Progress has released patches to address a security flaw that may cause unauthorized access on attempted logins. Tracked as CVE-2024-1403, the vulnerability impacts the OpenEdge Authentication Gateway and AdminServer. The vulnerability has been given a critical severity rating with a CVSS score of 9.8.
The OpenEdge Authentication Gateway bridges the gap between OpenEdge and user authentication products such as Lightweight Directory Access Protocol (LDAP), Active Directory (AD), and others.
An OpenEdge AdminServer is a service that manages and configures OpenEdge Management or OpenEdge Explorer. It runs on the server side of a Progress environment and uses a Java-based RMI interface.
Vulnerability Description
A vulnerability in the authentication routines may result in unauthorized access on attempted logins when the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that allows userid and password logins on operating platforms supported by active releases of OpenEdge by using the OS local authentication provider.
Similarly, OpenEdge Explorer (OEE) and OpenEdge Management (OEM) employ the OS local authentication provider on platforms that support it when they establish an AdminServer connection to authorize userid and password logins, which may potentially result in unauthorized login access.
Because the AdminServer logins only support OS local logins, they are always potentially vulnerable. The OEAG is only vulnerable when an administrator has configured an OpenEdge domain to use the OS local authentication provider. Despite variations in selection processes, the AdminServer and the OEAG employ the exact authentication management mechanism for OS local logins. OEAG configured OpenEdge Domains that choose an alternative authentication provider besides OS local account authentication, which are not vulnerable to credential mishandling that leads to unauthorized access.
If specific types of usernames and passwords are not handled correctly, the vulnerability incorrectly returns authentication success from an OE local domain. Some unexpected content in the credentials may allow unauthorized access without the appropriate authentication.
Affected Versions
- OpenEdge Release 11.7.18 and earlier
- OpenEdge Release 12.2.13 and earlier
- OpenEdge Release 12.8.0
Mitigation
- OpenEdge LTS Update 11.7.19
- OpenEdge LTS Update 12.2.14
- OpenEdge LTS Update 12.8.1
For more information, please refer to the Progress Security Advisory.
Qualys Detection
Qualys customers can scan their devices with QID 731217 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.