Global Impact (at time of dissemination)
• 106 hosts affected globally
• 97% of globally affected hosts with an exposed login page
• Four globally affected hosts with exposed file directories
• 46% of globally affected hosts with remote access capabilities
Top affected countries:
1. US
2. UK
3. Germany
4. India
5. Nigeria
Summary
Censys is aware that on March 20, 2024, CVE-2024-1800 was published for a critical insecure deserialization vulnerability in Progress Software’s Telerik Report Server. This vulnerability can be leveraged to gain remote code execution on versions of the asset prior to version 10.0.24.130.
Impact
“Telerik Report Server is a centralized platform that enables companies” to perform reporting functions as well as report “email distribution, and integration with both Active Directory and its authentication systems” (Securityonline). An attacker with remote access and an ability to execute malicious code on such an asset may allow such an attacker to not only interfere with reporting functionality but also to better understand a victim’s network or gain further access leveraging the Active Directory integration. Such an attack can serve as a beachhead, or beginning, on a victim organization for attackers.
Affected Assets
According to the NVD, this issue affects any Progress Telerik Report Server release before version 10.0.24.130.
Censys’ Rapid Response Team was able to identify Telerik Report Servers exposed online. Below are queries that will uncover Telerik Report Servers with versions prior to version 10.0.24.130 that therefore, may be potentially vulnerable, are publicly facing and recently observed from our scans.
Censys ASM Risk Name
Vulnerable Progress Telerik Report Server [CVE-2024-1800]
Censys ASM customers will see this risk applied to affected assets in their workspaces. Those that have signed up for Rapid Response Automated Risk Alerting will be contacted directly regarding affected assets.
Censys ASM Query This query is shared for customers who wish to refine or alter versioning for customized operations.
Censys Search Queries are shared directly with Censys customers. If you would like to obtain the Censys query to identify global instances related to this issue, or need help, please contact us.
Recommendations for remediation
Recommendations from the vendor, Progress Software, state “Updating to Report Server 2024 Q1 (10.0.24.305) or higher is the only way to remove this vulnerability.”