A security researcher at Trend Micro Zero Day Initiative discovered a vulnerability in Progress Telerik Report Server. CVE-2024-4358 is a critical-severity vulnerability that allows an unauthenticated, remote attacker to bypass security restrictions and gain access to restricted functionality of Telerik Report Server.
The researcher who discovered the vulnerability published a PoC together with a write-up of the exploitation method. The write-up explains that code execution on the target is possible by chaining two flaws: the authentication bypass (CVE-2024-4358) and a deserialization flaw (CVE-2024-1800), which the vendor patched earlier this year.
The researcher mentioned in his blog that he discovered the vulnerability after the vendor released a patch for the deserialization flaw, which required at least a low-privileged user to exploit.
CISA acknowledged the active exploitation of CVE-2024-4358 by adding it to its Known Exploited Vulnerabilities Catalog and requesting users patch the flaw before July 4, 2024.
Telerik Report Server is an end-to-end report management solution that helps transform raw data into actionable business insights and then stores and distributes these insights within the business.
Exploitation Analysis
According to the Zero Day Initiative advisory, CVE-2024-4358 exists within the implementation of the Register method of the StartupController and originates from a lack of validation of the current installation step. Because the method can be reached without authentication, an attacker can create an admin account even after the initial setup has been completed.
The second flaw required for performing remote code execution is a deserialization flaw (CVE-2024-1800) that allows remote authenticated attackers to execute arbitrary code.
CVE-2024-1800 was discovered earlier and addressed by the vendor on March 7, 2024, in Telerik Report Server 2024 Q1 (10.0.24.305).
To exploit the deserialization flaw, an attacker may send a specially crafted XML payload containing a ResourceDictionary element to the Telerik Report Server's custom deserializer, which uses a complex mechanism to resolve XML elements into .NET types.
An element in that payload then makes use of the ObjectDataProvider class to execute arbitrary commands on the server, such as launching cmd.exe.
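The two-stage chain described above leaves two observable traces a defender can look for: requests to the StartupController Register method after initial setup has finished, and report definitions that contain the ResourceDictionary/ObjectDataProvider element combination. The following is an added example, not code from Qualys, Progress or the researcher, that runs both checks over constructed sample data. The request path /Startup/Register is an assumption (the advisory names only the controller and method), the IIS-style log lines are constructed, and the XML sample holds nothing but the two element names the post mentions.

```python
import re
from xml.etree import ElementTree as ET

# Assumed route for StartupController.Register; adjust to the real path on your server.
REGISTER_PATH = "/startup/register"

# Constructed IIS-style log lines: date time method uri status client-ip.
# The first Register call belongs to the legitimate initial setup; the later ones do not.
SAMPLE_LOG = """\
2024-06-01 09:00:12 POST /Startup/Register 200 10.0.0.5
2024-06-01 09:05:44 GET /Report/Index 200 10.0.0.5
2024-06-10 02:13:07 POST /Startup/Register 200 198.51.100.23
2024-06-10 02:13:09 POST /Startup/Register 200 198.51.100.23
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) (?P<ip>\S+)$"
)


def register_hits_after_setup(log_text: str, setup_completed: str) -> list[dict]:
    """Return Register-endpoint requests that arrived after initial setup was completed.

    setup_completed is a 'YYYY-MM-DD HH:MM:SS' timestamp; string comparison is
    valid for that fixed-width format. Any hit after setup is worth an alert,
    because the endpoint should not be used again once the first admin exists.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected log layout
        path = m["uri"].split("?", 1)[0].lower()
        if path != REGISTER_PATH:
            continue
        ts = f"{m['date']} {m['time']}"
        if ts > setup_completed:
            hits.append({"timestamp": ts, "ip": m["ip"], "status": m["status"]})
    return hits


# Element names the post associates with the deserialization payload.
SUSPICIOUS_ELEMENTS = {"ResourceDictionary", "ObjectDataProvider"}

# Constructed samples: one carrying the suspicious element pair, one ordinary report.
SUSPICIOUS_XML = "<ResourceDictionary><ObjectDataProvider /></ResourceDictionary>"
BENIGN_XML = '<Report><Items><TextBox Value="hello" /></Items></Report>'


def suspicious_elements(xml_text: str) -> list[str]:
    """List suspicious element names found anywhere in an XML report definition.

    Namespaced tags ('{ns}Name') are reduced to their local name before matching.
    Unparseable input is reported explicitly rather than silently ignored, since a
    custom deserializer may accept what a strict parser rejects.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["<unparseable>"]
    found = []
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]
        if local in SUSPICIOUS_ELEMENTS:
            found.append(local)
    return found


if __name__ == "__main__":
    for hit in register_hits_after_setup(SAMPLE_LOG, "2024-06-01 09:01:00"):
        print("Register call after setup:", hit)
    print("suspicious:", suspicious_elements(SUSPICIOUS_XML))
    print("benign:", suspicious_elements(BENIGN_XML))
```

Run with the completion time of the real initial setup; in production the log lines would come from the web server access log and the XML from report uploads or stored definitions, with both findings feeding an alert rather than being printed.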
Affected Versions
The vulnerability impacts Telerik Report Server version 2024 Q1 (10.0.24.305) and prior.
Mitigation
Customers must upgrade to Telerik Report Server version 2024 Q2 (10.1.24.514) or later to patch the vulnerability.
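Checking an inventory against the fixed build is a small but error-prone step, because the vendor's "2024 Q2 (10.1.24.514)" display format and the bare four-part build number both occur in practice and must compare numerically, not as strings. The following added example (not Qualys or Progress code) extracts the build number from either form and treats anything below 10.1.24.514, the version named above, as unpatched; the hostnames and the version strings other than the two quoted on this page are constructed.

```python
import re

# Fixed build per the advisory: Telerik Report Server 2024 Q2 (10.1.24.514).
PATCHED_BUILD = (10, 1, 24, 514)

_BUILD_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_build(version: str) -> tuple[int, ...]:
    """Extract the four-part build from '2024 Q1 (10.0.24.305)' or '10.0.24.305'."""
    m = _BUILD_RE.search(version)
    if not m:
        raise ValueError(f"no build number found in {version!r}")
    return tuple(int(part) for part in m.groups())


def is_unpatched(version: str) -> bool:
    """True when the installed build is older than the fixed build (tuple comparison)."""
    return parse_build(version) < PATCHED_BUILD


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames whose installed version still needs the Q2 upgrade."""
    return sorted(host for host, version in inventory.items() if is_unpatched(version))


# Constructed inventory: hostnames and the 9.x / 11.x entries are hypothetical values.
SAMPLE_INVENTORY = {
    "rpt-01": "2024 Q1 (10.0.24.305)",
    "rpt-02": "2024 Q2 (10.1.24.514)",
    "rpt-03": "9.2.23.1018",
    "rpt-04": "11.0.0.0",
}

if __name__ == "__main__":
    print("needs upgrade:", triage(SAMPLE_INVENTORY))
```

Tuple comparison avoids the classic mistake of comparing "10.1.24.514" with "9.2.23.1018" as text, where "9" would sort after "10".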
For more information, please refer to the Progress Telerik Security Advisory.
Qualys Detection
Qualys customers can scan their devices with QID 731570 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://github.com/sinsinology/CVE-2024-4358
https://www.zerodayinitiative.com/advisories/ZDI-24-561/
https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/
https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358