Progress addressed a critical severity vulnerability impacting the Telerik Report Server. Tracked as CVE-2024-6327, the vulnerability has a CVSS score of 9.9. Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code, leading to complete system compromise. The vulnerability originates from an insecure deserialization flaw.
Telerik Report Server is an end-to-end report management solution that helps transform raw data into actionable business insights and then stores and distributes these insights within the business.
Affected Versions
The vulnerability impacts Telerik Report Server versions before 10.1.24.709.
Mitigation
Customers must upgrade to Telerik Report Server version 10.1.24.709 or later to remediate the vulnerability.
For more information, please refer to the Progress Telerik Security Advisory.
Temporary Mitigation
Users can temporarily mitigate the vulnerability by changing the Report Server Application Pool user to one with limited permissions.
Please refer to the How To Change IIS User for Report Server KB article for more information.
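The following PowerShell script is an added example and is not part of the Progress advisory, the Telerik KB article, or the Qualys page: it records the current identity of the IIS application pool that hosts Report Server, moves it off a high-privilege account onto the built-in ApplicationPoolIdentity virtual account, grants that account only the file-system rights the site needs, and recycles the pool. The pool name and directory paths are placeholders that must be replaced with the values from the KB article for the specific installation. Note that this change limits what an attacker gains after a successful deserialization attack; it does not remove the flaw, so the upgrade remains required.

```powershell
# Added example (not from the Progress advisory or Qualys): inspect and change
# the IIS application pool identity used by Telerik Report Server.
# Assumptions: pool name and paths below are placeholders; take the real values
# from the "How To Change IIS User for Report Server" KB article.
Import-Module WebAdministration

$poolName = 'ReportServerAppPool'   # placeholder: substitute the real pool name
$poolPath = "IIS:\AppPools\$poolName"

if (-not (Test-Path $poolPath)) {
    throw "Application pool '$poolName' not found; list pools with: Get-ChildItem IIS:\AppPools"
}

# 1. Record the current identity before changing anything (useful for rollback).
$before = Get-ItemProperty -Path $poolPath -Name processModel
"Current identityType: $($before.identityType)  userName: $($before.userName)"

# identityType values: LocalSystem=0, LocalService=1, NetworkService=2,
# SpecificUser=3, ApplicationPoolIdentity=4
if ($before.identityType -eq 'LocalSystem') {
    Write-Warning "Pool runs as LocalSystem: code executed through the deserialization flaw would inherit full SYSTEM rights."
}

# 2. Switch to the built-in, low-privilege virtual account (ApplicationPoolIdentity).
#    Use a dedicated service account (identityType 3 with userName/password) only
#    if Report Server needs rights the virtual account cannot be granted.
Set-ItemProperty -Path $poolPath -Name processModel.identityType -Value 4

# 3. Grant the virtual account only what the site requires:
#    read/execute on the application binaries, modify on the report storage.
#    Both paths are placeholders.
$account    = "IIS AppPool\$poolName"
$appDir     = 'C:\PLACEHOLDER\Telerik Report Server'
$storageDir = 'C:\PLACEHOLDER\ReportServerStorage'

if (Test-Path $appDir)     { icacls $appDir     /grant "${account}:(OI)(CI)RX" /T | Out-Null }
if (Test-Path $storageDir) { icacls $storageDir /grant "${account}:(OI)(CI)M"  /T | Out-Null }

# 4. Recycle the pool so worker processes pick up the new identity, then verify.
Restart-WebAppPool -Name $poolName
$after = Get-ItemProperty -Path $poolPath -Name processModel
"New identityType: $($after.identityType)"
```

Run the script from an elevated PowerShell session on the Report Server host. After the change, confirm that report rendering and storage still work; if a feature fails because the virtual account lacks a right, grant that specific right rather than reverting to an administrative identity.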
Qualys Detection
Qualys customers can detect whether their servers are vulnerable by launching a Qualys WAS or VM scan.
The scan uses QIDs 731672 and 152046 to identify vulnerable assets.
- QID 731672: Progress Telerik Report Server Insecure Deserialization Vulnerability
- QID 152046: Progress Telerik Report Server Insecure Deserialization Vulnerability (CVE-2024-6327)
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-6327