Progress Software has rolled out updates to address a critical security flaw impacting the Telerik Report Server that could be potentially exploited by a remote attacker to bypass authentication and create rogue administrator users.
The issue, tracked as CVE-2024-4358, carries a CVSS score of 9.8 out of a maximum of 10.0.
“In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability,” the company said in an advisory.
The shortcoming has been addressed in Report Server 2024 Q2 (10.1.24.514). Sina Kheirkhah of Summoning Team, who is credited with discovering and reporting the flaw, described it as a “very simple” bug that could be exploited by a “remote unauthenticated attacker to create an administrator user and login.”
Besides updating to the latest version, Progress Software is urging customers to review their Report Server’s users list for the presence of any new Local users that they may have not added.
As temporary workarounds until the patches can be applied, users are being asked to implement a URL Rewrite mitigation technique to remove the attack surface in the Internet Information Services (IIS) server.
The development arrives a little over a month after Progress remediated another high-severity flaw impacting the Telerik Report Server (CVE-2024-1800, CVSS score: 8.8) that requires an authenticated remote attacker to execute arbitrary code on affected installations.
In a hypothetical attack scenario, a malicious actor could fashion CVE-2024-4358 and CVE-2024-1800 into an exploit chain in order to sidestep authentication and execute arbitrary code with elevated privileges.
With vulnerabilities in Telerik servers actively exploited by threat actors in the past, it’s imperative that users take steps to update to the latest version as soon as possible to mitigate potential threats.