Telerik Report Server Flaw Let Remote Attackers Bypass Authentication


Progress-owned Telerik Report Server addressed two vulnerabilities in its system, which were associated with Authentication bypass and Insecure Deserialization.

To add a note, the insecure deserialization was marked as 9.9 (Critical) instead of 8.8 (High), which was the original severity of the vulnerability.

However, the Authentication bypass had a severity of 9.8 (Critical), which allowed threat actors to bypass authentication on the affected installations of the Progress Software Telerik Reporting. 

The CVEs for these vulnerabilities were given as CVE-2024-4358 (Authentication Bypass) and CVE-2024-1800 (Insecure Deserialization of Untrusted Data leading to Remote Code Execution).

Nevertheless, researchers have discovered a new technique to combine both of these vulnerabilities, which could create a system administrator account on affected installations.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

Technical Analysis – CVE-2024-4358/CVE-2024-1800

According to the reports shared, this vulnerability existed due to the “Register” method, which is available unauthenticated and can use received parameters to create a user with “system administrator” privileges. 

It was also mentioned that this vulnerability resembled the recently disclosed ConnectWise ScreenConnect Authentication bypass vulnerability, which allowed unauthenticated users to create a system administrator account on affected installations.

However, this vulnerability existed as there was no check to prevent unauthenticated users from accessing this endpoint after setting up the Telerik Report Server.

In addition, once authenticated into the server, a threat actor can use the deserialization of an untrusted data vulnerability to achieve full Remote code execution on the affected server.

Moreover, a proof of concept for this vulnerability has also been published.

Researchers who discovered this vulnerability also stated that the Telerik Report server processes all of the data on the server side.

Further, the server reporting feature was the initial stage of analysis, which led to several other methods and functions.

Progress Telerik Report Server (Source: Summoning Team)

Telerik report server uses IsSupportedExtension method which returns true only if the extension of the file is either .trdp or .trbp which is then allowed to hit Unpackagedocument where all the array of bytes are converted to well known .NET MemoryStream.

Further, the insecure deserialization occurs in ReportXmlSerializer (), which has the vulnerable Deserialize () constructor. The Summoning Team has published a complete report about this vulnerability and an explanation of functions.

ReportXmlSerializer () function (Source: Summoning Team)

In addition to this, researchers have published proof of concept code on GitHub.

It is recommended that users of the Progress Telerik Report Server upgrade their software to the latest versions to prevent threat actors from exploiting these vulnerabilities.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 



Source link