Advisory

June 7, 2024: Authentication Bypass Vulnerability in Progress Telerik Report Server Could Lead to Unauthorized Access of Internal Report Data

June 7, 2024

Tags:

Issue Name and Description: Authentication Bypass vulnerability in Progress Telerik Report Server

Date Published: 2024-05-29
CVE-ID and CVSS Score: CVE-2024-4358 – 9.8 (CRITICAL)
CWE: CWE-290 Authentication Bypass by Spoofing
Asset Description: Telerik Report Server is a server-based report management platform by Progress Software. This issue affects Report Server version 2024 Q1 (10.0.24.305) and earlier running on IIS.

Example Telerik Report Server login page

Vulnerability Impact: If this vulnerability is successfully exploited, an unauthenticated threat actor could potentially gain unauthorized access to the Telerik Report Server with restricted functionality. This could lead to accessing any sensitive report data that’s stored on these servers.
Exploitation Details: A public PoC and technical writeup has been released. This CVE is currently not in CISA KEV.
Patch Availability: Progress Software has stated that upgrading to Report Server 2024 Q2 (10.1.24.514) or later is the only way to remove this vulnerability. Update instructions: https://docs.telerik.com/report-server/implementer-guide/setup/upgrade
Detection with Censys:
- ASM Risk Query for potentially vulnerable Censys-visible public-facing instances of Telerik Report Server: risks.name=“Vulnerable Progress Telerik Report Server [CVE-2024-4358]”
- Search Exposure Query for all Censys-visible public-facing Telerik Report Server gateways: services.software.vendor:“Progress Software” and services.software.product:“Telerik Report Server”
- ASM Exposure Query for all Censys-visible public-facing Telerik Report Server gateways: host.services.software: (vendor:“Progress Software” and product:“Telerik Report Server” ) or (web_entity.instances.software.vendor:“Progress Software” and web_entity.instances.software.product:“Telerik Report Server”)
References:

Products