Researchers published a proof-of-concept (PoC) exploit code for an authentication bypass vulnerability on Progress Telerik Report Servers. Telerik Report Server is an end-to-end report management solution developed by Progress® Telerik.
Cybersecurity researcher Sina Kheirkha started his research from an published by Progress for a deserialization issue tracked as (CVSS score: 9.8). The experts noticed that the exploitation required authentication, so shortly after the release of the patch, he managed to find an authentication bypass. With the help of , the expert chained the deserialization issue with an auth bypass to achieve full unauthenticated RCE.
The researchers chained the issue with the deserialization flaw (CVSS score: 8.8) to execute arbitrary code on vulnerable servers.
An unauthenticated attacker can exploit the flaw to gain access Telerik Report Server restricted functionality via an authentication bypass vulnerability.
The researchers demonstrated how to create an admin account by exploiting the bypass flaw .
“The vulnerability is very simple, the endpoint which is responsible for setting up the server for the first time is accessible unauthenticated even after the admin has finished the setup process.” wrote the expert. “The following method is where the vulnerability occurs Telerik.ReportServer.Web.dll!Telerik.ReportServer.Web.Controllers.StartupController.Register”
An unauthenticated attacker can invoke the Register method and use the received parameters to create a user with the “System Administrator” role.
“This method is available unauthenticated and will use the received parameters to create a user first, and then it will assign the “System Administrator” role to the user, this allows a remote unauthenticated attacker to create an administrator user and login :))))))” continues the expert.
The vulnerability impacts Telerik Report Server 2024 Q1 (10.0.24.305) and earlier and Progress addressed it with the release of Telerik Report Server on May 15.
“Updating to Report Server 2024 Q2 (10.1.24.514) or later is the only way to remove this vulnerability. The Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.” .
The experts urge organizations to update their installs as soon as possible due to the availability of PoC exploit code.
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, RCE)