Critical security updates released for Telerik Report Server
Progress Software has released updates to fix a significant security flaw in the Telerik Report Server, which could be exploited by remote attackers to bypass authentication and create unauthorized admin users.
The vulnerability, tracked as CVE-2024-4358, carries a CVSS score of 9.8/10. According to Progress, Report Server versions 2024 Q1 (10.0.24.305) and earlier are affected: the authentication bypass lets an unauthenticated attacker reach functionality that should require a logged-in user.
The issue has been resolved in version 2024 Q2 (10.1.24.514). Discovered by Sina Kheirkhah of Summoning Team, the flaw was described as a simple bug that could be used by attackers to gain admin access. Progress Software advises users to update to the latest version and to review their Report Server's user list for accounts they did not create. As a temporary measure, users are advised to apply a URL Rewrite rule to mitigate the risk until the update can be installed.

This update follows another recent high-severity flaw, CVE-2024-1800, with a CVSS score of 8.8, which allowed authenticated attackers to execute arbitrary code. Combined, the two vulnerabilities could form an exploit chain: the first bypasses authentication and creates an admin account, and the second executes code under those elevated privileges. Given that Telerik server vulnerabilities have been actively exploited in the past, organizations should patch promptly, audit Report Server accounts for unexpected additions, and maintain a broader security strategy, including strong authentication controls, to defend against constantly evolving threats.