Progress Software has put out patches to fix a significant security hole affecting the Telerik Report Server that may be potentially exploited by a remote attacker to circumvent authentication and establish rogue administrator accounts.
The bug, listed as CVE-2024-4358, receives a CVSS score of 9.8 out of a maximum of 10.0.
"In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability," the firm noted in an alert.
The problem has been fixed in Report Server 2024 Q2 (10.1.24.514). Sina Kheirkhah of Summoning Team, who is credited with identifying and reporting the issue, characterized it as a "very simple" fault that could be exploited by a "remote unauthenticated attacker to create an administrator user and login."
Besides upgrading to the newest version, Progress Software is recommending customers to examine their Report Server's users list for the existence of any new Local users that they may have not added.
As interim remedies until the fixes can be deployed, customers are being urged to adopt a URL Rewrite mitigation approach to reduce the attack surface in the Internet Information Services (IIS) server.
The discovery came a little over a month after Progress remediated another high-severity hole hitting the Telerik Report Server (CVE-2024-1800, CVSS score: 8.8) that allowed an authorized remote attacker to execute arbitrary code on vulnerable installations.
In a hypothetical attack scenario, a hostile actor might design CVE-2024-4358 and CVE-2024-1800 into an exploit chain in order to skip authentication and execute arbitrary code with elevated privileges.
With vulnerabilities in Telerik servers extensively exploited by threat actors in the past, it's vital that users take efforts to upgrade to the current version as quickly as possible to avoid any risks.