized Accounts: Review the user list for any unfamiliar local users added via {host}/Users/Index.
- Apply Security Updates: Ensure all security patches from Progress Telerik are promptly applied to prevent exploitation.
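To support the account review above, here is an added detection example (not code from the article or from Progress Telerik) that scans web-server access logs for POST requests to the 'Register' action of 'StartupController' after the legitimate initial-setup window closed; the '/Startup/Register' route, the log layout and the timestamps are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed IIS W3C-style log lines: date time method uri-stem status client-ip.
SAMPLE_LOG = """\
2024-05-10 09:00:01 POST /Startup/Register 200 10.0.0.5
2024-05-10 09:02:17 GET /Users/Index 200 10.0.0.5
2024-05-20 03:14:09 POST /Startup/Register 200 203.0.113.7
2024-05-20 03:14:11 GET /Users/Index 200 203.0.113.7
2024-05-20 03:15:40 POST /Startup/Register 302 203.0.113.7
"""

# Assumed: the moment the legitimate first-run setup finished (from change records).
SETUP_COMPLETED_AT = datetime(2024, 5, 10, 9, 0, 1)

# Assumed route for the 'Register' action on 'StartupController' under ASP.NET MVC
# default routing; confirm the real path against your own deployment's logs.
REGISTER_ACTION = re.compile(r"^/startup/register\b", re.IGNORECASE)

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3}) (?P<ip>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "method": m["method"], "uri": m["uri"],
            "status": int(m["status"]), "ip": m["ip"]}

def find_late_register_hits(log_text, setup_completed_at, grace=timedelta(minutes=30)):
    """Return POSTs to the Register action that arrived after setup plus a grace period.
    Any such hit should be correlated with unfamiliar local users under /Users/Index."""
    cutoff = setup_completed_at + grace
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if REGISTER_ACTION.match(rec["uri"]) and rec["ts"] > cutoff:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_late_register_hits(SAMPLE_LOG, SETUP_COMPLETED_AT):
        print(f"{h['ts']} {h['ip']} {h['method']} {h['uri']} -> {h['status']}")
```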