www.belgium.be Logo of the federal government

WARNING: CRITICAL AND HIGH VULNERABILITIES IN PROGRESS TELERIK CAN BE EXPLOITED TO EXECUTE CODE. PATCH IMMEDIATELY!

Référence: 
Advisory #2024-61
Version: 
2.0
Logiciels concernés : 
Progress Telerik Reporting
Progress Telerik Report Server
Type: 
Code Execution, Authentication Bypass
CVE/CVSS: 

CVE-2024-1800
CVSS: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVE-2024-1801
CVSS: 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L)

CVE-2024-1856
CVSS: 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVE-2024-4358 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

 

Sources

https://docs.telerik.com/reporting/knowledge-base/deserialization-vulnerability-cve-2024-1801-cve-2024-1856
https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-1800
https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358

Risques

On 20 March 2024 Progress disclosed 3 vulnerabilities in Progress Telerik Reporting and Progress Telerik Report Server (CVE-2024-1800, CVE-2024-1801 and CVE-2024-1856).Another vulnerability (CVE-2024-4358) was disclosed later on 31 May 2024, which also affects Progress Telerik Report Server.

However, a detailed write-up and an exploit script are freely available. With these, threat actors can be quick to weaponize and exploit these vulnerabilities. In this write-up, two vulnerabilities (CVE-2024-4358 and CVE-2024-1800) are chained to bypass authentication and achieve remote code execution.

 

software in the past. It is the case for instance of Cl0p ransomware, which compromised over 2.300 organizations using a vulnerability (CVE-2023-34362) in Progress MOVEit[1].

Exploitation of these vulnerabilities have a high impact on confidentiality, and a low to high impact on integrity and availability depending on the precise vulnerability being exploited. 

 

Description

CVE-2024-1856 and CVE-2024-1801 are both insecure deserialization vulnerabilities in Progress Telerik Reporting. Exploitation of any of these vulnerabilities could enable an attacker to execute code. CVE-2024-1801 can be exploited by a local attacker. In the case of CVE-2024-1856, a remote attacker could successfully exploit it under a special set of circumstances in a misconfigured web application.

A detailed write-up and an exploit script are freely available for two vulnerabilities (CVE-2024-4358 and CVE-2024-1800). In this write-up, both are chained to bypass authentication and achieve remote code execution.

CVE-2024-4358 is an authentication bypass vulnerability in Progress Telerik Report Server. By successfully exploiting this vulnerability, a remote unauthenticated attacker can gain access to Telerik Report Server restricted functionality.

 

CVE-2024-1800 is an insecure deserialization vulnerability. If successfully exploited, a remote attacker could perform remote code execution.

Actions recommandées

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Please note Progress Telerik specifically reported that upgrading to the latest version   (10.1.24.514) is the only way to remove these vulnerabilities. 

Mitigation

Progress Telerik published a temporary mitigation for CVE-2024-4358.

If upgrading the Report Server instance(s) is not an immediate option, Progress Telerik strongly recommends implementing a URL Rewrite mitigation technique to remove the attack surface in IIS:

  1. The URL Rewrite IIS module is required for this mitigation. If you do not already have it installed, you may download it from here (relaunch IIS Manager after installtion).
  2. Open IIS Manager and select the Telerik Report Server site.
  3. Select the URL Rewrite module (see screenshot below for this view).
    1. Click “Add Rules”
    2. Choose a ‘Request Blocking’ rule.
    3. For “Block Access Based On”, select “URL Path”
    4. For “Pattern”, enter the value: startup/register
    5. Click OK to save and activate the rule.

Do not add a URL Rewrite rule until after Report Server has been fully installed and configured, as this rule blocks traffic to the initial setup functionality.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

Please note Progress Telerik recommends reviewing your Report Server’s users list for any new Local users that was not added by you. You can find that list at  {host}/Users/Index.

 

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

Références

https://www.cybersecuritydive.com/news/progress-software-moveit-meltdown/703659/#:~:text=Clop%2C%20a%20highly%20prolific%2C%20financially,from%20the%20file%2Dtransfer%20service