Tomcat
Two critical vulnerabilities allow hackers to take over your network without much effort.
Cybersecurity researchers have published a PoC exploit demonstrating a chain of remote code execution (RCE) vulnerabilities in Progress Software's Telerik Report Server.
Telerik Report Server is a complete API-based encrypted report management solution that organizations use to create, share, store, distribute, and schedule reports.
A researcher named Sina Kheirkhah, with the help of fellow researcher Soroush Dalili, developed exploits and published a detailed write-up of how the two vulnerabilities, an authentication bypass and a deserialization flaw, can be chained.
The authentication bypass, tracked as CVE-2024-4358 with a CVSS rating of 9.8, allows administrator accounts to be created without any checks. Kheirkhah discovered that the "Register" method in "StartupController" is reachable without authentication, so administrator accounts can still be created after the initial configuration has been completed.
This issue was fixed in the Telerik Report Server 2024 Q2 update 10.1.24.514 on May 15, and a security bulletin from the Zero Day Initiative (ZDI) team was published on May 31.
The second vulnerability, CVE-2024-1800 with a CVSS rating of 8.8, allows remote authenticated attackers to execute arbitrary code on vulnerable servers. The problem was discovered earlier and reported to the vendor by an anonymous researcher.
Using this vulnerability, an attacker can send a specially crafted XML payload containing a "ResourceDictionary" element to Telerik Report Server's custom deserializer, which converts XML elements to .NET types. An element in the payload then uses the "ObjectDataProvider" class to execute arbitrary commands on the server, for example launching "cmd.exe".
The security update was released on March 7, 2024 in Telerik Report Server 2024 Q1 version 10.0.24.305.
Although exploiting the deserialization vulnerability is complex, Kheirkhah's write-up and Python script make the attack fairly clear to potential attackers. Organizations are therefore urged to apply the available updates as soon as possible, i.e. upgrade to version 10.1.24.514 or later, which addresses both vulnerabilities.
Administrators are also encouraged to review the user list at "{host}/Users/Index" for newly added accounts, even though no active exploitation of CVE-2024-4358 has been recorded yet.
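Beyond reviewing the user list, defenders can check web-server logs for the pattern the bypass relies on: the unauthenticated "Register" action being called after initial setup has finished. The following is an added example, not part of the article or of the vendor's software; the IIS W3C log lines are constructed, and the request path "/Startup/Register" is assumed from the controller/action names above and should be confirmed against the deployment's routing.

```python
from datetime import datetime, timezone
from typing import Dict, List

# Constructed IIS W3C log sample (not real traffic). Field order follows the
# #Fields header line, which the parser reads instead of assuming positions.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-06-01 08:02:11 10.0.0.5 GET /Startup/Index - 443 - 10.0.0.20 Mozilla/5.0 200
2024-06-01 08:03:40 10.0.0.5 POST /Startup/Register - 443 - 10.0.0.20 Mozilla/5.0 302
2024-06-03 22:14:05 10.0.0.5 POST /Startup/Register - 443 - 203.0.113.77 python-requests/2.31 302
2024-06-03 22:14:09 10.0.0.5 GET /Users/Index - 443 newadmin 203.0.113.77 python-requests/2.31 200
"""

# When initial configuration of this server finished (assumed value for the example).
# After this point the Register action has no legitimate reason to be called.
SETUP_COMPLETED = datetime(2024, 6, 1, 8, 5, tzinfo=timezone.utc)

# Assumed route for StartupController.Register; verify against the actual deployment.
REGISTER_PATH = "/startup/register"


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C lines using the #Fields header; return one dict per request."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def find_suspicious_registrations(log_text: str, setup_completed: datetime) -> List[Dict[str, str]]:
    """Return POSTs to the Register action made after initial setup completed."""
    hits = []
    for row in parse_w3c(log_text):
        if row["cs-method"].upper() != "POST" or row["cs-uri-stem"].lower() != REGISTER_PATH:
            continue
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)  # IIS logs default to UTC
        if ts > setup_completed:
            hits.append({"time": ts.isoformat(), "client": row["c-ip"], "status": row["sc-status"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_registrations(SAMPLE_LOG, SETUP_COMPLETED):
        print(f"ALERT: post-setup Register call from {hit['client']} at {hit['time']} (HTTP {hit['status']})")
```

Any hit should be cross-checked against the "{host}/Users/Index" list for an account that did not exist before the flagged request.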
Critical vulnerabilities in Progress Software products rarely go unnoticed by highly skilled cybercriminals. A striking example is the large-scale campaign by the Clop group, which exploited a zero-day vulnerability in the MOVEit Transfer platform. That campaign hit more than 2,770 victims directly and indirectly affected almost 96 million people, making it one of the largest extortion operations in history.