PoC for Progress Telerik RCE chain released (CVE-2024-4358, CVE-2024-1800)
Security researchers have published a proof-of-concept (PoC) exploit that chains together two vulnerabilities (CVE-2024-4358, CVE-2024-1800) to achieve unauthenticated remote code execution on Progress Telerik Report Servers.
Telerik Report Server is a centralized enterprise platform for report creation, management, storage and delivery/distribution.
As noted by Censys earlier this year, “an attacker with remote access and an ability to execute malicious code on such an asset may allow such an attacker to not only interfere with reporting functionality but also to better understand a victim’s network or gain further access leveraging the Active Directory integration. Such an attack can serve as a beachhead, or beginning, on a victim organization for attackers.”
About the vulnerabilities
CVE-2024-1800 is an insecure deserialization vulnerability that allows authenticated remote attackers to execute arbitrary code on vulnerable Telerik installations, i.e., versions prior to 2024 Q1 (v10.0.24.130).
It was reported by an anonymous researcher and fixed earlier this year by Progress Software.
That CVE-2024-1800 could only be leveraged after successful authentication was taken as a challenge by vulnerability researcher Sina Kheirkhah of Summoning Team, who looked for, and discovered, a vulnerability (CVE-2024-4358) that allows attackers to do away with that requirement.
“The specific flaw exists within the implementation of the Register method. The issue results from the lack of validating the current installation step. An attacker can leverage this vulnerability to bypass authentication on the system,” says the Zero Day Initiative advisory.
Or, as Kheirkhah explains more simply: “The endpoint which is responsible for setting up the server for the first time is accessible unauthenticated even after the admin has finished the setup process.”
Both vulnerabilities have been reported to Progress Software through ZDI, and Progress fixed CVE-2024-4358 in May, by releasing Telerik Report Server 2024 Q2 (v10.1.24.514).
With help from ethical hacker Soroush Dalili, Kheirkhah devised a PoC exploit that triggers CVE-2024-4358 and then CVE-2024-1800. He released it on GitHub on Monday and published a detailed root cause analysis of CVE-2024-4358.
Upgrade ASAP!
Enterprise admins are advised to upgrade their Telerik installations quickly. While CVE-2024-1800 can only be plugged by updating, the risk of CVE-2024-4358 exploitation can be temporarily mitigated by implementing a URL Rewrite technique (as explained in the advisory).
Progress Software has also advised admins to review their Report Server’s users list for any new Local users they have not added at {host}/Users/Index.
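To help admins act on the advice above, here is an added triage helper (example code written for this article, not Progress Software's tooling). It compares an installed Report Server build against the two fixed-in versions named in the article and flags local users that are not on the admin's own approved list; the user lists in the usage block are constructed sample data.

```python
"""Triage helper for the Telerik Report Server advisories discussed above.

Added example, not Progress Software's tooling. Version thresholds come
from the article: CVE-2024-1800 fixed in 2024 Q1 (v10.0.24.130),
CVE-2024-4358 fixed in 2024 Q2 (v10.1.24.514).
"""
import re

# Fixed-in builds (from the article); anything older is still affected.
FIXED_IN = {
    "CVE-2024-1800": (10, 0, 24, 130),  # insecure deserialization (authenticated RCE)
    "CVE-2024-4358": (10, 1, 24, 514),  # auth bypass via the first-time-setup Register endpoint
}

def parse_version(text):
    """Turn a dotted build string such as '10.0.24.130' into a tuple of ints.

    Numeric tuples compare correctly; comparing the raw strings would rank
    '10.1.24.514' below '9.x'. Raises ValueError on anything unrecognised.
    """
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+){1,3})\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))  # pad short strings, e.g. '10.1'

def affected_cves(version_text):
    """Return the CVE ids from the article that still apply to this build."""
    v = parse_version(version_text)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)

def exposure_summary(version_text):
    """Map the affected set onto the article's chain: unauthenticated RCE needs
    both bugs; the deserialization bug alone still requires a login."""
    cves = affected_cves(version_text)
    if "CVE-2024-4358" in cves and "CVE-2024-1800" in cves:
        return "unauthenticated RCE chain possible; upgrade to 2024 Q2 (v10.1.24.514)"
    if "CVE-2024-4358" in cves:
        return "auth bypass only; upgrade or apply the advisory's URL Rewrite mitigation"
    return "not affected by the two CVEs in this article"

def unexpected_local_users(current_users, approved_users):
    """Users present on the server but absent from the admin's own record;
    review these per Progress' guidance at {host}/Users/Index."""
    return sorted(set(current_users) - set(approved_users))

if __name__ == "__main__":
    for v in ("9.2.23.1112", "10.0.24.130", "10.1.24.514"):
        print(v, affected_cves(v), "->", exposure_summary(v))
    # constructed sample lists, not real data
    print(unexpected_local_users(["admin", "reports", "svc_backup"], ["admin", "reports"]))
```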
Vulnerabilities in Progress' enterprise solutions have been targeted by attackers in the past.
The MOVEit Transfer zero-day (CVE-2023-34362) was infamously exploited by the Cl0p ransomware gang to steal data from over 2,700 organizations.
Then, late last year, attackers began exploiting two critical vulnerabilities in WS_FTP Server (another Progress secure file transfer solution) just a few days after PoC code for one of them was made public.
UPDATE (June 6, 2024, 06:05 a.m. ET):
The Shadowserver Foundation has spotted CVE-2024-4358 exploitation attempts in their honeypot sensors.