Introduction to Discovered Vulnerabilities
On May 31, 2024, security researcher Sina Kheirkhah of the Summoning Team announced an exploit chain built from two vulnerabilities in Progress Telerik Report Server, a report management product. Chained together, the two flaws allow unauthenticated remote code execution (RCE) on the server. On June 3, Kheirkhah, working with security researcher Soroush Dalili, published a detailed blog post explaining how the vulnerabilities are chained to achieve full RCE.
Understanding these RCE Vulnerabilities
The first vulnerability, CVE-2024-1800, is an insecure deserialization issue in the ObjectReader class of Telerik Report Server. The class deserializes user-supplied data without adequately validating it, so an attacker who can submit a crafted object graph gains code execution as the system user. The vendor assigned a CVSS score of 9.9, while Trend Micro's Zero Day Initiative (ZDI) rated it slightly lower at 8.8 because exploitation requires an authenticated, low-privileged user. That precondition is exactly what the second flaw removes.
The second vulnerability, CVE-2024-4358, is an authentication bypass. The register method that handles the server's initial installation step never checks whether setup has already been completed, so the setup endpoint remains reachable without authentication after the administrator has finished configuring the server. An attacker can call it to register a new administrative user and then log in with full privileges. Both the vendor and ZDI assigned this vulnerability a CVSS score of 9.8.
Chaining Vulnerabilities for Remote Code Execution
By combining the authentication bypass (CVE-2024-4358) with the insecure deserialization vulnerability (CVE-2024-1800), an attacker first obtains an administrative session and then uploads a malicious report whose contents are deserialized by ObjectReader, executing arbitrary code on the server. The bypass removes the low-privileged-user requirement behind ZDI's 8.8 rating, which is why the chain as a whole is unauthenticated. The prior exploitation of similar flaws in other Progress products, notably MOVEit Transfer (CVE-2023-34362), makes in-the-wild exploitation of this chain likely in the near future, so immediate patching is essential.
Proof of Concept and Mitigation
A proof-of-concept (PoC) script demonstrating the full chain was published to GitHub on June 3. The only mitigation is to upgrade. CVE-2024-1800 was fixed in Report Server 2024 Q1 (10.0.24.305); CVE-2024-4358 was fixed in Report Server 2024 Q2 (10.1.24.514), which therefore addresses both flaws. Builds at or above 10.0.24.305 but below 10.1.24.514 are still exposed to the authentication bypass on its own. Because the bypass lets an attacker register accounts, administrators of servers that ran an affected version while exposed should also review the user list for administrator accounts they did not create and treat any such account as an indicator of compromise.
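The following is an added example, not code from the advisory, the researchers, or Progress. It turns the two fix versions named above into a small triage helper that parses a Telerik Report Server build string and reports which of the two CVEs a given build is still missing. The hostnames and build numbers in the sample inventory are constructed for illustration; only the two fix versions come from the text.

```python
"""Triage Telerik Report Server build numbers against the fix versions for
CVE-2024-1800 and CVE-2024-4358 (added example; fix versions from the advisory,
everything else assumed or constructed)."""
import re

# First build that contains each fix, as stated in the advisory text.
FIXED_IN = {
    "CVE-2024-1800": (10, 0, 24, 305),  # Report Server 2024 Q1
    "CVE-2024-4358": (10, 1, 24, 514),  # Report Server 2024 Q2
}

# A dotted build number with two to four components, e.g. 10.1.24.514.
# Plain integers such as the "2024" in "2024 Q2" contain no dot and are skipped.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the dotted build number from strings like '10.0.24.305' or
    'Telerik Report Server 2024 Q1 (10.0.24.305)' and return it as a 4-tuple.

    Tuples compare component-wise, which gives correct version ordering without
    string tricks (so 10.1.24.514 > 10.0.24.305 even though '0' < '1' only at
    the second component)."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no dotted version found in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad short strings so '10.1' compares as (10, 1, 0, 0).
    return parts + (0,) * (4 - len(parts))


def unpatched_cves(version: str) -> list[str]:
    """Return the CVEs from FIXED_IN that the given build does not yet include."""
    build = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if build < fixed)


def describe(version: str) -> str:
    """One-line verdict for a build, distinguishing the full pre-auth chain from
    a build that has only the deserialization fix."""
    missing = unpatched_cves(version)
    if not missing:
        return f"{version}: fixed for both CVEs"
    if missing == ["CVE-2024-4358"]:
        return f"{version}: deserialization fixed, but auth bypass still present; upgrade to 10.1.24.514"
    return f"{version}: exposed to the full pre-auth RCE chain ({', '.join(missing)}); upgrade to 10.1.24.514"


# Constructed sample inventory: hostnames and builds are made up for this example.
SAMPLE_INVENTORY = {
    "reports-prod-01": "10.0.24.130",
    "reports-prod-02": "Telerik Report Server 2024 Q1 (10.0.24.305)",
    "reports-dev-01": "10.1.24.514",
}


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map each host to the CVEs it is still missing; an empty list means patched."""
    return {host: unpatched_cves(build) for host, build in inventory.items()}


if __name__ == "__main__":
    for host, build in SAMPLE_INVENTORY.items():
        print(f"{host:16} {describe(build)}")
```

Feed it the version string from each server's About page or installer metadata; any host whose list is non-empty needs the 2024 Q2 upgrade, and a host missing only CVE-2024-4358 should still be treated as urgent because the bypass alone grants an administrator account.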
Conclusion
Given the critical nature of these vulnerabilities, immediate action is necessary to protect systems from potential exploitation. Ensure your Progress Telerik Report Server is up to date by applying the latest patches.