Progress fixes critical RCE flaw in Telerik Report Server, upgrade ASAP! (CVE-2024-6327)
Progress Software has fixed a critical vulnerability (CVE-2024-6327) in its Telerik Report Server solution and is urging users to upgrade as soon as possible.
About CVE-2024-6327 (and CVE-2024-6096)
Telerik Report Server is an enterprise solution for storing, creating, managing and viewing reports in web and desktop applications.
CVE-2024-6327 is an insecure (untrusted data) deserialization vulnerability that may allow attackers to remotely execute code on the underlying server through CVE-2024-6096, an insecure type resolution vulnerability that affects Telerik Reporting, a tool for building reports for and adding them to web and desktop applications.
CVE-2024-6096 allows for an object injection attack. It was reported by Markus Wulftange with CODE WHITE GmbH.
Both vulnerabilities have been fixed, and Progress Software publicly disclosed their existence on Wednesday.
What to do?
Customers have been advised to upgrade to Telerik Reporting 2024 Q2 (v18.1.24.709), as it’s the only way to remove CVE-2024-6096, and to upgrade to Telerik Report Server 2024 Q2 (10.1.24.709) or later to fix CVE-2024-6327.
If the latter action is not possible, Progress Software notes that users “can temporarily mitigate this issue by changing the user for the Report Server Application Pool to one with limited permissions”.
There is no mention of the vulnerabilities being exploited in the wild and there is no known PoC available at the moment, but Progress Software’s solutions are often targeted by attackers.
We all remember the disastrous consequences of ransomware attackers leveraging a zero day in Progress Software’s MOVEit file transfer solution. But before that, various vulnerabilities in the company’s Telerik UI, a popular UI component library for .NET web applications, had been used by attackers to install web shells.
And just last month, the Shadowserver Foundation spotted exploitation attempts for CVE-2024-4358, a vulnerability that, when concatenated with CVE-2024-1800, allowed attackers to achieve unauthenticated remote code execution on Progress Telerik Report Servers.
So upgrade your installations quickly!